It’s Time to Add MFA to Our Critical Infrastructure
November is National Critical Infrastructure Security and Resilience Month, so I thought it would be a good opportunity to discuss some of the security challenges concerning critical infrastructure, specifically the weak access controls found in sensitive operational technology (OT) environments.
Strong authentication is an essential requirement for critical infrastructure
When defending critical infrastructure, it is necessary to authenticate the identity of any individual, device or machine that requests access to sensitive networks, facilities or information. Weak authentication mechanisms are routinely exploited by adversaries seeking to gain access to, and control over, sensitive systems. One would expect access to these systems to be limited to authorized users, yet these environments carry an inherent vulnerability: weak access controls.
Strong authentication (commonly implemented as multi-factor authentication, MFA) addresses this by requiring users to present an additional factor to validate their identity before they are granted access to sensitive systems. Until now, however, implementing MFA in these environments has been extremely difficult.
The challenge with critical infrastructure environments
Critical infrastructure environments include both IT and OT networks. Although they are built from different technologies, and in most facilities the two networks are segregated, a few challenges are common to both:
- They contain “unprotectable” systems: both IT networks and OT environments include systems that until now were considered unprotectable, because no out-of-the-box solution exists for them and third-party software agents cannot be deployed on them:
  - Non-standard proprietary systems: in most cases these systems were not designed with security in mind and therefore have very weak access controls. Non-standard systems are typically not supported by MFA products, and building a custom integration for each of them is expensive and resource-intensive.
  - Legacy systems: legacy systems often rely on hard-coded passwords, easily cracked passwords, passwords stored in easily recoverable formats, and passwords sent in clear text. An attacker who obtains these passwords can often interact with the controlled process at will. Yet most MFA vendors are not interested in supporting these systems.
  - Systems under vendor warranty: many systems, especially in the OT environment, require vendor approval before any third-party software is installed. Without that approval, installing third-party software may void the warranty.
- 24x7x365 availability is required: many systems in these environments must remain operational at all times and cannot be rebooted, which is a common requirement for installing software. Since most MFA solutions require a software agent on each protected system, and installing that agent typically entails a reboot, organizations cannot use them to secure access to these systems.
For the same reason, solutions that require in-line proxies are also difficult to implement, because inserting a proxy into the network path usually means taking the protected system offline.
The usability of authentication approaches remains a significant challenge for many control systems, as many existing authentication tools are available only for standard computing platforms.
Silverfort: Agentless MFA for IT and OT networks
Silverfort delivers adaptive authentication across corporate networks, OT and cloud environments from a unified platform, without requiring software agents on user endpoints or sensitive servers and without inline proxies or complex configuration. This means that critical infrastructure operators can add MFA to protect sensitive IT and OT systems that could not previously be covered.
By analyzing authentication activity across all users, devices, systems and environments, and feeding it into its AI-based Risk Engine, Silverfort applies risk-based adaptive authentication: access requests are evaluated where the authentication takes place rather than on the protected system itself. This lets organizations detect and mitigate threats in real time and block unauthorized access without disrupting the user experience.
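The decision logic behind risk-based adaptive authentication is easier to see in code. The following is an added illustration, written for this page; it is not Silverfort's engine or any vendor code. It models a policy evaluated at the point where authentication requests are observed (for example, wherever the directory or identity provider sees the logon), so that a legacy PLC or HMI that cannot host an agent is still gated. The event schema, the asset names (`plc-01`, `hmi-03`, `scada-hist`), the list of cleartext protocols, the failure threshold and all sample events are constructed assumptions.

```python
"""Rule-based adaptive authentication policy evaluated at an authentication
chokepoint, so nothing is installed on the protected OT or legacy target.

Added example for this article, not Silverfort's engine. Asset names,
protocol list, thresholds and sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory: targets that count as critical OT assets.
CRITICAL_ASSETS = {"plc-01", "hmi-03", "scada-hist"}

# Protocols that carry credentials in clear text. A legacy target that only
# speaks these cannot be fixed in place, but the request to it can be gated.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http"}


@dataclass(frozen=True)
class AuthEvent:
    user: str
    src_host: str
    dst_host: str
    protocol: str


@dataclass
class Decision:
    action: str                        # "allow", "step_up" (require MFA) or "deny"
    reasons: list = field(default_factory=list)


class AdaptivePolicy:
    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.seen_sources = defaultdict(set)   # user -> hosts seen in baseline
        self.failures = defaultdict(int)       # user -> consecutive failures

    def learn_baseline(self, known_good: list) -> None:
        """Record which source hosts each user normally authenticates from."""
        for e in known_good:
            self.seen_sources[e.user].add(e.src_host)

    def evaluate(self, e: AuthEvent) -> Decision:
        """Decide before the target sees the logon; the target is never touched."""
        d = Decision("allow")
        if self.failures[e.user] >= self.max_failures:
            d.action = "deny"
            d.reasons.append("too many consecutive failures")
            return d
        if e.dst_host in CRITICAL_ASSETS:
            d.action = "step_up"
            d.reasons.append("target is a critical OT asset")
        if e.src_host not in self.seen_sources[e.user]:
            d.action = "step_up"
            d.reasons.append("unfamiliar source host for this user")
        if e.protocol in CLEARTEXT_PROTOCOLS and e.dst_host in CRITICAL_ASSETS:
            d.action = "step_up"
            d.reasons.append("cleartext protocol to critical asset")
        return d

    def record_outcome(self, e: AuthEvent, success: bool) -> None:
        """Feed the result back so the baseline and failure counters evolve."""
        if success:
            self.failures[e.user] = 0
            self.seen_sources[e.user].add(e.src_host)
        else:
            self.failures[e.user] += 1


# Constructed sample data.
BASELINE_EVENTS = [
    AuthEvent("alice", "eng-ws-01", "fileserver", "smb"),
    AuthEvent("bob", "ops-ws-07", "hmi-03", "rdp"),
]
LIVE_EVENTS = [
    AuthEvent("alice", "eng-ws-01", "fileserver", "smb"),   # routine IT access
    AuthEvent("bob", "ops-ws-07", "hmi-03", "rdp"),         # known host, critical target
    AuthEvent("bob", "vpn-pool-22", "plc-01", "telnet"),    # new host, cleartext, critical
]


def demo():
    """Run the constructed scenario and return (user, target, action, reasons)."""
    policy = AdaptivePolicy(max_failures=3)
    policy.learn_baseline(BASELINE_EVENTS)
    # Three bad password attempts by an unknown user against the historian.
    carol = AuthEvent("carol", "kiosk-9", "scada-hist", "ssh")
    for _ in range(3):
        policy.record_outcome(carol, success=False)
    out = []
    for e in LIVE_EVENTS + [carol]:
        d = policy.evaluate(e)
        out.append((e.user, e.dst_host, d.action, tuple(d.reasons)))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point of the structure is that every check runs against the authentication request and the policy's own state; nothing is queried from, or installed on, `plc-01` or `hmi-03`. A real deployment would also need the enforcement hook (a way to hold or reject the request until the second factor succeeds), which this illustration leaves out.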
To learn more, schedule a call with one of our experts.