Welcome back, fellow travelers on the digital frontier. Joe Baxter here, and today we're diving into another major difference between the IT and OT worlds: privileges. If you have missed any of the previous installments, they are linked from this blog.
While IT has embraced a (kind of) zero trust security model, OT remains tied to outdated practices that prioritize convenience over security. This blog post explores four key differences in how IT and OT manage access: Multi-Factor Authentication (MFA), passwords and One-Time Passwords (OTP), account management, and access granularity.
Modern IT systems rely on Multi-Factor Authentication (MFA) to secure access, and adoption is estimated at over 70% in many organizations. This is usually done by sending an approval request to a mobile app or a One-Time Password (OTP) via SMS, so that a stolen password alone is not enough to log in. (SMS codes are the weakest of these options, since they can be phished or intercepted, but even they raise the bar well above a password by itself.)
In contrast, OT's use of MFA is minimal, with adoption possibly under 20% overall. Many OT facilities simply cannot provide the network connectivity that standard MFA methods depend on: the requirement for constant availability means that even a brief outage of the service that delivers an authentication request is unacceptable. Some legacy OT systems are also so fragile that they cannot be integrated with modern authentication protocols at all. The operational imperative of "always on" does not align with the technical requirements of typical MFA systems.
The disparity in authentication security extends to passwords themselves. IT long ago moved past simple passwords, and modern training for IT staff includes extensive education on phishing, OTP handling, and secure help desk procedures. IT's focus on security has reached the point where a password written on a sticky note is a running joke.
Conversely, many OT systems, being software and hardware from an earlier generation, rely on simple username and password authentication at best. Some OT devices have no username at all, only a single short password. In many industrial settings it is not uncommon to find shared Human Machine Interface (HMI) panels with the password printed on a label-maker strip stuck to the panel, a clear indication that ease of access has long taken precedence over security.
IT has largely abandoned shared accounts and the security risk they carry. In the modern IT landscape, every user, service, and application has a dedicated account with a unique identity and specific privileges. This allows clear accountability and granular auditing of who accessed what, and when.
However, many OT systems continue to use shared accounts. Devices such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and protective relays generally do not support multiple accounts or different authorization levels. This leaves a significant security gap: without individual identities it becomes nearly impossible to trace an unauthorized change back to a specific person, and a single leaked credential carries every privilege the device has.
A key tenet of modern IT security is granular access, also known as the principle of least privilege. This approach ensures that users and applications are only granted the bare minimum permissions necessary to perform their specific tasks, severely limiting the damage a compromised account can cause.
Unfortunately, OT systems often provide broad access, a practice rooted in the desire for "easy access" for technicians and operators. Worse, some OT devices grant automatic access to other devices from the same manufacturer without requiring re-authentication. A real-world example was found at an electrical entity where a field service technician could connect to a single communications processor and use that single point of entry to reach devices scattered across several US states without any further authentication. This transitive trust model creates a massive attack surface: the compromise of a single point can ripple through everything reachable from it.
The Wrong Answer
It's a little like the old joke about a man visiting a doctor. "Doctor, it hurts when I do this." To which the doctor blandly replies, "Well, stop doing that." Solutions that simply tell OT to "stop doing that" will never see the light of day, yet many frameworks and compliance regulations do exactly that. They might as well tell the grass to stop being green. This is not a new problem that no one has considered before now; cybersecurity has been harping on these issues for a few decades at least.
Yet we still see no widespread OT adoption of these controls. And why not? For the same reason it makes no sense to turn a 1957 Chevy into a mag-lev bullet train: no one makes that asset anymore, it still runs undeniably well, the alternative carries a prohibitive expense, and the surrounding infrastructure won't support such a change.
The Right Answer
The stark differences in privilege management between IT and OT highlight the urgent need for a new security paradigm in the industrial world: one that combines the "always on" nature of OT with the robust authentication and access controls of modern IT. The good news is that this is possible today, and you can see it in action in the demo linked from this post.
Next week, same bat time, same bat channel to talk about the environmental differences between IT and OT.
Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.