Best Practices in Cybersecurity

Topic: Secure Remote Access

Vendors Identified: 30

Academic Institute: George Mason University

Sponsored by: Protect Our Power

Date of Report: August 2020

Best Practices in Cybersecurity for Utilities: Secure Remote Access

Kai Zeng and Zhihao Li
Wireless Innovation and Cybersecurity Lab
Department of Electrical and Computer Engineering
George Mason University, Fairfax, VA 22030
Emails: {kzeng2, zli34}@gmu.edu

August 2020

This study is sponsored by Protect Our Power (https://protectourpower.org/).

Abstract

Nowadays, remote Internet access to assets is a common practice and performed daily across all organizations that operate critical infrastructures, such as energy and power utilities. Parallel to the general Information Technology (IT) environments, remote access is prevalent in Operational Technology (OT) environments as well to operate more critical Industrial Control Systems (ICS), like Supervisory Control and Data Acquisition (SCADA) and Distributed Control System (DCS) with embedded Programmable Logic Controller (PLC) and Remote Telemetry Unit (RTU). This remote Internet access to an OT environment could lead to detrimental consequences if abused.

Recognizing the utmost importance of securing remote Internet access for power utilities, this report aims to identify best-practice secure remote access solutions and products on the market. First, in Part I, we provide a literature review of the functions and services of remote and privileged access control, as well as the identified attacks that could endanger the control system of the power grid. We also introduce the standards, regulations, and guidelines released by government and industry on secure remote access. Second, in Part II, we conduct a thorough search of the vendors providing secure remote access products or solutions and summarize a vendor list with 30 companies that offer such security services. Third, in Part III, based on the North American Electric Reliability Corporation (NERC) standard, we identify the key functionalities a secure remote access product should provide and design criteria to assess these functionalities. Finally, in Part IV, we present a comparative matrix of secure remote access products provided by 14 vendors according to the designed criteria. Best practice recommendations for secure remote access solutions are then provided based on the evaluation results.

Table of Contents

Abstract 3
List of Acronyms 5
Part I: Secure Remote Access Control in Electric Grid: Literature Review 6
  1. Introduction 6
  2. Remote Access Control and Privileged Access Control 7
    2.1. Remote Access Control (RAC) 7
    2.2. Privileged Access Control (PAC) 9
  3. Secure Privileged Access Control 11
    3.1. Related standards and guidelines 12
    3.2. NERC guidance and required features 12
Part II: Vendors of Secure Remote Access Solutions 14
Part III: Criteria for Secure Remote Access 20
  1. Key Functionalities for Secure Remote Access 20
    1.1 User identification 20
    1.2 Secure communication 20
    1.3 Access management (access policy granularity) 20
    1.4 Monitoring, logging, and alerting 21
    1.5 Accountability with full audit 21
  2. Evaluation Criteria 22
  3. Criteria Design and Scoring Rules 23
    3.1 Criteria design 23
    3.2 Weight assignment 24
    3.3 Criteria scoring rules 25
Part IV: Vendor Comparison and Best Practice Recommendation 27
  1. Comparative Matrix 27
  2. Evaluation Results Discussion 29
  3. Best Practice Recommendation 29
References 31

List of Acronyms

AES  Advanced Encryption Standard
BYOD  Bring-your-own-device
CIP  Critical Infrastructure Protection
CPNI  Centre for the Protection of National Infrastructure
DCS  Distributed Control System
DNP3  Distributed Network Protocol 3
IAM  Identity and Access Management
ICS  Industrial Control System
ID  Identity
IED  Intelligent Electronic Device
HTTPS  Hypertext Transfer Protocol Secure
IP  Internet Protocol
IT  Information Technology
LAN  Local Area Network
MFA  Multi-factor Authentication
NERC  North American Electric Reliability Corporation
NIST  National Institute of Standards and Technology
NISTIR  NIST Interagency/Internal Report
NISTSP  NIST Special Publication
PAC  Privileged Access Control
PAM  Privileged Access Management
PC  Personal Computer
PLC  Programmable Logic Controller
PSM  Privilege Session Manager
OT  Operational Technology
OSVDB  Open-Source Vulnerability Database
RAC  Remote Access Control
RAP  Remote Access Platform
RDP  Remote Desktop Protocol
RTU  Remote Telemetry Unit
RSA  Rivest–Shamir–Adleman
SCADA  Supervisory Control and Data Acquisition
SDN  Software Defined Networking
SRA  Secure Remote Access
SMS  Short Message Service
SSH  Secure Shell
SSL  Secure Sockets Layer
TLS  Transport Layer Security
VNC  Virtual Network Computing
VPN  Virtual Private Network

Part I: Secure Remote Access Control in Electric Grid: Literature Review

1. Introduction

Industrial Control Systems (ICS) play a vital role in critical infrastructures, such as the power grid. The requirements for their high availability and proper functioning demand that the systems be protected from both intentional and unintentional incidents. In the past, risks to these systems were mitigated by ensuring complete separation of operational domains from information domains and external networks. Access to the control functions in the operational domain was limited to authorized users with physical access to a facility. Today, business demands, like increasing online access to real-time data or electric infrastructures, have led to the rapid adoption of modern Internet technologies in critical infrastructures (e.g., the power grid), which accelerates the interconnectivity of these once isolated industrial systems. Internet connectivity has empowered asset owners to maximize business operations and reduce the costs associated with equipment monitoring, upgrading, and troubleshooting, while creating a new security paradigm for protecting control systems from cyber incidents.

Part of the security equation in critical infrastructures involves how operational assets are accessed and managed, and how the cybersecurity of control systems is impacted by such access. Remote access to assets is a common practice and is performed daily across all organizations that operate critical infrastructures, such as energy and power utilities, oil and gas, etc. Parallel to the general Information Technology (IT) environment, remote access is prevalent in Operational Technology (OT) environments to operate more critical Industrial Control Systems (ICS), like Supervisory Control and Data Acquisition (SCADA) and Distributed Control System (DCS) with embedded Programmable Logic Controller (PLC) and Remote Telemetry Unit (RTU). Remote access to an OT environment could lead to detrimental consequences if abused. Besides general remote access, privileged access is another essential paradigm. Privileged accounts have administrative permission to view or alter sensitive information and system settings, and they are often shared by multiple users for remote access to the systems. In many cases, they have default or weak passwords, with no structured policies to manage and enforce who has access rights, and when and how they should be replaced. The risk becomes more severe and critical when third parties and vendors enter the network with privileged access.

Recent findings highlight the vulnerabilities of privileged remote access, leading organizations to review their remote access systems and implement measures to mitigate the risks. One critical threat is that cyber-attacks could utilize privileged accounts to access the OT domain. The Open-Source Vulnerability Database (OSVDB) shows that, through the end of 2014, more than 85% of all ICS vulnerabilities had been disclosed since 2011, the year following the discovery of Stuxnet [1]. On December 23, 2015, the cyber-attack on the Ukrainian power grid caused approximately 225,000 customers to lose power across various areas. The attacker illegally entered the company's computers and gained access to each level of the SCADA systems [2]. In September 2017, security firm Symantec warned that a series of recent attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid controls, enough to induce blackouts [3, 4]. In July 2018, it was reported that Russian hackers had infiltrated the control rooms of multiple electric utilities over the preceding years, gaining the ability to cause blackouts and grid disruption [5]. Besides, cybersecurity researchers at Tel Aviv University and the Technion Institute of Technology have discovered critical vulnerabilities in the Siemens S7 Simatic PLC, one of the world's most secure PLCs, which is used to run industrial processes [6].

The above cybersecurity incidents demonstrate the importance of securing the remote access process for utilities and critical infrastructures. In these incidents, either the security requirements of remote access were not well understood by the organizations or the security policies were not fully implemented [7,8]. Furthermore, secure remote access solutions designed for IT systems may not adequately consider control system environments [9,10,11]. Therefore, a thorough survey and analysis of the best practice solutions for secure remote access are needed.

2. Remote Access Control and Privileged Access Control

Secure remote access is becoming more essential in managing and maintaining critical infrastructure, given the increasing demands for real-time asset monitoring, upgrading, and troubleshooting in power grids. Remote Access Control (RAC) and Privileged Access Control (PAC) are built to handle customer-facing business and to let engineers or third parties access cyber assets, repair system problems, and address the security of the communications that carry the information.

RAC and PAC are both vital functions involved in remote Internet access. We provide a review for both functions below.

2.1. Remote Access Control (RAC)

Nowadays, electricity utilities provide various kinds of access for their customers and third parties to their power systems for electricity generation, transmission, and trading [12]. Customer identity and general access are built for handling customer-facing business. Utilities also provide remote access for engineers or third parties to cyber assets in order to troubleshoot the systems. This provides a mechanism to monitor and manage power system operation and status beyond the boundaries of normally-authorized users and of access that requires an escort.

As shown in Fig. 1, the integrated cyber architecture of a control system has connections from external sources such as the corporate Local Area Network (LAN), peer sites, vendor sites, and the Internet [9]. The external communications infrastructure can be localized or distributed across large geographic areas, as illustrated. It supports various connectivity to remote operations, remote facilities, business partners, and vendors. It is the current de facto mechanism for remote users to gain access to business or system operations.

Fig. 1. Secure remote access (source: Control System Security Program, National Cyber Security Division, https://www.us-cert.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf)

The integrated cyber architecture, if not properly secured, could provide attackers with various avenues for accessing critical systems and components in the vital infrastructure. Thus, the issue of system convergence raises concerns regarding how attackers could create vectors into control architectures by compromising trusted resources in remote operations, remote facilities, remote business partners, and even vendors.

Remote access control is a critical function to thwart unauthorized access to cyber assets in critical infrastructure. General access control systems provide all the essential services of authorization, identification and authentication, access approval, and accountability, as defined below [17]:

1. Authorization specifies what a subject can do.
2. Identification and authentication ensure that only legitimate subjects can log on to a system.
3. Access approval grants proper access during operations to the user based on the authorization policy.
4. Accountability identifies what a subject (or all subjects associated with a user) did.

Authentication and access control are often combined into a single operation, as specific access is approved after successful authentication. The access policy defines the specific access boundaries and permitted operations across the whole system. For access control management, there are four basic operations: allowing access, denying access, limiting access, and revoking access. Limiting access, which refers to fine-grained policy settings, is a complicated task, but it should always follow the principle of least privilege. The standard policy models we commonly encounter in systems include [13,14,18,19]:

1. Discretionary access control: the system owner determines who can access specific resources.
2. Mandatory access control: the owner does not decide who gets to access the resource; instead, access is determined by a group or individual who has the authority to set access.
3. Role-based access control: similar to mandatory control, but access is based on the role the individual being granted access is performing.
4. Attribute-based access control: access rights are granted to users through policies that evaluate attributes (user attributes, resource attributes, and environment conditions).
5. Multilevel access control: used where the access control models above are not robust enough to protect the information to which we are controlling access.
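To make the models above concrete, the following is an added example (not code from the report or from any vendor it surveys) of a small policy evaluator in which each rule is written in the style of one model: a discretionary rule keyed on the resource owner, a role-based rule, and attribute-based rules that combine user, resource, and environment attributes. It goes slightly beyond the list by showing how a deny rule on the environment (source network) overrides every allow, and how a request no rule matches is denied by default, which is the least-privilege principle expressed as policy. All rule names, attribute names, users, and resources are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str            # "allow" or "deny"
    actions: Set[str]      # actions this rule speaks about
    condition: Condition   # (user, resource, environment) -> bool


@dataclass
class Decision:
    allowed: bool
    matched: List[str] = field(default_factory=list)  # rules that matched, in order


def evaluate(rules: List[Rule], user: Attrs, resource: Attrs, action: str, env: Attrs) -> Decision:
    """Deny-overrides evaluation with default deny.

    A matching deny rule ends evaluation immediately; otherwise at least one
    matching allow rule is needed. A request that no rule speaks about is
    denied, which is how least privilege is expressed in policy terms.
    """
    matched: List[str] = []
    allowed = False
    for rule in rules:
        if action in rule.actions and rule.condition(user, resource, env):
            matched.append(rule.name)
            if rule.effect == "deny":
                return Decision(False, matched)
            allowed = True
    return Decision(allowed, matched)


# Constructed policy set; each rule is labelled with the model it represents.
RULES: List[Rule] = [
    # Discretionary: the resource owner may do anything with their own resource.
    Rule("dac-owner", "allow", {"read", "write"},
         lambda u, r, e: r.get("owner") == u["id"]),
    # Role-based: operators and engineers may read OT resources.
    Rule("rbac-ot-read", "allow", {"read"},
         lambda u, r, e: u["role"] in {"operator", "engineer"} and r["zone"] == "ot"),
    # Attribute-based: writes to OT need the engineer role, MFA, and an open change window.
    Rule("abac-ot-write", "allow", {"write"},
         lambda u, r, e: u["role"] == "engineer" and r["zone"] == "ot"
         and e["mfa_verified"] and e["change_window_open"]),
    # Attribute-based: a vendor may touch only devices registered to its own
    # organisation, with MFA and an approved support ticket.
    Rule("abac-vendor", "allow", {"read", "write"},
         lambda u, r, e: u["role"] == "vendor" and r.get("vendor_org") == u["org"]
         and e["mfa_verified"] and e.get("ticket") is not None),
    # Environment condition that overrides everything: OT is reachable only
    # from the corporate LAN or through the intermediate jump host.
    Rule("deny-unknown-network", "deny", {"read", "write"},
         lambda u, r, e: r["zone"] == "ot"
         and e["source_network"] not in {"corporate", "jump_host"}),
]

# Constructed sample subjects and objects.
ENGINEER = {"id": "eng01", "role": "engineer", "org": "utility"}
OPERATOR = {"id": "op07", "role": "operator", "org": "utility"}
VENDOR = {"id": "v-42", "role": "vendor", "org": "acme-plc"}
PLC = {"id": "plc-substation-3", "zone": "ot", "vendor_org": "acme-plc"}
NOTES = {"id": "doc-9", "zone": "it", "owner": "op07"}


def check(user: Attrs, resource: Attrs, action: str, **env: Any) -> Decision:
    """Apply the constructed RULES with conservative environment defaults."""
    environment: Attrs = {"mfa_verified": False, "change_window_open": False,
                          "source_network": "internet"}
    environment.update(env)
    return evaluate(RULES, user, resource, action, environment)


if __name__ == "__main__":
    requests = [
        (ENGINEER, PLC, "write", dict(mfa_verified=True, change_window_open=True, source_network="jump_host")),
        (OPERATOR, PLC, "write", dict(mfa_verified=True, source_network="corporate")),
        (VENDOR, PLC, "read", dict(mfa_verified=True, ticket="T-1001")),
        (VENDOR, PLC, "read", dict(mfa_verified=True, ticket="T-1001", source_network="jump_host")),
        (OPERATOR, NOTES, "write", {}),
    ]
    for who, what, act, env in requests:
        d = check(who, what, act, **env)
        print(f"{who['id']:>6} {act:5} {what['id']:18} -> {'ALLOW' if d.allowed else 'DENY '} via {d.matched}")
```

The vendor request from the Internet is the instructive case: the attribute-based vendor rule matches, but the environment deny rule matches too and wins, which is exactly the "intermediate device" pattern the NERC guidance later in this report calls for.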

2.2. Privileged Access Control (PAC)

To maintain and update systems, some vendors and users have the privilege to access critical components (e.g., databases, servers, domains, and networks) as well as to handle IT admin accounts. Privileged access has produced many benefits for system maintenance, but also severe problems and vulnerabilities. According to a Forrester report [15], the misuse or abuse of privileged credentials and access is implicated in roughly 80% of IT security breaches, and 69% of surveyed respondents reported they had suffered security breaches resulting from vendor privileged access [16]. Cybercriminals covet privileges and privileged access because it can expedite access to an organization's most sensitive targets. With such privileged credentials and access, a cyber attacker or piece of malware essentially becomes an "insider," which brings severe endangerment.

In most control operations, the roles that would require remote access to assets may include, but are not limited to, system operators and engineers, vendors, business partners, reporting or regulatory entities, and customers. When managing user accounts, companies should set a clear division between general accounts and privileged accounts. The benefit of doing this is twofold. First, general accounts and privileged accounts have vastly different needs and requirements. Second, compartmentalization helps prevent cross-contamination. That is, if something goes wrong in the general account system, it won't affect the privileged account system, or vice versa. The general account mainly helps companies manage general affairs, like creating consumer identities and controlling customer access capabilities. By contrast, PAC offerings are more geared toward internal employee or vendor permissions and business-to-business/government relations.

Specifically, privileged users, wherever and whenever they access the networks, usually have administrative permissions to view or alter sensitive information or systems, such as critical systems (e.g., confidential databases, servers, domains, and networks) and IT admin accounts. The major risks associated with privileged access are listed as follows [9,20]:

1. Attackers can use captured or guessed credentials to impersonate the privileged user.
2. The target system can be impersonated by an attacker to deceive the user and thus gain the credentials of the target system.
3. Most privileged users have administrator access on their machines.
4. Lack of auditing and control over privileged users, especially for root accounts.
5. No session monitoring or recording of privileged users.
6. Uncontrolled or "all or nothing" principle for inside users and third-party access.
7. No singular or clear picture of threats or what to do about the privileged users.
8. Disorganized and chaotic directory services infrastructure, with multiple logins required and inconsistent policy.
9. Gaps in management between privileged and non-privileged identities.
10. Individual patching, management, and inconsistent policies by applications.

It is reported that hackers infiltrated the control rooms of certain US electric utilities in 2018 [5,21]. In the attack, hackers compromised a third-party vendor. They used a watering-hole attack at the third-party vendor together with spear-phishing emails. After that, the hackers obtained the highest-level privileged credentials available to access the utility network. Since the attacker holds legitimate credentials, utilities may not know they have been compromised. This attack pattern is called the cyber-attack chain, as shown in Fig. 2, where privileged credentials play an essential role [22, 23].

Fig. 2. Method of cyber-attack chain (source: BeyondTrust, https://www.beyondtrust.com/blog/entry/stopping-cyber-attack-chain-privilege-vulnerability-management)

3. Secure Privileged Access Control

In large organizations, many employees and some specific third-party vendors may hold privileged remote access accounts. Hence, the risk of inflicting damage, whether intentional or accidental, increases. In practice, a password may be manually changed by one of the IT or operations personnel without informing the relevant parties, which may cause hours of delay in recovering from a failure and other damages. At the same time, productivity will be hindered without a built-in process to efficiently request and approve remote access. Thus, there are significant challenges in privileged access control that need to be addressed.

There are many security benefits to adopting secure privileged access control solutions. Privileged access control solutions help companies record who has access to what, as well as user behaviors. To maximize security, such a solution typically centralizes the storage of privileged credentials and the administration of access. Administrators can create databases, record user account histories, and view approved privileges, all of which help simplify the onboarding process. They can quickly create new accounts and enable new users to access systems. For those users who are no longer authorized, administrators can promptly restrict and revoke their privileges or even delete their accounts.

In the access process, these solutions can provide an identity to each user with a set of permissions for privileged access. They allow the administrator to gain greater control over the legitimate users who enter and view sensitive data. They also provide identity lifecycle management features to create, edit, and eliminate a user's privileged access permissions. Meanwhile, they can monitor privileged access behaviors and alert the administrator when an anomaly is detected. Besides, the recorded privileged access activities are documented for accountability and investigation, as well as subsequent cybersecurity risk mitigation.

3.1. Related standards and guidelines

It is crucial to design effective and secure privileged access solutions in critical control systems. Various regulations and guidelines regarding secure remote access for control systems have been released by government and industry:

1. The National Institute of Standards and Technology (NIST) SP 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations [14].
2. NIST Interagency/Internal Report (NISTIR) 7628 Rev 1: Guidelines for Smart Grid Cybersecurity [24].
3. NIST Special Publication (NIST SP) 800-82 Rev 2: Guide to Industrial Control Systems (ICS) Security [25].
4. Homeland Security, Centre for the Protection of National Infrastructure (CPNI): Configuring and Managing Remote Access for Industrial Control Systems, Control System Security Program, November 2010.
5. NERC Industry Advisory: Guidance for Secure Interactive Remote Access, 2011 [11].
6. NERC Lesson Learned, Critical Infrastructure Protection (CIP) Version 5 Transition Program: Interactive Remote Access [26].
7. NERC: Remote Access Study Report: Critical Energy/Electric Infrastructure Information Has Been Redacted, 2017 [27].
8. Buyer's Guide for Complete Privileged Access Management (PAM), BeyondTrust [16].
9. Privileged Access Threat Report, 2019, BeyondTrust [21].
10. The Forrester Wave: Privileged Identity Management, Q4 2018 [16].

3.2. NERC guidance and required features

Among the various industry guidelines on how to secure remote access in critical infrastructure networks, the guidelines recommended by NERC (North American Electric Reliability Corporation) [11] are widely adopted in practice. Common remote access use cases include:

1. A company employee on the corporate network needs access to data that resides in the control network. This access to information could be a read-only operation or an interactive session.
2. Emergency and off-hours activities that require a company employee to connect to the ICS network through an Internet connection.
3. Vendors connect remotely to perform maintenance or support the ICS network using an Internet-based connection.
4. Field maintenance employees connect through a mobile (public network-based) connection from the field.

The NERC secured access recommendations include:

1. Using encrypted and securely authenticated access controls when interactively and remotely accessing control and monitoring systems.
2. Utilization of multi-factor authentication (two or more factors) when authenticating users.
3. Provision of specific and personal accounts for remote access.
4. Implementation of intermediate devices as virtual private network (VPN)/encryption termination devices and multi-factor authentication devices.
5. Implementing an inactivity timeout to automatically disconnect the remote interactive access after a predefined period of inactivity.
6. Implementing logging and monitoring of all user activity, including file transfers and program activation at the access point, as part of the proxy server, or with a specialized device for accountability.
7. Implementing an account lockout feature such that an account is locked out for a period of time following a predetermined number of repetitive and unsuccessful login attempts.
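Recommendations 2, 5, 6 and 7 above are session-level controls that an intermediate access device enforces itself. The following is an added example, not code from the report or from any of the vendors it surveys, of a minimal gateway that applies them: personal accounts with a password check plus an MFA result, lockout after a fixed number of failed attempts, disconnection after a period of inactivity, and an append-only audit trail of every login attempt, lockout, timeout and in-session action. The policy values (3 attempts, 900-second lockout, 600-second inactivity timeout), the user store and the MFA flag are constructed; time is passed in explicitly so the behaviour can be checked without waiting. The password hashing is a stand-in for whatever authenticator the real device uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # constructed value; a production setting would be higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, stored as salt || digest."""
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Policy:
    max_failures: int = 3          # recommendation 7: attempts before lockout
    lockout_seconds: int = 900     # recommendation 7: lockout duration
    inactivity_seconds: int = 600  # recommendation 5: idle disconnect


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_activity: float


class RemoteAccessGateway:
    def __init__(self, users: Dict[str, bytes], policy: Policy):
        self._users = users          # personal accounts (recommendation 3)
        self._policy = policy
        self._accounts: Dict[str, AccountState] = {}
        self._sessions: Dict[str, Session] = {}
        self.audit: List[str] = []   # recommendation 6: log everything

    def _log(self, now: float, event: str, user: str, detail: str = "") -> None:
        self.audit.append(f"t={now:.0f} user={user} event={event} {detail}".rstrip())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._accounts.get(user, AccountState()).locked_until

    def login(self, user: str, password: str, mfa_ok: bool, now: float) -> Optional[str]:
        """Return a session id on success, None otherwise. A wrong password or a
        failed second factor both count towards the lockout threshold."""
        state = self._accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            self._log(now, "login_rejected_locked", user)
            return None
        if user in self._users and verify_password(password, self._users[user]) and mfa_ok:
            state.failures = 0
            sid = secrets.token_hex(8)
            self._sessions[sid] = Session(user, now)
            self._log(now, "login_success", user, f"session={sid}")
            return sid
        state.failures += 1
        self._log(now, "login_failure", user, f"failures={state.failures}")
        if state.failures >= self._policy.max_failures:
            state.locked_until = now + self._policy.lockout_seconds
            state.failures = 0
            self._log(now, "account_locked", user, f"until={state.locked_until:.0f}")
        return None

    def activity(self, sid: str, action: str, now: float) -> bool:
        """Record an in-session action (file transfer, program start, ...).
        Returns False if the session is unknown or has expired through inactivity."""
        session = self._sessions.get(sid)
        if session is None:
            return False
        if now - session.last_activity > self._policy.inactivity_seconds:
            del self._sessions[sid]
            self._log(now, "session_timeout", session.user, f"session={sid}")
            return False
        session.last_activity = now
        self._log(now, "activity", session.user, f"session={sid} action={action!r}")
        return True

    def active_sessions(self) -> int:
        return len(self._sessions)


# Constructed user store: one personal account with a constructed password.
USERS = {"eng01": hash_password("correct-horse-battery", secrets.token_bytes(16))}


if __name__ == "__main__":
    gw = RemoteAccessGateway(USERS, Policy())
    for t in (0, 1, 2):
        gw.login("eng01", "wrong", True, now=t)        # three failures -> lockout
    gw.login("eng01", "correct-horse-battery", True, now=4)    # rejected while locked
    sid = gw.login("eng01", "correct-horse-battery", True, now=903)
    gw.activity(sid, "file_transfer config.bin", now=1000)
    gw.activity(sid, "start_program", now=1700)        # idle 700 s > 600 s -> timeout
    print("\n".join(gw.audit))
```

Two details matter for an auditor reading the trail: a correct password presented during the lockout window is still rejected and logged as such, and the idle timeout is evaluated when the next action arrives, so the log shows the action that was refused rather than silently dropping the session.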

Based on existing standards and practical solutions, commonly required features and functionalities for privileged access management are listed below [28]:

1. The principle of least privilege.
2. Defense-in-depth, in support of the first principle.
3. Local access — Local access functionality facilitates administrative access to on-premises systems, legacy applications, web-based applications, network resources, and servers.
4. Multi-factor authentication (MFA) — MFA or 2FA functionality adds a supplementary level of security for systems by requiring SMS codes, security questions, or other verification methods before granting access.
5. Bulk changes — Bulk change functionality can simplify administration, federation, and identity governance by managing large amounts through batch update capabilities.
6. BYOD support — Bring-your-own-device (BYOD) features enable users to use their own device(s) to access company applications.
7. Bidirectional profile synchronization — Synchronization keeps all profile attributes consistent across applications, whether the change is made in the provisioning system or in the app.
8. Policy management — Policy management helps administrators establish various policies that govern authentication and access rights.
9. Approval workflows — Process and approval workflows allow business stakeholders and administrators to approve or reject requested changes to access via a defined workflow.
10. Compliance audits — Auditing checks compliance with standards and policies while proactively monitoring access rights against predefined requirements.
11. Smart provisioning — Self-learning or automated provisioning helps reduce the amount of manual work associated with creating access rights, as well as managing changes and removals for on-premises and cloud-based applications.

Part II: Vendors of Secure Remote Access Solutions

We conducted a survey of the vendors who provide secure remote access solutions or products on the market. The vendors and their secure remote access solutions are listed below.

1. Claroty: [email protected] (https://www.claroty.com/secure-remote-access) The Claroty Platform is an integrated set of cybersecurity products that provides extreme visibility, unmatched cyber threat detection, secure remote access, and risk assessments for industrial control networks (ICS/OT). Secure Remote Access (SRA) is the policy-based access control product within the Claroty Platform. SRA minimizes the risks of remote users, including employees and 3rd party vendors, introduced to OT networks. It provides a single, manageable interface that all external users connect through, prior to performing software upgrades, periodic maintenance, and other support activities on assets within industrial control system networks. It complies with NERC regulations.

2. Nextnine: [email protected] (https://nextnine.com/secure-remote-access/) NextNine is a leader in Operational Technology (OT) security management software for industrial and critical infrastructure, markets that are vulnerable to cybersecurity attacks and are underserved by traditional enterprise IT solutions. NextNine's solution provides centralized OT security management for the entire SCADA/ICS environment. It provides a framework for unifying the management of remote access based on centralized authentication, granular authorization, and session accounting and control. The solution also includes a password vault for authenticating remote users without sharing device credentials, and it allows secure file distribution and data transfer from remote devices to the central operations and security center on behalf of the remote user.

3. Securelink: [email protected] (https://www.securelink.com/industries/energy/) SecureLink is used for energy sector IT support by large-scale organizations as it provides the necessary protection without hampering the ability to comply with government regulations, be transparent for auditing purposes, and be receptive to support and maintenance activities from vital energy sector IT support technicians. The goal of the SecureLink platform is to minimize workflow disruption while enabling secure third-party remote access for the energy industry. The platform complies with NERC/FERC regulations.

4. CYBERX: [email protected] (https://cyberx-labs.com/secure-remote-access/) By integrating with leading privileged access management platforms such as CyberArk PSM and others, CyberX ensures secure remote access by immediately alerting on any unauthorized use of remote access credentials. What’s more, CyberX’s auditing and forensic tools enable streamlined investigations and rapid response to remote access incidents.

5. Centrify: [email protected] (https://www.centrify.com/privileged-access-management/privileged-access-service/secure-remote-access/) Centrify provides IT administration teams, outsourced IT, and third-party vendors with secure, granular access to critical infrastructure resources regardless of location and without the hassles of a VPN. Centrify Privileged Access Service enables secure remote access to the data center and cloud-based infrastructures through a cloud-based service or on-premises deployment.

6. Cyberark: (https://www.cyberark.com/resource/cyberark-nerc-secured-remote-access/) CyberArk’s Privileged Account Security Solution is a comprehensive solution for password management, continuous activity monitoring, and compliance of privileged access to the OT/ICS environment. Using a common infrastructure, organizations can isolate, control, and monitor all privileged sessions, whether on servers, databases, or virtual machines, providing both ease of management and unified reports for times of audit. This enables controlling and securing all privileged activity in a single solution.

7. Dragos: [email protected] (https://dragos.com/) The Dragos Platform is industrial cybersecurity software that identifies industrial assets, pinpoints malicious activity, and provides step-by-step guidance to investigate incidents and respond. It combines the functionality of an OT security incident and event management system, a network detection and anomaly system, and an incident response platform with the experience and intelligence of the Dragos team, without a "bake-in" period.

8. BeyondTrust: [email protected] (https://www.beyondtrust.com/solutions) BeyondTrust privileged access management platform is an integrated solution that provides visibility and control over all privileged accounts and users. By uniting the broadest set of privileged security capabilities, the platform simplifies deployments, reduces costs, improves usability, and reduces privilege risks.

9. Indegy: [email protected] (https://www.indegy.com/power-utilities-cyber-security/) The Indegy platform passively monitors standard operational communication protocols (like Modbus and DNP3) and provides in-depth, real-time visibility into all activities performed over the operational network. It captures all changes to programmable logic controllers (PLCs) and remote terminal units (RTUs), whether performed over the network or directly on the physical devices. It conducts periodic verification of controller device firmware, application, and configuration to provide visibility with details for each controller.

10. Attila Cybertech: [email protected] (https://www.attilatech.com/aboutus) Attila Cybertech is an Operational Technology (OT) cybersecurity firm. It secures critical assets through a holistic approach with a range of solutions from risk assessment to secured network design, selection, configuration, and testing of industrial control systems (such as SCADA, DCS, PLC, RTU) as well as various industrial protocols and process control systems.

11. Bayshore Networks: [email protected] (https://www.bayshorenetworks.com/ot-access) Bayshore's solution for energy, OT Access (Industrial Access Control), is the first dedicated policy-enforcing secure remote access solution for mission-critical OT environments. OT Access is purpose-built for manufacturing, utilities, oil, and gas, as compared to today's security options, which include enterprise VPN or software-defined networking tools built for non-industrial enterprise environments. OT Access is now available for subscription-based purchase online.

12. Blue Ridge Networks: [email protected] (https://www.blueridgenetworks.com/) LinkGuard outperforms complex and insecure solutions like firewalls and TLS or IPsec VPNs and has been heavily tested. LinkGuard devices are deployed to isolate and contain critical assets within an encrypted overlay to protect systems and provide secure connectivity. End-to-end encrypted tunnels are pre-configured without dependence on the networking equipment used to carry the tunneled traffic. EdgeGuard enables secure remote access by isolating the session (and OT systems) from possible pre-existing malware on the PC of the accessor and preventing malware-mediated theft of credentials. EdgeGuard enforces two-factor mutual authentication, using non-enterprise credentials, for all remote access users.

13. One Identity: [email protected] (https://www.oneidentity.com/solutions/privileged-access-management/) One Identity's solutions for identity and access management eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts, and control access.

14. Nozomi Networks: [email protected] (https://www.nozominetworks.com/) Nozomi Networks delivers cybersecurity solutions to the electricity industry. By applying network behavioral analytics to ICS environments, its flagship product, SCADAguardian, delivers real-time visibility into process network communications and configurations. Its ICS network mapping and automated process analysis detect cyber attacks and operational missteps for immediate remediation.

15. Siemens CROSSBOW: [email protected] (https://new.siemens.com/global/en/products/energy/energy-automation-and-smart-grid/grid-security.html) Siemens offers a certified secure remote access solution optimized for the needs of power system operators. The RUGGEDCOM CROSSBOW solution focuses on delivering productivity gains for administrators and users while achieving full NERC compliance in managing, securing, and reporting on remote access. The combination of the CROSSBOW Secure Access Management server and the CROSSBOW Station Access Controller for local substation access forms an integrated, comprehensive solution with a seamless configuration environment. User access is governed by the appropriate authentication model (e.g., RSA SecurID), and all user activity is logged and reported per the NERC CIP specification.

16. Honeywell: (https://www.honeywell.com/en-us/remote-access) Honeywell’s ICS Shield™ OT cybersecurity management platform is designed for securing connected industrial control system (ICS) environments.

17. ABB: [email protected] (https://new.abb.com/uk/about/our-businesses/power-grids) ABB’s Remote Access Platform (RAP) is designed to provide remote support, as well as continuous remote monitoring and diagnostics. RAP security features address the concerns of IT administrators on security issues that surround remote support technologies.

18. Owl Cyber Defense: [email protected] (https://owlcyberdefense.com/learn-about-data-diodes/) Owl Commercial Products are designed to provide deterministic data transfer in only one direction (unidirectional), to segment and protect networks, devices, and other digital assets (databases, historians, SCADA, PLCs, DCS, etc.) from external cyber threats.

19. Senhasegura: [email protected] (https://senhasegura.com/en/products/access-management-pam/) Senhasegura is a Privileged Access Management solution whose purpose is to store, manage, and monitor high-privilege passwords for routers, load balancers, systems, databases, and many other devices. It centralizes access management in order to protect and control the use of generic and high-privilege credentials, providing secure storage, access segregation, and full traceability of use.

20. SSH.com: [email protected] (https://www.ssh.com/iam/pam/) PrivX is an access management gateway that is fast to deploy and simple to maintain. PrivX advances security by allowing connections for only the amount of time needed, removing the dependency on passwords, controlling access to both cloud-hosted and on-premises applications, and interfacing directly with the identity management system.

21. SUBNET: (http://www.subnet.com/news-events/white-papers/unified-ied-management-solution-whitepaper.aspx) SUBNET provides unified Intelligent Electronic Device (IED) access control security with an integrated system of IED access management and password management. For electric utility professionals who need to access and manage IEDs, SUBNET offers a software solution that provides simple, effortless, and secure remote access to field IEDs. This secure solution complies with both internal IT and legislated cybersecurity policies, including NERC Critical Infrastructure Protection (CIP) requirements.

22. TDi Technologies: [email protected] (https://www.tditechnologies.com/) TDi’s ConsoleWorks platform enforces end-user role-based access to manage rights and privileges on both IT and OT assets, monitors and manages asset configurations, and provides secure remote access to assets. ConsoleWorks does this without requiring agents on endpoint assets.

23. Thycotic: [email protected] (https://thycotic.com/) Thycotic provides endpoint privilege management and application control software. Its Privileged Account Management (PAM) tools protect privileged credentials on new, custom, and legacy systems from unauthorized access and misuse, with security controls that limit access to sensitive information and curtail an attacker’s ability to move unhindered through an IT environment.

24. WALLIX: (https://www.wallix.com/en/remote-access-security/) WALLIX provides Privileged Access Management (PAM) with the following functions: secure the passwords used to connect to target appliances in a centralized password vault; create a clear picture of who has been granted access to networks and sensitive equipment; close gaps caused by oversight using the auto-discovery module; apply a granular user connection policy and maintain a centralized overview of service providers and their access privileges; secure remote access by defining rules for automatic authentication and for revocation of access rights after a given period; log all sessions as soon as service providers access target resources; view user activity in real time; maintain detailed audits compiled from metadata feeds into dashboards and context-relevant reports; and record and play back user sessions so that every connection and access can be attributed to a specific user session.

25. Waterfall: [email protected] (https://waterfall-security.com/remote-access/remote-screen-view) Waterfall allows the industrial site to retain full control over any manipulations or changes that are recommended for the industrial network. With physical protections built into the Unidirectional Gateway hardware, no software compromise can impair the protection provided to the industrial system.
Cyberbit’s solutions span the full range of cyber intelligence and cybersecurity technologies, with a focus on Critical Infrastructure Protection for utilities and NERC-compliant organizations.

26. Broadcom (formerly CA Privileged Access Management): (https://www.broadcom.com/products/software/cybersecurity/privileged-access-management) Layer7 Privileged Access Management (formerly CA Privileged Access Management) is designed to prevent security breaches by providing granular authorization of users to systems and accounts, constantly monitoring privileged activity to assess risk, triggering automated mitigations when higher risk is detected, auditing and recording access attempts, and vaulting and rotating the privileged accounts’ credentials, including passwords and key/token-based authentication.

27. Micro Focus: (https://www.microfocus.com/en-us/solutions/identity-access-management) The Identity-Powered Access solutions enable customers to quickly and cost-effectively integrate Identity and Access Management (IAM) policies across local, mobile, and cloud environments. Micro Focus’s solutions use integrated identity information to create, modify, and retire identities and to control their access. Identity-powered security solutions integrate identity information with security monitoring, giving customers security intelligence when it is needed. The security management solutions provide visibility into and control of user activities, security events, and critical systems across an organization to help the customer quickly address evolving threats.

28. Secomea: [email protected] (https://www.secomea.com/remote-access-for-utility-installations/) The Secomea solution allows machine administrators to provide remote programming, monitoring, and data logging of their customers’ machines. Designed for users with no IT or networking knowledge, the solution comprises three essential components that provide secure communication between the machine administrator and the device, wherever it is in the world. It keeps users independent of the remote network configuration while allowing them full control. If an issue occurs, users can connect to the equipment for further diagnostics, programming, and upgrades.

29. Forescout: [email protected] (https://www.forescout.com/platform/eyecontrol/) eyeControl enforces and automates policy-based network and host controls through integrations with heterogeneous physical and virtual network infrastructure. Actions can be automated or administrator-initiated, and gradually increased to minimize disruption while reducing the manual effort to enforce network access, improve device compliance, implement network segmentation, and accelerate incident response.

30. Veracity Industrial Networks: (https://veracity.io/product/) Cerebellum makes device management simple. With Veracity’s Industrial SDN™, all devices connected to the network are identified. During the learning/identification mode, the system also characterizes the network devices to classify their functional role and device type (e.g., PLC, RTU, SCADA server). Device management gives the user the information needed to decide whether a device should be authorized. The user can also quarantine a device (e.g., an unauthorized integrator laptop).

Part III: Criteria for Secure Remote Access

Based on the survey of secure remote access technologies, regulations, and products, we identify essential functionalities required for secure remote access in critical infrastructure networks. Under each functionality, we define specific criteria to facilitate the evaluation of vendor solutions and products in order to identify the best-practice solutions or products on the market. We come up with five key functionalities below.

1. Key Functionalities for Secure Remote Access

1.1 User identification
a. Identity establishment: a framework for providing, changing, and revoking unique identities for users, such as email addresses, ID strings, or certificates, including dedicated hardware and software tokens.
b. Identity validation and authentication: a mechanism designed to ensure the genuineness of the identity, especially for privileged accounts (e.g., one-time password tokens, certificates, two-factor/multi-factor authentication).

Criteria in this functionality are built according to NERC CIP-003-6 R1 and CIP-005-5 R2 Part 2.3.

1.2 Secure communication
Criteria in this functionality focus on the encryption method used for secure communication, availability, and data diodes (unidirectional transmission).

Criteria in this functionality are built according to NERC CIP-005-5 R1 Part 1.2 and CIP-005-5 R2 Part 2.2.

1.3 Access management (access policy granularity)
a. Authorization: access can be label-based, role-based, or on-demand, and the period of access is limited. Access is restricted to only the information sets and services that the authenticated user or system is permitted to use; it can be scheduled, and it can be restricted at either the system or the user level.
b. Revocation: session termination.

Criteria in this functionality are built according to NERC CIP-003-6 R1; CIP-004-6 R1, R2, R4, R5; CIP-005-5 R1 Part 1.1, 1.3; CIP-005-5 R2 Part 2.1; and CIP-007-6 R1, R5.
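The authorization and revocation behaviour described in 1.3 (role-limited operations, a bounded access window, on-demand approval, idle and maximum-duration timeouts, and termination as the revocation mechanism) is shown below as an added Python example. It is not code from the report or from any vendor product; the roles, asset names, approver, window and timeout values are assumptions made for the illustration.

```python
"""Time-bounded, role-based authorization with revocation for a remote session.
Added example for the 1.3 criteria, not code from the report or any vendor.
Roles, asset names, windows and timeouts below are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy table: operations each role may perform on a granted asset.
ROLE_PERMISSIONS = {
    "general": {"read"},              # read-only account (criterion 11.4)
    "privileged": {"read", "write"},  # read/write account (criterion 11.5)
}


@dataclass
class Grant:
    """An approved, time-limited access request (scheduled or on-demand)."""
    user: str
    role: str
    asset: str
    window_start: datetime
    window_end: datetime
    approved_by: Optional[str] = None  # None: requested, not yet approved

    def active(self, now: datetime) -> bool:
        return self.approved_by is not None and self.window_start <= now < self.window_end


@dataclass
class Session:
    """A live session bound to one grant; ends on revocation or expiry."""
    grant: Grant
    started: datetime
    last_activity: datetime
    idle_timeout: timedelta = timedelta(minutes=15)  # criterion 11.6
    max_duration: timedelta = timedelta(hours=2)     # criterion 11.7
    revoked: bool = False
    revoke_reason: str = ""

    def expiry_reason(self, now: datetime) -> Optional[str]:
        """Why the session must end at `now`, or None if it may continue."""
        if self.revoked:
            return self.revoke_reason
        if not self.grant.active(now):
            return "access window closed or grant not approved"
        if now - self.last_activity > self.idle_timeout:
            return "idle timeout"
        if now - self.started > self.max_duration:
            return "maximum session duration reached"
        return None

    def revoke(self, reason: str) -> None:
        """Revocation is session termination (1.3 b)."""
        self.revoked = True
        self.revoke_reason = reason


def authorize(session: Session, asset: str, operation: str, now: datetime) -> bool:
    """Decide one operation. Expiry, an asset outside the grant, or an operation
    the role lacks all deny the request AND terminate the session, so a
    read-only user who attempts a write is cut off, not merely refused."""
    reason = session.expiry_reason(now)
    if reason is not None:
        session.revoke(reason)
        return False
    grant = session.grant
    if asset != grant.asset:
        session.revoke(f"asset {asset} is outside the grant for {grant.asset}")
        return False
    if operation not in ROLE_PERMISSIONS.get(grant.role, set()):
        session.revoke(f"operation {operation} not permitted for role {grant.role}")
        return False
    session.last_activity = now
    return True


def run_demo() -> dict:
    """Constructed scenarios exercising each check; returns their outcomes."""
    t0 = datetime(2020, 8, 3, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)  # noqa: E731
    out = {}
    # Read-only user: read allowed, write denied and terminates the session.
    grant = Grant("alice", "general", "rtu-07", t0, m(60), approved_by="ops-lead")
    s = Session(grant, started=t0, last_activity=t0)
    out["read_ok"] = authorize(s, "rtu-07", "read", m(5))
    out["write_ok"] = authorize(s, "rtu-07", "write", m(6))
    out["write_reason"] = s.revoke_reason
    out["read_after_revoke"] = authorize(s, "rtu-07", "read", m(7))
    # Idle for 16 minutes against a 15-minute limit.
    s = Session(grant, started=t0, last_activity=t0)
    out["idle_ok"] = authorize(s, "rtu-07", "read", m(16))
    out["idle_reason"] = s.revoke_reason
    # On-demand request nobody has approved yet.
    s = Session(Grant("bob", "privileged", "rtu-07", t0, m(60)), started=t0, last_activity=t0)
    out["unapproved_ok"] = authorize(s, "rtu-07", "write", m(1))
    # Privileged user: write allowed, other assets refused, max duration enforced.
    priv = Grant("carol", "privileged", "rtu-07", t0, m(180), approved_by="ops-lead")
    s = Session(priv, started=t0, last_activity=t0)
    out["priv_write_ok"] = authorize(s, "rtu-07", "write", m(10))
    out["other_asset_ok"] = authorize(s, "rtu-09", "read", m(11))
    s = Session(priv, started=t0, last_activity=m(120))
    out["over_duration_ok"] = authorize(s, "rtu-07", "read", m(125))
    out["over_duration_reason"] = s.revoke_reason
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22} {value}")
```

The design choice worth noting is that a failed check does not just return "deny": it revokes the session, so the next request from the same session is refused even if it would have been permitted on its own. That is what ties the authorization rules of 1.3 a to the revocation mechanism of 1.3 b and to the session-termination criterion in 1.4.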

1.4 Monitoring, logging, and alerting
This functionality focuses on monitoring, logging, and alerting for each session. Specific required features include:
a. Logging, monitoring, and alerting.
b. Real-time supervision and an intrusion prevention system.
c. For critical devices, central logging, activity monitoring, and alerting on anomalous events, up to directly interrupting the access session.
d. Real-time visibility of each access event.
Criteria in this functionality are built according to NERC CIP-007-6 R4.

1.5 Accountability with full audit
This functionality mainly covers generating and analyzing detailed session forensic reports. During the session, all information related to it must be recorded. Session reports include basic session information along with links to the session details, chat transcripts, and video recordings. The reports also include the IP address, login email address, and comments for the session. The stated reason for access is included as well, which requires users to specify why they need a session.

Criteria in this functionality are built according to NERC CIP-005-5 R1 Part 1.1.
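The monitoring rules of 1.4 (source-IP whitelisting, checking that a session's activity matches its stated purpose, and terminating the session on a violation) and the audit record of 1.5 are combined in the following added Python example, which replays a session log and produces a record with the fields a criterion-17 report would hold. This is not code from the report or any vendor product; the log line format, the purpose-to-action table, the source allowlist and the sample log lines are constructed for the illustration.

```python
"""Session monitor for criteria 12, 13 and 15 with a criterion-17 style audit
record. Added illustration, not code from the report or a vendor product.
The log format, purpose table, allowlist and sample log are constructed."""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Optional

# Assumed mapping from the stated reason for access to the actions consistent with it.
PURPOSE_ALLOWED_ACTIONS = {
    "diagnostics": {"login", "read_register", "view_screen", "logout"},
    "firmware_update": {"login", "read_register", "view_screen",
                        "file_transfer", "write_register", "logout"},
}

# Assumed source allowlist (criterion 13): only the corporate jump network.
SOURCE_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed log line format:
#   <ISO time> session=<id> user=<name> src=<ip> action=<verb> [target=<asset>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: target=(?P<target>\S+))?$"
)


def parse_line(line: str) -> Dict[str, Optional[str]]:
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def monitor_session(log_lines: List[str], stated_purpose: str,
                    authorized_by: str) -> Dict[str, object]:
    """Replay a session's events in order and stop at the first violation.

    Returns an audit record with the criterion-17 fields the log can supply:
    session id, user, remote IP, start/end time, duration, status, reason for
    access, who authorized it, and the number of events reviewed."""
    allowed = PURPOSE_ALLOWED_ACTIONS[stated_purpose]
    record: Dict[str, object] = {
        "reason_for_access": stated_purpose,
        "authorized_by": authorized_by,
        "status": "completed",
        "termination_reason": None,
        "events": 0,
    }
    for line in log_lines:
        ev = parse_line(line)
        ts = datetime.fromisoformat(ev["ts"])
        record.setdefault("session_id", ev["sid"])
        record.setdefault("user_id", ev["user"])
        record.setdefault("remote_ip", ev["src"])
        record.setdefault("start_time", ts)
        record["end_time"] = ts
        record["events"] = int(record["events"]) + 1

        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in SOURCE_ALLOWLIST):
            record["status"] = "terminated"
            record["termination_reason"] = f"source {src} not on allowlist"
            break
        if ev["action"] not in allowed:
            # Criterion 12: activity inconsistent with the stated purpose, e.g. a
            # "diagnostics" session that writes a register. Terminate (criterion 15).
            record["status"] = "terminated"
            record["termination_reason"] = (
                f"action {ev['action']} inconsistent with purpose {stated_purpose}")
            break

    if "start_time" not in record:
        record["status"] = "no events"
        record["duration_seconds"] = 0.0
        return record
    start, end = record["start_time"], record["end_time"]
    record["duration_seconds"] = (end - start).total_seconds()
    return record


# Constructed sample log: a diagnostics session that reads a register and then
# tries to write one.
SAMPLE_LOG = [
    "2020-08-03T14:00:00 session=S42 user=alice src=10.20.5.17 action=login",
    "2020-08-03T14:00:40 session=S42 user=alice src=10.20.5.17 action=read_register target=RTU-07",
    "2020-08-03T14:03:10 session=S42 user=alice src=10.20.5.17 action=write_register target=RTU-07",
    "2020-08-03T14:03:30 session=S42 user=alice src=10.20.5.17 action=logout",
]

if __name__ == "__main__":
    for key, value in monitor_session(SAMPLE_LOG, "diagnostics", "ops-lead").items():
        print(f"{key:20} {value}")
```

Run against the sample log with the purpose "diagnostics", the monitor stops at the third event (the register write) and records a terminated session of 190 seconds; the same log under the purpose "firmware_update" completes with four events. The point is that the stated reason for access is an input to enforcement, not only a field in the report.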

Table 1. The mapping between functionalities and NERC standards

  Functionality                                     Corresponding NERC Standard Requirements
  Functionality 1: User Identification              CIP-003-6 R1; CIP-005-5 R2 Part 2.3
  Functionality 2: Secure Communication             CIP-005-5 R1 Part 1.2; CIP-005-5 R2 Part 2.2
  Functionality 3: Access Management                CIP-003-6 R1; CIP-004-6 R1, R2, R4, R5; CIP-005-5 R1 Part 1.1, 1.3; CIP-005-5 R2 Part 2.1; CIP-007-6 R1, R5
  Functionality 4: Monitoring, Logging, Alerting    CIP-007-6 R4
  Functionality 5: Accountability with Full Audit   CIP-007-6 R4

Source: NERC, Remote Access Study Report, June 2017, https://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Final%20PUBLIC%20Remote%20Access%20Study%20Report%206-30-2017.pdf

The mapping between the above functionalities and NERC CIP standard requirements is summarized in Table 1. Each requirement, e.g., CIP-003-6, indicates standard functions that vendors or secure remote access facilities should provide.

2. Evaluation Criteria To facilitate evaluation, we specify the criteria for each functionality in Table 2. For each criterion, we also assign a weight to indicate its importance from a security point of view. Customers can tune these weights according to their own needs in their specific application scenarios. Other than security considerations, we notice that compatibility is an important factor that a customer would consider when making a purchase decision as it is highly associated with deployment cost, maintenance, and usability. Therefore, we also include compatibility criteria in the list. Since it is not a security consideration, we do not assign any weights to the compatibility criteria.

Table 2. Criteria List

  Weight %   No.    Type     Criterion

  Compatibility (no weight)
  -          1.1    Binary   Support Windows
  -          1.2    Binary   Support Mac
  -          1.3    Binary   Support Linux
  -          1.4    Binary   Support mobile devices (iOS or Android)

  Functionality 1: User Identification
  7          2      Binary   Two/multi-factor authentication
  3          3.1    Binary   Users must obtain credentials from the endpoint credential manager
  3          3.2    Binary   Users store credentials in the password vault for all sessions
  2          4.1    Binary   The passwords the same user uses to log in to different accounts must not be similar
  2          4.2    Binary   Passwords must be changed periodically
  2          4.3    Binary   A password must be at least 10 characters long, contain numbers and letters, and be case sensitive
  6          5      Binary   Password vaulting

  Functionality 2: Secure Communication
  8          6      Score    Encryption method security strength
  6          7      Binary   File transfer control for different types of users (a data diode is used; users with read-only permission may read but may not transfer files through remote access)
  6          8      Binary   RDP/VNC/SSH

  Functionality 3: Access Management (access policy granularity)
  2          9      Binary   General Account Management (general accounts have no access to specific resources, and their permissions are more restricted than those of privileged accounts)
  2          10     Binary   Privileged Account Management (users with different permissions need different access rights; for example, privileged accounts may read and write data on machines/electronic devices in control networks)
  2          11.1   Binary   Access invite (create links for users to invite other users; the operation permissions of invited users are managed)
  2          11.2   Binary   Shell jump (connect to SSH, RDP, or other network devices through a jump point)
  2          11.3   Binary   Jump client and jump point (access any operating system such as Windows, Mac, or any unattended system on a network; connect through proxy servers by credentials)
  2          11.4   Binary   Operation permission: read-only for the normal account user
  2          11.5   Binary   Operation permission: read and write for the privileged account user
  2          11.6   Binary   Session timeout enforcement: timeout after a pre-defined period of inactivity
  2          11.7   Binary   Session enforcement: limited period of access
  2          11.8   Binary   Session enforcement: on-demand

  Functionality 4: Monitoring, Logging and Alerting
  4          12     Binary   Monitoring the consistency between the stated remote access purpose and the actual activities
  4          13     Binary   Whitelists/blacklists (source IP level)
  4          14     Binary   Real-time supervision of sessions
  4          15     Binary   Real-time intrusion prevention and session termination
  4          16     Binary   Real-time visibility of each session

  Functionality 5: Accountability with Full Audit
  7.5        17     Score    Detailed session records and reports about all activities
  7.5        18     Binary   Access control policy configuration recording

3. Criteria Design and Scoring Rules We now explain the rationale behind the criteria design and the scoring rules.

3.1 Criteria design
Criterion 1: This criterion includes four sub-criteria corresponding to the different operating systems a product may support. It evaluates whether the vendor provides dedicated support for multiple operating systems such as Windows and Linux.
Criterion 2: Two-factor/multi-factor authentication is a widely used authentication method that offers high security.
Criterion 3: This criterion evaluates credential management capability. Vendors are expected to show how they manage credentials and whether their users need credentials from the endpoint manager in order to make remote access.
Criterion 4: This criterion evaluates password strength and management. Passwords need to be changed periodically, and the strength of a password relies on its length and complexity.

Criterion 5: This criterion evaluates password vaulting, a very useful method for managing all passwords on a local host. In the password vault, a master password unlocks the other passwords or credentials, so users can set a longer and more complex master password to protect the credentials stored on the host.
Criterion 6: This criterion evaluates the encryption strength of the secure communication. The scoring rules for this criterion are given in Section 3.3.
Criteria 7, 8: These two criteria evaluate the security strength of the secure communication. We recommend that vendors use the RDP, VNC, or SSH protocol to create their session environment. Vendors are also expected to show their ability to control file transfer by granting different permissions to different types of users.
Criterion 9: This criterion checks whether the General Account Management function is provided.
Criterion 10: This criterion checks whether the Privileged Account Management function is provided.
Criterion 11: This criterion evaluates the granularity of remote access control. We divide it into eight sub-criteria to check whether vendors offer the necessary remote access control features.
Criteria 12-16: These criteria evaluate the monitoring, logging, and alerting functionality.
Criteria 17, 18: These two criteria evaluate whether detailed session recording and reporting about all activities are provided, including login name, time, period, alert collection, IP address, etc.

3.2 Weight assignment We give 25, 20, 20, 20, and 15 to functionalities 1 - 5, respectively. These weights are assigned based on our assessment on the relative importance levels among all the functionalities. Customers can tune these weights according to their specific application scenarios and needs. The total weights sum up to 100. We explain how we assign weights to the criteria in each functionality below.

In Functionality 1, strong authentication is one of the most important functions for securing remote access. We highly recommend the use of multi-factor authentication, so we give it a higher weight (seven, as in Table 2) than the other three criteria, i.e., credential management (Criteria 3.1 and 3.2), password management (Criteria 4.1-4.3), and password vaulting (Criterion 5).

In Functionality 2, the encryption method directly determines the security strength of the communication, so we assign it weight eight. We assign weight six to both file transfer control (Criterion 7) and RDP/VNC/SSH support (Criterion 8) because we consider these two functions equally important in remote access.

In Functionality 3, we assign equal weight to all the criteria. Customers could assign higher weights to General Accounts Management or Privileged Accounts Management if they care more about account management than the granular remote access control (Criteria 11.1-11.8).

In Functionality 4, we assign weight four to all five criteria. These five criteria evaluate basic functions for monitoring remote access sessions, and they are equally important.

In Functionality 5, we assign weight 7.5 to both detailed session records and configuration records. They are equally important.

3.3 Criteria scoring rules
Criterion 6:
Session key encryption: AES128 or stronger
Credential encryption: RSA128 or RSA256
Session encryption: RDP/VNC/SSH or HTTPS, TLS 1.2/SSL

  Item                                                                            Score (total 10)
  Session key encryption: stronger than AES128                                    2
  Session key encryption: support for switching between encryption algorithms
    with different security levels                                                1
  Credential encryption: stronger than RSA256                                     2
  Credential encryption: support for switching between encryption algorithms
    with different security levels                                                1
  Session encryption: uses RDP/VNC/SSH or HTTPS                                   2
  Session encryption: uses TLS 1.2/SSL or stronger                                1
  Session encryption: support for switching between encryption algorithms
    with different security levels                                                1

Note that RSA moduli of 128 or 256 bits are trivially factorable and provide no real protection; current guidance (e.g., NIST SP 800-57) treats 2048-bit RSA as the minimum acceptable size. A product that satisfies only the "RSA128 or RSA256" line of this rubric should therefore not be regarded as providing strong credential encryption, and evaluators should record the actual key size used. Likewise, the SSL protocol versions and TLS 1.0/1.1 are deprecated, so "TLS 1.2 or stronger" is the line to score, not SSL.

Criterion 17 (0.5 point per recorded item; total 10):

  Session information
    Owner                                  0.5
    Date created and date completed        0.5
    Session duration                       0.5
  Session user information
    User ID                                0.5
    Name                                   0.5
    Start time and end time                0.5
    User access duration                   0.5
    Remote IP address                      0.5
    Local host name                        0.5
    Status                                 0.5
    Additional authentication              0.5
    Reason for access                      0.5
  Vendor connection information
    Person who authorized access           0.5
    Name                                   0.5
    Start time and end time                0.5
    Duration                               0.5
  Session services information
    Bytes sent and bytes received          0.5
    Audit logs                             0.5
    Credential type                        0.5
    Credential user ID                     0.5
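The evaluation method of Sections 2, 3.2 and 3.3 (weights per criterion summing to 100, binary criteria earning their full weight or nothing, Score criteria earning a proportion of it, and the point table for Criterion 6) is carried out in the following added Python example so that a reader can re-weight the criteria for their own scenario, as Section 2 invites. It is not tooling from the report. The weights are those of Table 2; the rule that a Score-type criterion contributes weight x (points / 10), the inputs to the Criterion 6 scorer, and the sample vendor profile are assumptions made for the example.

```python
"""Weighted scoring of a vendor against the Table 2 criteria.
Added example, not the report's own tooling. The weights are those of
Table 2; the proportional rule for Score criteria, the Criterion 6 scorer's
inputs and the sample vendor profile are assumed."""
from typing import Dict, Tuple, Union

# (weight, type) per criterion, as in Table 2. Compatibility criteria 1.x carry no weight.
CRITERIA: Dict[str, Tuple[float, str]] = {
    "2": (7, "binary"), "3.1": (3, "binary"), "3.2": (3, "binary"),
    "4.1": (2, "binary"), "4.2": (2, "binary"), "4.3": (2, "binary"), "5": (6, "binary"),
    "6": (8, "score"), "7": (6, "binary"), "8": (6, "binary"),
    "9": (2, "binary"), "10": (2, "binary"),
    "11.1": (2, "binary"), "11.2": (2, "binary"), "11.3": (2, "binary"), "11.4": (2, "binary"),
    "11.5": (2, "binary"), "11.6": (2, "binary"), "11.7": (2, "binary"), "11.8": (2, "binary"),
    "12": (4, "binary"), "13": (4, "binary"), "14": (4, "binary"), "15": (4, "binary"), "16": (4, "binary"),
    "17": (7.5, "score"), "18": (7.5, "binary"),
}

# Criterion -> functionality number, for the per-functionality subtotals of Section 3.2.
FUNCTIONALITY: Dict[str, int] = {
    **{c: 1 for c in ("2", "3.1", "3.2", "4.1", "4.2", "4.3", "5")},
    **{c: 2 for c in ("6", "7", "8")},
    **{c: 3 for c in ("9", "10", "11.1", "11.2", "11.3", "11.4", "11.5", "11.6", "11.7", "11.8")},
    **{c: 4 for c in ("12", "13", "14", "15", "16")},
    **{c: 5 for c in ("17", "18")},
}


def total_weight() -> float:
    """Sum of all weights; Section 3.2 says this must be 100."""
    return sum(w for w, _ in CRITERIA.values())


def score_criterion_6(session_key_bits: int, switchable_session_key: bool,
                      credential_rsa_bits: int, switchable_credential: bool,
                      session_protocol: str, tls_version: float,
                      switchable_session: bool) -> int:
    """Apply the Section 3.3 point table for Criterion 6 (maximum 10)."""
    pts = 0
    pts += 2 if session_key_bits > 128 else 0      # stronger than AES128
    pts += 1 if switchable_session_key else 0
    pts += 2 if credential_rsa_bits > 256 else 0   # stronger than RSA256 (see the 3.3 caveat)
    pts += 1 if switchable_credential else 0
    pts += 2 if session_protocol.upper() in {"RDP", "VNC", "SSH", "HTTPS"} else 0
    pts += 1 if tls_version >= 1.2 else 0
    pts += 1 if switchable_session else 0
    return pts


def weighted_score(results: Dict[str, Union[bool, float]]) -> Tuple[float, Dict[int, float]]:
    """`results` maps criterion id -> True/False (binary) or 0..10 points (score).
    Criteria absent from `results` count as not provided.
    Returns (total out of 100, subtotal per functionality 1..5)."""
    total = 0.0
    by_func = {f: 0.0 for f in range(1, 6)}
    for cid, (weight, kind) in CRITERIA.items():
        r = results.get(cid, False)
        if kind == "binary":
            earned = weight if bool(r) else 0.0
        else:
            pts = float(r)
            if not 0 <= pts <= 10:
                raise ValueError(f"criterion {cid}: score {pts} outside 0..10")
            earned = weight * pts / 10  # assumed proportional rule for Score criteria
        total += earned
        by_func[FUNCTIONALITY[cid]] += earned
    return round(total, 2), {f: round(v, 2) for f, v in by_func.items()}


# Constructed vendor profile: MFA and vaulting, AES-256 session keys and
# RSA-2048 credentials over SSH with TLS 1.2, full real-time monitoring, but
# no access invites, no on-demand access, no purpose-vs-activity check, and
# only half of the Criterion 17 audit fields.
SAMPLE_RESULTS: Dict[str, Union[bool, float]] = {
    "2": True, "3.1": True, "3.2": True, "4.1": False, "4.2": True, "4.3": True, "5": True,
    "6": score_criterion_6(256, False, 2048, False, "SSH", 1.2, False),
    "7": True, "8": True,
    "9": True, "10": True, "11.1": False, "11.2": True, "11.3": True, "11.4": True,
    "11.5": True, "11.6": True, "11.7": True, "11.8": False,
    "12": False, "13": True, "14": True, "15": True, "16": True,
    "17": 5, "18": True,
}

if __name__ == "__main__":
    total, by_func = weighted_score(SAMPLE_RESULTS)
    print(f"weights sum to {total_weight()}; vendor total {total}; by functionality {by_func}")
```

For the constructed profile the Criterion 6 scorer yields 7 of 10 points and the weighted total is 83.85, with subtotals 23.0, 17.6, 16.0, 16.0 and 11.25 for functionalities 1 to 5. A customer who, as Section 3.2 suggests, cares more about account management than about granular control can change the entries of CRITERIA and re-run; `total_weight()` is the check that the edited weights still sum to 100.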

Part IV: Vendor Comparison and Best Practice Recommendation

1. Comparative Matrix We contacted the 30 vendors listed in Part II and asked whether they were interested in participating in an evaluation of their secure remote access solutions or products according to the criteria built in Part III. Finally, 14 vendors (listed in Table 3) confirmed their participation. These vendors provided us with information about their products in the form of product introduction documents and website links, and several vendors also showed us demos of their products. According to the criteria, we evaluated the products of these 14 vendors. After the initial evaluations, we provided the vendors with the evaluation results for their products and asked for comments and feedback. Six vendors provided feedback and helped us fine-tune the criteria. We then finalized the evaluations with minor adjustments to the criteria. The evaluations are based on our best understanding of the products’ functions and features. The comparative matrix is presented below.

Table 3. Comparative Matrix

2. Evaluation Results Discussion Functionality I: User identification From the evaluation, we found that almost all vendors use two-factor or multi-factor authentication and require a login name and password. Typically, a one-time password delivered by email, SMS, or phone call is required in addition to the password.

Functionality II: Secure communication 79% of the vendors use well-established secure communication protocols, including RDP, VNC, and TLS 1.2. These protocols are standard and have been widely adopted for secure communication in networked systems. 71% of the vendors support password vaulting on users’ local hosts.

Functionality III: Access management (access policy granularity) All vendors provide General Account Management and Privileged Account Management; these demonstrate the vendors’ ability to control access according to users’ security levels. For all users, all vendors support access invites, adjustable operation permissions, and session timeout enforcement. 71% of the vendors support jump technology (jump points and jump clients) to broker SSH, VNC, or RDP connections for users.

Functionality IV: Monitoring, Logging, and Alerting All the vendors support real-time controls, including real-time supervision, real-time visibility, and real-time intrusion detection with termination of the current session. These capabilities let vendors monitor sessions in real time so that unapproved activities can be stopped quickly.

Functionality V: Accountability with full audit All the vendors provide detailed session records as well as recording of the access control policy configuration. Most vendors can raise risk alerts and provide detailed audit information and records, including time, name, IP address, protocol used, users authorized for access, etc. Honeywell ICS, Centrify, and BeyondTrust also provide alarm descriptions and records.

3. Best Practice Recommendation Based on our evaluations, for each functionality, we make recommendations on the key functions, protocols, or mechanisms that need to be provided or implemented by vendors to secure the remote access process.

User Identification: Two/Multiple-factor authentication and password vaulting (ensure strong password) are highly recommended.

Vendors who provide two/multi-factor authentication: all 14 vendors. Vendors who provide password vaulting: Claroty, BeyondTrust, NextNine, Honeywell ICS, Secomea, Securelink, Broadcom, ABB, Centrify.

Secure Communication: The following secure communication protocols or mechanisms are recommended: RDP: Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user (on a computer called the client or local computer) to connect to a computer (called the server or remote computer) that provides Microsoft Terminal Services. VNC: Virtual Network Computing (VNC) basically consists of two parts: the client-side login interface (vncviewer) and the server-side application (vncserver). In some commercial implementations, all communication between a client and the host computer is encrypted by default using 128-bit AES, and authentication credentials are protected by 2048-bit RSA public keys. These figures are specific to such products: the base RFB protocol used by many VNC servers carries no encryption, and its built-in challenge-response authentication is weak, so VNC sessions should be tunneled over SSH or TLS unless the product itself encrypts them. SSH: Secure Shell (SSH) is a reliable protocol designed to provide security for remote login sessions and other network services, and it can be used to prevent information leakage during remote administration. On the client side, SSH supports two authentication methods: password-based authentication and key-based authentication; key-based authentication is the stronger of the two and should be preferred. Data diode (unidirectional transmission): We recommend that vendors reduce direct interaction between remote users and network assets when the user’s security level is insufficient; a data diode addresses this well. Vendors who provided all these functions: Claroty, Securelink, Honeywell ICS, CyberX, McAfee, BeyondTrust, Centrify, Waterfall.

Access Management: We recommend that vendors provide different levels of adjustable resources for users with different security levels. Privileged Account Management and General Account Management are highly recommended in access management. Vendors who provide all these functions: Claroty, NextNine, ABB, Securelink, Honeywell ICS, Bayshore, BeyondTrust, Centrify, Waterfall.

Logging, monitoring, and alerting: We recommend that vendors provide real-time supervision, intrusion prevention, and real-time visibility of each access event. Vendors should also provide an alerting system that identifies unauthorized behavior and stops the session instantly. Vendors who provide all these functions: all 14 vendors.

Accountability with full audit: We recommend that vendors build a database for storing session and access information such as user ID, username, duration, IP address, local host name, status, reason for access, credential type, and protocol used. Vendors who provide all these functions: Securelink, Honeywell ICS, ABB, BeyondTrust, Centrify. Vendors who provide the necessary functions: all 14 vendors.


References

[1] SCADAhacker. Available: https://scadahacker.com/
[2] Electricity Information Sharing and Analysis Center (E-ISAC) and SANS ICS, "Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case," 2016.
[3] "Hackers Gain Direct Access to US Power Grid Controls," Wired. Available: https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
[4] "Dragonfly: Western energy sector targeted by sophisticated attack group," Symantec. Available: https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
[5] G. Bade, "Russian Hackers Infiltrated Utility Control Rooms, DHS Says," Utility Dive, July 24, 2018. Available: https://www.utilitydive.com/news/russian-hackers-infiltrated-utility-control-rooms-dhs-says/528487
[6] "Researchers wrest control of one of world’s most secure industrial controllers," Tech Xplore. Available: https://techxplore.com/news/2019-08-wrest-world-plcs.html
[7] J. Stidham, "Can Hackers Turn Your Lights Off? The Vulnerability of the US Power Grid to Electronic Attack," SANS Institute Reading Room, 2001. Available: https://www.sans.org/reading-room/whitepapers/hackers/hackers-turn-lights-off-vulnerability-power-grid-electronic-attack-606
[8] "Addressing the Challenges and Protecting the Grid from a Cyberattack," Advanced Energy Economy Institute, January 18, 2018. Available: https://info.aee.net/hubfs/Cybersecurity_FINAL_WP_AEEInstitute_1.18.18.pdf
[9] "Configuring and Managing Remote Access for Industrial Control Systems," Centre for the Protection of National Infrastructure, November 2010. Available: https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf
[10] K. Stouffer, V. Pillitteri, M. Abrams, and A. Hahn, "Guide to Industrial Control Systems (ICS) Security," NIST Special Publication 800-82 Rev. 2, May 2015. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
[11] "Guidance for Secure Interactive Remote Access," North American Electric Reliability Corporation (NERC), July 2011.
[12] "Application Guide for IEEE Std 1547, IEEE Standard for Interconnecting Distributed Resources with Electric Power Systems," IEEE Standards Association, September 2017.
[13] "CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations," Dragos. Available: https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf
[14] Joint Task Force Transformation Initiative, "Security and Privacy Controls for Federal Information Systems and Organizations," NIST Special Publication 800-53 Rev. 4, 2013.
[15] A. Cser, "The Forrester Wave: Privileged Identity Management, Q4 2018," Forrester Research, Inc., November 2018.
[16] BeyondTrust, "Privileged Access Threat Report 2019," 2019. Available: https://www.beyondtrust.com/resources/whitepapers/privileged-access-threat-report
[17] "Computer access control," Wikipedia. Available: https://en.wikipedia.org/wiki/Computer_access_control
[18] J. Andress, The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, 2nd ed., Syngress, 2014.
[19] "Cybersecurity: Access Control," The EvoLLLution. Available: https://evolllution.com/opinions/cybersecurity-access-control/
[20] BeyondTrust, "Buyer’s Guide for Complete Privileged Access Management (PAM)." Available: https://www.beyondtrust.com/resources/whitepapers/pam-buyers-guide
[21] D. E. Sanger, "Russian Hackers Appear to Shift Focus to U.S. Power Grid," The New York Times, July 28, 2018. Available: https://www.nytimes.com/2018/07/27/us/politics/russian-hackers-electric-grid-elections-.html
[22] S. Lang, "US Electric Utility Hack: Reducing Attack Surfaces Through Privileged Access Management and ICS-CERT Guidance," BeyondTrust, July 2018. Available: https://www.beyondtrust.com/blog/entry/us-electric-utility-hack-reducing-attack-surfaces-privileged-access-management-ics-cert-guidance
[23] M. J. Haber, "How to Secure Assets, and the Associated User Privileges, to Dismantle Cyberattacks," BeyondTrust, January 2019. Available: https://www.beyondtrust.com/blog/entry/how-to-secure-assets-and-the-associated-user-privileges-to-dismantle-cyberattacks
[24] V. Y. Pillitteri and T. L. Brewer, "Guidelines for Smart Grid Cybersecurity," National Institute of Standards and Technology (NIST), September 2014.
[25] K. Stouffer, J. Falco, and K. Scarfone, "Guide to Industrial Control Systems (ICS) Security," NIST Special Publication 800-82, 2011.
[26] "Lesson Learned: CIP Version 5 Transition Program," North American Electric Reliability Corporation (NERC), December 2015. Available: https://www.nerc.com/pa/CI/tpv5impmntnstdy/BES%20Cyber%20Asset%20Lesson%20Learned%20(Final).pdf
[27] "Remote Access Study Report," North American Electric Reliability Corporation (NERC), June 2017. Available: https://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Final%20PUBLIC%20Remote%20Access%20Study%20Report%206-30-2017.pdf
[28] "Best Privileged Access Management (PAM) Software," G2. Available: https://www.g2.com/categories/privileged-access-management-pam
