Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Embracing Zero Trust: Least-Privilege Access

According to a recent World Economic Forum community paper, The ‘Zero Trust’ Model in Cybersecurity: Towards understanding and deployment:"

“Zero trust is a principle-based model designed within a cybersecurity strategy that enforces a data-centric approach to continuously treat everything as an unknown – whether a human or a machine — to ensure trustworthy behavior.”

Unpacking Zero Trust

At Schneider Electric, we have been unpacking the principles of our Zero Trust model in a series of blog posts. In our first, we discussed the need for organizations to routinely verify, authorize, and validate users of IT and OT infrastructures to prevent potential compromises to critical data and systems.

What is Least-Privilege Access?

Building on this concept, our second principle of Least-Privilege Access ensures that users only have access to exactly what they need — nothing more, nothing less. Identifying and limiting users’ access rights to what is strictly necessary not only limits our exposure to malware and cyber-attacks, but it also bolsters productivity by affording people with exactly what they need to do their jobs.

As advancements in smart technologies and automated processes require an increasingly larger workforce with more unique access control requirements, however, implementing the principle of Least-Privilege Access in our organization is easier said than done. To keep up with today’s needs, we take an active role in managing access privileges to ensure that users have the requisite permissions to fulfill vital tasks while removing access controls from those who no longer require them.

Failing to remove permissions runs the risk of privilege creep, which is the overabundance of permissions to sensitive systems granted to users who no longer need them to perform their functions. Privilege creep significantly opens up organizations to cyber vulnerabilities. Limiting the number of users with certain accesses not only reduces our risk of data loss, corruption, or theft, but it also makes traceability of the source for those problems far more efficient.

There are many ways we approach the principle of Least-Privilege Access. One of the most fundamental steps is creating clearly defined parameters for different levels of access. At the outset, all our new users begin with the bare-minimum amount of access required for the least-sensitive functions; these are referred to as least-privileged users (LPUs). By setting every new user up as an LPU, we can subsequently grant privileges on an individualized basis while keeping track of which individual users have been granted certain privileges.

Instead of solely granting permanent privileges, we also place time limits on access permissions, giving people temporary privileges if they need access for a specific task for a certain amount of time. Temporary privileges can either be granted within a specific timeframe before expiring or until the task is done. In the case of the latter, we often create and track one-time-use credentials while conducting due diligence that such permissions are revoked afterwards.

There are a number of other ways we practice least access as well. To counter privilege creep, we actively manage access rights to keep up with the rapidly changing landscape of our workforce and reprovision privileges when necessary. As shared accounts make it far more difficult to track access rights, we issue individual accounts to users wherever possible. In situations where someone cannot be given an individual account, we ensure that generic accounts are robustly secured through appropriate methods like smart card account logins for better traceability.

We have also worked with vendors that provide innovative and cost-effective privileged access management services so we can increase efficiencies without compromising on security. For instance, we can automatically discover and identify privileged accounts across a given network and set up automated alerts for IT and OT managers to help them detect, react, and stop outside attacks or internal misuse. We have also internal solutions for our EcoStruxure service such as Access Expert, which safely gives users with certain access privileges control over their invulnerable domains from the web or on mobile devices.

Compliance

Practicing the principle of Least-Privilege Access is not only the responsible thing to do — it is in fact necessary to remain compliant with many global industrial standards. Cybersecurity regulations and standards series — such as ISA/IEC 62443, ISO 27001, the NIS Directive, LPM, NERC CIP, and NIST SP-800-82 — each contain highly complex requirements regarding access privileges. By making least privilege access a matter of well-documented policy, we are not only able to attain cyber standards certifications required by our customers but also prove compliance in case of an audit by regulatory agencies.

Trust Nothing and Verify Everything

The principle of Least-Privilege Access represents a core tenet of our zero-trust philosophy, and it requires we practice a “trust nothing and verify everything” philosophy. When it comes to cybersecurity, hypervigilance is crucial while even the slightest bit of slack can be disastrous.

We encourage other organizations who seek to protect their critical systems and data actively manage privileges to ensure they are granted, reprovisioned, and removed properly. While such scrupulous oversight comes at a cost, it is more than recouped by mitigating potential cyber-attacks and reducing inefficiencies by ensuring employees always have the exact privileges they need to do their jobs.

Greg Elliott
Greg Elliott
Greg Elliott has nearly 30 years of industry experience in IT/OT, more than 15 of which have been dedicated to the field of cybersecurity. He currently serves as the Head of Cybersecurity Innovation, Technology & Architecture at Schneider Electric. Prior to his current role, Greg served as Schneider Electric's regional Chief Information Security Officer (CISO) over the Asia Pacific region, where he led the development and implementation of cybersecurity strategies across multiple countries. Greg's earlier career experiences provided him with a solid technical foundation across a range of IT functions, including serving as an infrastructure manager responsible for overseeing network, datacentre and endpoint management. He has also held roles as an Ecommerce manager, Systems Analyst and Software Developer.

Related Posts

What Does the Future of Zero Trust in OT Look Like?

Zero trust principles have established themselves in the mindshare of cybersecurity practitioners worldwi...
Jacob Chapman Dec 20, 2024 7:00:00 AM

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM