NACIO Non-obtrusive Authentication of Critical Infrastructure Operators Sam Clements, Mark Hadley, Tom Edgar, and Cliff Glantz Pacific Northwest National Laboratory (PNNL) March 2010 This material is based upon work supported by the U.S. Dept. of Homeland Security under Grant Award Number 2006-CS-001- 000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College.
18
Embed
Survivability and Recovery of Process Control Systems · 1 NACIO Non-obtrusive Authentication of Critical Infrastructure Operators Sam Clements, Mark Hadley, Tom Edgar, and Cliff
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
11
NACIONon-obtrusive Authentication of Critical
Infrastructure Operators
Sam Clements, Mark Hadley,
Tom Edgar, and Cliff Glantz
Pacific Northwest National Laboratory (PNNL)
March 2010
This material is based upon work supported by the U.S. Dept. of Homeland Security under Grant Award Number 2006-CS-001-
000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed
by Dartmouth College. The views and conclusions contained in this document are those of the authors and should not be
interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland
Security, the I3P, or Dartmouth College.
The NACIO Team
Project Team Members
• Sam Clements
• Mark Hadley
• Thomas Edgar
Working out of PNNL’s main campus in Richland, Washington
2
3
What is Authentication?
“All information systems
must have a security
mechanism installed that
requires authentication prior
to file access.”
- API 1164
“…Responsible Entity shall
have a policy for managing the
use of such accounts [shared,
generic] that limits access to
only those with authorization,
[and] an audit trail of the
account use …”
- NERC CIP 7 R5.2.3
The process of verifying a user’s identity and
authorization to access a network or its resources.
- NIST 800-53
- NRC RG-5.71
What is Required for Authentication?
• For IT systems we often require:
– Something you know (e.g.; password)
– Something you have (e.g.; security
token, mag. card)
– Something you are (e.g., fingerprints)
4
Control System Authentication Issues
• Authentication restrictions cannot be allowed to: