The importance of access control for cyber security

There is an old joke that “snowwhiteandthe7dwarfs” is an ideal password because it contains eight characters and a number. It makes us smile because, at one time or another, most of us have been annoyed about having to update our log-in credentials. But access control is no laughing matter.

The news that two major cyber-attacks in recent months likely started with a weak password and stolen credentials has underlined the importance of having adequate measures in place and a strong cyber security culture. People are the biggest cause of security breaches, whether it is because they click on a link in a phishing email or hold a door open to an intruder who follows them into an office building. That is why access control is at the very heart of cyber security, which depends on organizations being sure that users are who they say they are and that they have permission to utilize specific network resources or to enter restricted areas. Not only does access control serve to secure assets, but, in the event of a breach, it can also help to trace actions and to determine the cause.

There are two kinds of access controls: physical and logical. Physical controls limit access to premises, workstations and IT hardware, while logical controls are about restricting access to critical cyber assets. Both are essential for cyber security and start from the premise that users, devices and any other entities requesting access are unknown until the system can verify them. For this to happen, they must have a unique and known ID, such as a username, email address or MAC address, that identifies them when they request access.

Principle of least privilege

Weak and insufficient measures are quite simply a disaster waiting to happen. The US National Security Agency found this out the hard way when the whistleblower Edward Snowden leaked documents to the media. As well as dealing with public fallout over the surveillance scandal, the agency also faced criticism about its cyber security policies and specifically access control. As a result, the NSA strictly limited network access to the level necessary for individuals to perform their jobs. Known as the principle of least privilege, it is one of the key measures that IEC 62443-2-1 recommends for keeping critical infrastructure and other industrial automation and control systems (IACS) safe from unauthorized access. Similarly, ISO/IEC 27001 recommends the principle of least privilege for keeping data safe:

“Users shall only be provided with access to the network and network services that they have been specifically authorized to use.”

Implementing such a policy requires a comprehensive approach to the principles of identity and asset management. In addition to managing privilege with care, it is also vital to record all user actions in order to be able to create an audit trail in the event of a breach. Finally, adding and removing rights, called provisioning and de-provisioning, must not have a negative impact on productivity. Policies must be in place to add privileges as needs arise and to remove them when projects are completed or employment contracts come to an end.
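The three requirements above (access only where specifically authorized, a record of every action, and rights that are removed when no longer needed) can be sketched in a few lines. This is an added illustration, not code from any IEC or ISO/IEC standard; the class, the user and resource names and the dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class AccessPolicy:
    # (user_id, resource) -> expiry time of the grant; no entry means no access
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, when, actor, action, resource, outcome):
        # Every decision and every change of rights lands in the audit trail
        self.audit_log.append({"time": when.isoformat(), "actor": actor,
                               "action": action, "resource": resource,
                               "outcome": outcome})

    def provision(self, admin, user, resource, expires, now):
        # Rights are granted per resource and always carry an end date
        self.grants[(user, resource)] = expires
        self._record(now, admin, f"provision:{user}", resource, "granted")

    def deprovision(self, admin, user, resource, now):
        removed = self.grants.pop((user, resource), None) is not None
        self._record(now, admin, f"deprovision:{user}", resource,
                     "removed" if removed else "no-grant")
        return removed

    def is_authorized(self, user, resource, now):
        expires = self.grants.get((user, resource))
        if expires is None:
            outcome = "denied:no-grant"      # deny by default
        elif now >= expires:
            del self.grants[(user, resource)]  # expired grant is de-provisioned
            outcome = "denied:expired"
        else:
            outcome = "allowed"
        self._record(now, user, "access", resource, outcome)
        return outcome == "allowed"

def demo():
    # Constructed sample data: one engineer, one 30-day project grant
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    policy.provision("admin1", "alice", "substation-hmi", t0 + timedelta(days=30), t0)
    results = [
        policy.is_authorized("alice", "substation-hmi", t0 + timedelta(days=1)),
        policy.is_authorized("alice", "billing-db", t0 + timedelta(days=1)),
        policy.is_authorized("alice", "substation-hmi", t0 + timedelta(days=31)),
    ]
    return results, policy

if __name__ == "__main__":
    results, policy = demo()
    print(results)
    print(*policy.audit_log, sep="\n")
```

Denied requests are logged as well as allowed ones, so the audit trail shows attempts to reach resources a user was never authorized for.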

Authentication and authorization

A number of international standards deal with the process of authentication – when the identity of a device and user is verified – and authorization, which establishes whether a user can access a specific asset with her or his level of privilege. These include, for example, the IEC 62443 series and the ISO/IEC 27000 family of standards cited above. IEC 60839-11-5 covers physical access controls, including biometrics, such as fingerprints and iris scans, and cards.

An IEC technical report currently in development will provide guidance on role-based access control (RBAC) for intelligent electronic devices and applications at electrical substations. The aim is to tie role-based access control and permissions – as defined in IEC 62351 standards – to IEC 61850 devices and applications.

IEC Standards take a holistic approach to risk mitigation by addressing not only technologies and procedures, but also people. Training and capacity building activities are seen as essential for raising awareness and for creating a healthy cyber security culture. This is especially important at a time when more people than ever before are teleworking as a consequence of the coronavirus pandemic. The current situation is adding to the complexity of access control, as users log into multiple enterprise applications and subnetworks from their home environments. IEC Standards help organizations to manage roles and to distribute network rights efficiently while achieving a satisfactory trade-off between usability and security.