2015 1st International Conference on Next Generation Computing Technologies (NGCT-2015) Dehradun, India, 4-5 September 2015

Cyber Security Password Policy for Industrial Control Networks

Sajal Sarkar*, Sudip Sarkar†, Kajal Sarkar‡ and Soumalya Ghosh§

* Power Grid Corporation of India Limited, Haryana, Gurgaon, India-122001, sajals[at]ece.iitkgp.ernet.in
† Jalpaiguri Govt. Engineering College, Jalpaiguri, West Bengal, India-735102, sudip.sarkar91[at]gmail.com
‡ Rubber Technology Centre, IIT Kharagpur, Medinipur, West Bengal, India-721302, kajalsarkar1979[at]gmail.com
§ University of Petroleum and Energy Studies, Dehradun, Uttarakhand, India-248007, soumalyaghosh[at]gmail.com

Abstract—The enormous growth of Information Technology and its applications in diverse fields lets us think of a digital world in which cyberspace is emerging significantly. After land, sea, air and space, cyberspace is the fifth domain, where cybercrime, espionage and cyber weapons are on the rise day by day. As a result, cyber security is a multi-dimensional concept and a complex issue straddling many disciplines and fields. The development of Information Technology makes it possible to automate the industrial control system (ICS) for efficient and remote operation. The automation in turn makes the industrial control system vulnerable to cyber security threats. Keeping in mind that cyber security is a multi-dimensional complex issue, in this paper we propose a password policy for industrial control networks (ICNs) to achieve the highest level of security. Our proposed password policy provides a set of guidelines for all involved individuals and associated systems in ICNs and ICSs ((IC)²NS) with the aim of ensuring security aspects such as authentication, authorization, confidentiality, integrity, availability, non-repudiation and cyber security best practices in (IC)²NS. The password policy covers password creation criteria, the minimum required password length and the character sets for password composition. We also discuss the purpose, scope, exception, review and enforcement of the password policy in (IC)²NS.

Keywords: Password, Cyber Security, Industrial Control System, Automated System.

I. INTRODUCTION

Recently, industrial control system (ICS) automation has received huge research attention, with the aim of making the system robust and scalable enough to carry out its daily operations remotely and safely. All of this automation is taking place using different types of intelligent electronic devices (IEDs), industrial control devices, network devices, cyber security devices, etc., along with legacy devices, under the umbrella of integrated IP networks, controllers and SCADA systems. This integrated IP network for ICS is formally known as an industrial control network [1]. Though IP networking and cutting-edge technology can make the system automatic easily, the main challenge is the security threats which may breach automated ICNs under any circumstance. Thus, one of the major problems in the field of industrial control system automation is to design appropriate security policies so as to optimize the security measures by providing security guidelines and best practices. Traditional IP network security policies cannot be used directly in ICNs, as the security requirements of ICNs apply in the reverse order to those of traditional IP networks. An ICN plays an important role in the automation of critical sectors such as power, energy, transport and banking, carrying sensitive information from one part of the country to another. As a result, if something goes wrong with (IC)²NS, there may be a huge immediate social impact which cannot be remedied at any cost. Therefore, all security policies for (IC)²NS should be designed in such a way that they provide all possible guidelines and requirements for the highest level of security in the system. The password policy is an important one which can give us security guidelines and best practices to provide the first line of security defense in the automated (IC)²NS used in various critical sectors.

A password is a sequence of characters required to access a computer system or service, whereas a passphrase is a long password, typically constructed from a sequence of words (a song, poem or phrase) employing characters, spaces and symbols. Passwords and passphrases are generally created as per the guidelines in the organizational password policy. Thus, the password policy plays a major role in password construction, the lifetime of individual passwords and other contextual factors, such as the number of passwords users are expected to remember and the frequency with which they have to use them. We therefore investigated and found that a stringent password policy can meet important security objectives to a large extent throughout the organization.

A number of works have been carried out on passwords and password policy to fulfill the security objectives. The authors of [2] have designed a graphical password scheme based on an old Chinese game. In this scheme, a user selects intersections on a grid as a way to input a password using the Pass-Go technique. The scheme provides acceptable usability, which is demonstrated empirically by the largest user study on graphical passwords. In addition, most application environments and input devices, rather than only small mobile devices, are supported by this scheme. In [3], the authors have defined an enterprise mobile device passcode policy which can surprisingly increase system security. Here, the proposed passcode policy attempts to reconcile two opposing goals: firstly, protecting the device if it has been lost or stolen, and secondly, not annoying the user with passcode length and complexity. The goals are hard to reconcile because mobile devices like smartphones and tablets are personal, portable and convenient.

978-1-4673-6809-4/15/$31.00 ©2015 IEEE


It has been argued in [4] that there is no silver bullet to meet all requirements for password-based security, but in many instances there is a solution which best fits the scenario of use. Among the broad authentication research directions to follow, the authors first suggest better means to concretely identify actual requirements and weigh their relative importance in the target scenarios. Secondly, for scenarios where passwords indeed appear to be the best-fit solution, they suggest designing better means to support passwords themselves. Finally, they highlight the need for more systematic research. In the HCI research community, it has been pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. In line with this, [5] presents a study which re-examined password policy and password practice in the workplace. Here, the authors found that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities. As a result, the password policy can place demands on users which impact negatively on their productivity and, ultimately, that of the organization. Therefore, it is important not only to focus the password policy on maximizing password strength and enforcing change frequency, but also to design the policy using HCI principles to help users set an appropriately strong password. It is pointed out in [6] that passwords are a ubiquitous and critical component of security systems, as guarding information and access by passwords is essential. As a result, security becomes ever more dependent upon the password policy. Hence, the creation and management of passwords [7], [8] and their policy is essential in the organization. The authors of [9] have argued that it is time for a radical change of password policy. This is because, in the practice of security, a number of rules of thumb have accumulated, and many people accept a password policy without careful consideration of it. It is also the case that as technology improves, the underlying assumptions of conventional wisdom change over time. The result is a stale policy that may no longer be effective, or may possibly even be dangerous. Password strength requirements therefore appear to be based on nothing more than the current default settings of a particular operating system. Hence, most password best practices are based largely on folklore or on severely outdated theories. An examination is carried out in [10] of the password policies of some 75 different web sites. The goal of the examination is to understand the enormous diversity of requirements, such as the acceptance of simple six-character passwords by some sites, while others impose rules of high complexity on their users. Thus, a comparison is presented of different features of the sites to find which characteristics are correlated with a stronger policy. The results show that, surprisingly, greater security demands do not appear to be a factor: the size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. A large-scale study of the success of password expiration in meeting its intended purpose is presented in [12]. Here, the purpose is to revoke the access of an attacker who has learnt the password to an account. Using a dataset of over 7700 accounts, the authors have assessed the extent to which the passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. A framework is also developed for searching for a user's new password from an old one, along with an efficient algorithm to build an approximately optimal search strategy. The authors finally use the strategy to measure the difficulty of breaking newly chosen passwords from old ones. In [13], the authors note that text-based passwords remain the dominant authentication method for computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition guidelines have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password composition guidelines. The authors of [15], [16] have analyzed and explained the textual password defense mechanism in information systems security. In [15], the authors found that some 86 passwords were weak in terms of being too short, containing lowercase letters only, digits only or a combination of the two, and being easily found in dictionaries. Thus, they identified the problems that may arise in creating and using textual passwords. On the other hand, in [16], an intensive study is carried out to understand the underlying distributions of textual passwords. Here, the authors have shown that Zipf's law exists in user-generated passwords and identified the corresponding exact distribution functions. Based on the distribution functions, they finally investigate the fundamental implications for passwords, password-based cryptography and password policies.
Although the above mentioned schemes can significantly provide password creation guidelines and best practices for organizational security measures in enterprise networks consisting of traditional network devices, most of the existing schemes cannot be used directly in automated industrial control networks. This is because an automated ICN consists not only of traditional network devices but also of different industrial devices such as IEDs, controllers and SCADA systems. Further, to the best of our knowledge, few or no password policies have been suggested for the automation of such critical sectors, as there are convergence challenges between ICNs and traditional IP networks. Therefore, we have investigated and found that a password policy for (IC)²NS automation is an important stepping stone for cyber security consideration. Hence, a proper password policy is necessary to ensure the highest security level in the automated system used for (IC)²NS. Thus, in this paper, we propose a password policy for cyber security consideration in industrial control system automation. In our proposed work, we give a complete discussion of the policy, its scope and purpose, password creation guidelines and the minimum required criteria to create a password. This also covers the password requirements needed for a stringent security level in an automated enterprise network. Finally, we discuss policy enforcement, review, exception and possible disciplinary actions.

The paper is organized as follows. In Section II, the scope and purpose of the password policy are described. The password creation guidelines are discussed in Section III, while the minimum required criteria to create a password are explained in Section IV. Section VI explains policy enforcement, exception and review. Finally, the paper is concluded in Section VII.

II. SCOPE AND PURPOSE

A. Purpose

The password policy's purpose is to ensure stringent security guidelines and measures for ICS automation and its information flow among the installed devices throughout the integrated ICNs. The policy provides best-practice guidelines for all employees in the organization. It also protects sensitive information of the employees and the organization. In addition, the password policy defines the organizational attitude to accessibility and best practices, and announces which internal and external information is to be protected from unauthorized access, modification, disclosure and destruction. On the other hand, the policy's implementation and enforcement safeguards the employees' and the organization's confidential information. Moreover, it establishes a standard to create strong passwords, protect passwords, change passwords and provide protection to the organizational databases as well.

B. Scope

The scope of the password policy covers all stakeholders involved with (IC)²NS in the organization, regardless of their capacity, roles or functions. Stakeholders would typically include anyone who is a user of the information or systems in (IC)²NS. All individuals involved with the organization shall be included under the scope of the policy. Such individuals include employees, third-party contractors, guests, consultants and temporary or part-time roles. The policy is applicable to all operational and information technology systems and processes that create, modify or use information that is important, confidential and significant for the organization.

III. GENERAL GUIDELINES OF THE POLICY

General guidelines are always important to provide a high-level borderline for building a system. In this work, the general password guidelines provide holistic guidance for password policy maintenance, password creation and minimum password creation criteria. The password policy shall have a version number with a date, and it shall maintain a history of the authors, reviewers and approving authority of the policy. All passwords associated with (IC)²NS shall conform to the following guidelines:
i) Passwords shall be created as per the password creation guidelines.
ii) Passwords of users and systems must be changed at regular intervals.
iii) All production system passwords may be part of the SANS Institute's global password management system [11].
iv) The administrator or root account, which has the highest access privileges, must have a password that is unique from all other accounts.
v) For the simple network management protocol (SNMP), the system administrator shall modify the default access community strings, which must be different from the passwords used to log in interactively.

IV. PASSWORD CONSTRUCTION GUIDELINES

A password construction guideline is an important and essential part of a password policy, as a password is a critical component of cyber security in (IC)²NS. Passwords generally protect user accounts and systems; however, a poorly constructed password may result in the compromise of individual systems, data, or even the system setup. Thus, here we provide thorough guidelines for constructing strong and secure passwords for users as well as systems in (IC)²NS.

All users should be conscious of how to select strong passwords. To be strong, a password must contain at least four of the following five classes of characters:
• Upper case letters: A through Z
• Lower case letters: a through z
• Numerals: 0 through 9
• Punctuation symbols (, . ; :)
• Special characters (@, #, $, %, &, *)
The following practices should be avoided when creating a password:
• A password length of fewer than nine characters; a dictionary word should not be used as a password.
• A family name, nickname, friend's name, qwerty, ananana, 2312321, etc. must not be used as a password.
The strength of a password partly depends on its resistance to repeated guessing attacks. Thus, the system and its software should automatically lock the account after a defined number of unsuccessful attempts using an incorrect password. The systems should keep a specially hashed version of the password for checking the strength of the password and its validity. Stricter requirements should also be imposed on accounts with higher access privileges, such as the system administrator. Password protection standards are described in [7], [8]. The password protection of (IC)²NS can be enforced by the following practices:
1) A user should never write down passwords, though this is practically very challenging. Therefore, to remember the password easily, a user may choose a weak password, while a weak password may get easily cracked. Thus, a password may be kept in a secure form such as a safe or an encrypted master file, but not in online devices or systems.
2) Special care should be taken of a password, as it is sensitive and confidential information of the user as well as of the organization.
3) A password should not be revealed on questionnaires or security forums, nor shared through chat, over the phone, in email or in other electronic media.
4) A password should not be spoken out in front of anyone.
5) The use of the system-generated "remember password" feature of different applications should always be avoided.
6) An incident of password compromise should be immediately reported to the Information Security Department of the organization.
7) Organizational and non-organizational accounts should use different passwords for the various kinds of access.
8) A user should follow the procedure of the Information Security Department and the password policy to get a new password.


Password management: A password policy shall provide password management guidelines. As per the existing works mentioned in [7], [8], [11], [14], password management can be carried out as follows:
• A user should ensure that they log off before leaving a computer unattended, and a password should be changed immediately whenever there is suspicion of compromise.
• The operating system and the applications running in the system should have different passwords, and online password generation tools should be avoided for generating passwords.
• An account should not be shared with anyone under any circumstances.
• System administrators should ensure password implementation standards with a combination of technological controls and local practice in the organization. The password policy and its standard must have a consistent principle for the systems and users associated with the organization. The policy should also provide detailed guidelines and restrictions for systems and users as follows:
• Minimum standard for password and passphrase: A user of a system must have a unique identifier and password. A user should have the provision to change his/her account password.
• Additional requirements for password and passphrase: The above mentioned requirements may not be ideal for a few special cases. Thus, to meet these special cases, the policy should provide the following guidelines:
◦ Account for elevated privileges system: An account may have rights to maintain a system or applications such as the operating system, an application or a database as an administrator. Therefore, an administrator should not use his/her own account as an elevated privilege system account. The administrator should be assigned a separate elevated privilege system account to maintain the above mentioned applications.
◦ Identity based elevated privileges: Elevated privileges may also apply to an identity based account that has been assigned a role. This identity based account may be used to access sensitive data such as system health information or employees' daily activities.
◦ Account for local workstation administrator: Every system must have an account with a password for the local system administrator, and that account's authentication should not rely on a central authentication service. The local administrator password should be unique for every system and should be used for system administration purposes such as implementation, integration, operation and control of devices in (IC)²NS.
◦ Service account: A service account must be created subject to the password complexity of the elevated privilege account. The account may be exempted from the change management requirement. The password of a service account must be changed whenever a member of the work group who has known the service account password leaves the work group.
• Assisted password reset: Sometimes it may be necessary to reset a password. A user must first request the administrator to reset the password, though the administrator may not reset the password if the user is not identified. A user must request a password reset by providing any one of the following: i) a secret key or satisfactory answers about personal information stored in the central database of the organization, ii) confirmation of the user's identity by a supervisor or by a supporting technology, iii) a photo identity or a human factor such as a biometric scan, and iv) satisfactory challenge-responses in a self-service application.
• If the organization has an application development standard, it must ensure the following security precautions: it should support authentication of individual users instead of group authentication; it should not store passwords in clear text or in any easily reversible form; and a temporary password with a validity of 3 days should be provided to a special user for some sort of role management task.

V. POLICY

1) All intelligent electronic devices (IEDs), industrial devices, network devices and cyber security devices used in (IC)²NS must be password protected. There shall not be any provision to access the system by using its default password.
2) A poor password not satisfying the password standard shall not be allowed to be created.
3) All passwords must be changed at least every 90 days. The system shall automatically ask the user to change the password before this duration is completed.
4) Three consecutive unsuccessful attempts shall result in lock out of the user account, and this shall raise an alarm to the Security Information and Event Management (SIEM) system. An intruder lock out feature shall be implemented to impose the best level of security.
5) The session of a logged in user shall be automatically terminated after 10 minutes in idle condition.
6) The systems should be capable of supporting strong passwords for a large number of users (as many as are required for the organization). Simultaneous login from different places on behalf of the same user shall be avoided.
7) Old passwords shall be recorded for a period of three months, and hence a password shall not be allowed to be reused in the subsequent period. An automatic alarm shall be generated if a user tries to use an old password within a period of six months.
8) A security token or one time password (OTP) technique may be used to access the (IC)²NS for some special applications.
9) The human factors for passwords may also be considered. Unlike computers, human users cannot delete one memory and replace it with another. Consequently, changing a memorized password is very difficult, and most users resort to choosing a password that is easy to guess. Users are often advised to use mnemonic devices to remember complex passwords.
10) Administration factors can also be an issue in (IC)²NS. An ICS sometimes has legacy devices that require a password that was in use before the password duration expired. In order to manage these legacy devices, users may have to resort to writing down all old passwords for the eventual case where they need to log in to a legacy device.
11) A passphrase should preferably be used with a public key/private key cryptographic technique for authentication. The passphrase should be relatively long and contain a combination of upper and lower case letters, numerals and punctuation characters.
12) Remote access to ICN systems and servers should preferably be avoided. In an emergency, remote access to the servers and systems may be allowed using passwords and/or passphrases under a remote access setup. To provide remote access, the approval of higher authority, i.e., the chief information security officer (CISO), should also be taken. Access to (IC)²NS via remote access is to be controlled using one-time password authentication, a public/private key system with a strong passphrase, a VPN setup, or a combination of all three. The remote access setup should support TACACS+, TACACS, RADIUS and LDAP security retrieval wherever possible.
13) All logs of the systems and users shall be maintained. Successful and unsuccessful login attempts shall also be recorded in the event log.
14) The password policy should include progressive sanctions, beginning with warnings and ending with possible loss of computer privileges. Where confidentiality is mandated by law, e.g., with classified information, a violation of the password policy should be viewed as laxity in the job proforma of the organization.
15) A password policy should usually be a tradeoff between theoretical security and the practicality of human behavior. For example, requiring excessively complex passwords and forcing them to be changed frequently could cause users to write passwords down in places that are easy for an intruder to find. Some identity management systems should be allowed to offer a self-service password reset method, where users can reset a password securely by supplying an answer to one or more security questions. It should also be kept in mind that the answers to these questions can often be obtained easily by social engineering, phishing or simple research. For the password policies of different web sites, it should be concluded that security only partly explains a more stringent policy; for example, a monopoly provider of a service has a more stringent policy than sites where consumers have a choice.
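As an added example, not part of the paper, the following Python encodes the construction rules of Section IV (minimum length, four of the five character classes, no dictionary words or weak patterns) together with policy items 3), 4) and 7) above (90-day expiry, lockout after three consecutive failures with an alarm, a three-month history that blocks reuse and a six-month window in which a retired password raises an alarm). The blacklist and the sample passwords are constructed, time is counted in whole days, and PBKDF2 storage is this example's choice rather than something the paper prescribes.

```python
# Added example (not from the paper): an enforcement model for the Section IV
# construction rules and the Section V expiry / lockout / history rules.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Section IV character classes; a password must draw on at least 4 of the 5.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(",.;:"),
    "special": set("@#$%&*"),
}
MIN_LENGTH = 9           # Section IV: fewer than nine characters is rejected
MIN_CLASSES = 4
# Constructed stand-in for the dictionary / names / keyboard-pattern list.
BLACKLIST = {"password", "qwerty", "ananana", "2312321", "welcome"}

# Section V thresholds; time is counted in whole days since an arbitrary epoch.
MAX_FAILURES = 3         # three consecutive failures lock the account
MAX_AGE_DAYS = 90        # passwords change at least every 90 days
HISTORY_DAYS = 90        # retired passwords are kept (and blocked) for three months
ALARM_DAYS = 180         # a retired password presented within six months raises an alarm


def check_construction(pw: str) -> list:
    """Return the Section IV rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    used = sum(1 for chars in CLASSES.values() if any(c in chars for c in pw))
    if used < MIN_CLASSES:
        problems.append("uses %d of %d character classes" % (used, len(CLASSES)))
    if any(word in pw.lower() for word in BLACKLIST):
        problems.append("contains a dictionary word or known weak pattern")
    return problems


def _digest(pw: str, salt: bytes) -> bytes:
    # Only a salted hash is stored, never clear text; PBKDF2 is this example's choice.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    set_day: int = 0
    history: list = field(default_factory=list)   # (digest, retired_day) pairs
    failures: int = 0
    locked: bool = False
    alarms: list = field(default_factory=list)     # what a real system would forward to the SIEM

    def set_password(self, pw: str, today: int) -> list:
        """Apply construction and history rules; return the reasons for refusal (empty = accepted)."""
        problems = check_construction(pw)
        if problems:
            return problems
        new = _digest(pw, self.salt)
        if self.digest and hmac.compare_digest(self.digest, new):
            return ["same as the current password"]
        for old, retired_day in self.history:
            if hmac.compare_digest(old, new) and today - retired_day <= HISTORY_DAYS:
                return ["reuse of a password retired in the last three months"]
        if self.digest:
            self.history.append((self.digest, today))
        self.digest, self.set_day = new, today
        return []

    def login(self, pw: str, today: int) -> str:
        """Return 'ok', 'expired', 'failed' or 'locked' for one interactive login attempt."""
        if self.locked:
            return "locked"
        cand = _digest(pw, self.salt)
        if self.digest and hmac.compare_digest(self.digest, cand):
            self.failures = 0
            return "expired" if today - self.set_day > MAX_AGE_DAYS else "ok"
        # A retired password presented within six months is an alarm condition (item 7).
        if any(hmac.compare_digest(old, cand) and today - retired_day <= ALARM_DAYS
               for old, retired_day in self.history):
            self.alarms.append("retired password presented on day %d" % today)
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            self.alarms.append("account locked after %d consecutive failures" % MAX_FAILURES)
            return "locked"
        return "failed"


if __name__ == "__main__":
    acct = Account()
    print(check_construction("qwerty123"))
    print(acct.set_password("Grid#2015ok", 0), acct.login("Grid#2015ok", 0))
    for guess in ("bad1", "bad2", "bad3"):
        print(acct.login(guess, 0))
    print(acct.alarms)
```

The alarms list stands in for the SIEM feed of item 4); a deployment would also enforce the idle timeout of item 5) at the session layer, which this model does not cover.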

VI. ENFORCEMENT, EXCEPTION AND REVIEW OF THE POLICY

A. Enforcement of the Policy

1) A centralized authentication service shall be incorporated for all systems and processes associated with (IC)²NS. Automated account and password management may be implemented for local password standards.
2) Systems and processes that do not comply with this policy without having been granted an exception will be subject to loss of access to (IC)²NS. Any violation of the policy for access to (IC)²NS may call for disciplinary action as per the organization's policy.
3) Password cracking or penetration testing may be performed on a periodic or random basis by the Information Security Department or its delegates, only after obtaining permission from the CISO. If a password is guessed or cracked during these exercises, the user will be required to undergo three days of training to relearn the guidelines.

B. Policy Exception Process

All applications or services shall be implemented under consideration of the minimum standards, though exceptions to this policy may be considered in some special cases. The exception process requires a technical description of why the exception is needed and a statement of justification for it. A review and analysis of a policy exception may also be conducted by the organization head, who can take support from the cyber security cell of the organization.

C. Policy Review

A committee shall review the policy at least annually and generate a new version with a date, including the names and signatures of the committee members, even if there is no change in the existing policy. The version shall be maintained in the policy history documents of the organization and a statement shall be written in the history.

VII. CONCLUSIONS

We have proposed a password policy for cyber security consideration in industrial control networks and industrial control systems ((IC)²NS), which is eventually an integrated IP network. The (IC)²NS consists of intelligent electronic devices, industrial control systems, networking devices and cyber security devices, along with legacy devices. The proposed password policy provides a complete discussion of the policy, its scope and purpose, password creation guidelines and the minimum required criteria to create a password. It also covers the password requirements needed for the highest level of security in an automated industrial control system and industrial control network. We have presented a strategy to access (IC)²NS and its data securely by following the guidelines set out in this work. The strategy provides a technological way to access systems and their information in organizations. Finally, we have discussed policy enforcement, review, exception and possible disciplinary actions. Our proposed password policy is generic and can be used for any type of industrial control network. Thus, the specific industrial control network where a specific password policy is to be used is left as future work.

ACKNOWLEDGEMENT: We would like to thank fellow employees working on the NTAMC project conceived by Power Grid Corporation of India Limited. We are also grateful to the anonymous reviewers for their comments and suggestions, which essentially helped to improve the quality of the paper.

REFERENCES

[1] B. Galloway and G. P. Hancke, Introduction to Industrial Control Networks, IEEE Communications Surveys and Tutorials, Vol. 15, No. 2, pp. 860-880, 2012.
[2] H. Tao, Pass-Go, a New Graphical Password Scheme, June 2006.
[3] A. Jaquith, Picking a Sensible Mobile Password Policy, White Paper, SilverSky Secure from The Cloud, 2013.
[4] C. Herley and P. C. van Oorschot, A Research Agenda Acknowledging the Persistence of Passwords, IEEE Security and Privacy Magazine, pp. 1-9, 2012.
[5] P. Inglesant and M. A. Sasse, The True Cost of Unusable Password Policies: Password Use in the Wild, ACM CHI'10, Atlanta, Georgia, USA, pp. 1-10, 2010.
[6] R. J. K. Shay, A. B. Spantzel and E. Bertino, Password Policy Simulation and Analysis, ACM DIM'07, Fairfax, Virginia, USA, pp. 1-10, 2007.
[7] A. Huth, M. Orlando, and L. Pesante, Password Security, Protection, and Management, US-CERT, pp. 1-5, 2012.
[8] M. McDowell et al., Choosing and Protecting Passwords, US-CERT Cyber Security Tip ST04-002, 2012.
[9] A. Singer and W. Anderson, Rethinking Password Policies, Security, Vol. 38, No. 4, pp. 14-18, 2013.
[10] D. Florêncio and C. Herley, Where Do Security Policies Come From?, Symposium on Usable Privacy and Security (SOUPS) 2010, Redmond, WA, USA, pp. 1-14, 2010.
[11] Password Protection Policy, SANS Institute, 2014.
[12] Y. Zhang, F. Monrose, and M. K. Reiter, The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, ACM, pp. 1-11.
[13] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms, IEEE Symposium on Security and Privacy, pp. 523-537, 2012.
[14] K. Scarfone and M. Souppaya, Guide to Enterprise Password Management (Draft), National Institute of Standards and Technology, US Department of Commerce, Special Publication, pp. 1-38, 2009.
[15] V. Taneski, M. Heričko and B. Brumen, Password Security: No Change in 35 Years?, MIPRO, pp. 1360-1365, 2014.
[16] D. Wang, G. Jian, X. Huang and P. Wang, Zipf's Law in Passwords, ACM Trans. on Info. and System Security, Vol. 1, No. 1, pp. 1-33, 2015.