WP-032-2020: Centralized access control for field devices [DRAFT]

This whitepaper recommends methods to implement centralized access control for field devices.

Centralized access control would allow grid operators to greatly improve the security of field devices, such as Remote Terminal Units (RTU), gateways, and even IEDs and protection relays. They can set a strong password policy with individual passwords for engineers and rules for password strengths and lifetimes. They can use role-based access control with engineers receiving only the access rights needed for their work. And they can assign log events to individual engineers to allow easier investigation of incidents.

Solutions for centralized authentication are now on the market. In an ENCS market survey on distribution automation RTUs [1] conducted in November 2019, eight of the nine vendors surveyed supported centralized access control. Most supported RADIUS (6 vendors) or LDAP (5 vendors). Moreover, a standard for access control is emerging in IEC 62351-8 [2]. All surveyed vendors said they were considering this standard. A new version was just released in 2020, adding RADIUS as an authentication option.

But when using centralized authentication on field devices, there is a risk that credentials get compromised through physical attacks (see [3]). Many devices are placed at locations that are difficult to protect, such as substations or pole tops. They are usually not designed to resist physical attacks, lacking measures such as secure boot and protection of stored data. So, with a bit of skill and effort, attackers can take full control of a device. If credentials are then sent to the device, attackers can capture these and reuse them on other field devices or even other parts of the OT environment to gain the same access the engineer has.

To mitigate this risk, grid operators should use an authentication method that does not give credentials to the field device in a reusable form. This whitepaper recommends two concrete methods.
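The following sketch is an added example, not taken from the whitepaper, that contrasts a password forwarded through a field device with a proof the device cannot reuse. The HMAC challenge-response shown is only an assumed stand-in for a non-reusable credential, not necessarily one of the two recommended methods; the `CentralServer` class, device names and sample user are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one engineer with a password and a personal key.
PASSWORD_DB = {"alice": "correct-horse-battery"}
KEY_DB = {"alice": secrets.token_bytes(32)}


def respond(key, device_id, nonce):
    """Engineer-side proof, bound to one device and one nonce."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class CentralServer:
    """Hypothetical central authentication server."""

    def __init__(self):
        self.pending = {}  # (device_id, user) -> outstanding one-time nonce

    def check_password(self, user, password):
        return user in PASSWORD_DB and hmac.compare_digest(PASSWORD_DB[user], password)

    def new_challenge(self, device_id, user):
        self.pending[(device_id, user)] = secrets.token_bytes(16)
        return self.pending[(device_id, user)]

    def check_response(self, device_id, user, response):
        nonce = self.pending.pop((device_id, user), None)  # single use
        if nonce is None or user not in KEY_DB:
            return False
        return hmac.compare_digest(respond(KEY_DB[user], device_id, nonce), response)


def replay_results():
    """Return (password_replay_ok, response_replay_ok) for a second device."""
    server = CentralServer()
    # Method 1: device 'rtu-a' receives the password itself and forwards it.
    seen_password = PASSWORD_DB["alice"]
    server.check_password("alice", seen_password)  # legitimate login
    # Whoever controls rtu-a can present the same password through 'rtu-b'.
    password_replay_ok = server.check_password("alice", seen_password)
    # Method 2: rtu-a only ever sees a response to a one-time challenge.
    nonce = server.new_challenge("rtu-a", "alice")
    seen_response = respond(KEY_DB["alice"], "rtu-a", nonce)
    server.check_response("rtu-a", "alice", seen_response)  # legitimate login
    server.new_challenge("rtu-b", "alice")  # rtu-b gets a fresh challenge
    response_replay_ok = server.check_response("rtu-b", "alice", seen_response)
    return password_replay_ok, response_replay_ok
```

`replay_results()` returns `(True, False)`: the password seen by one device is accepted again elsewhere, while the captured response is tied to that device's single-use challenge and is rejected.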

