
I would like to understand the real role of 2-Factor Authentication in Industrial Control Systems like SCADA/SmartGrid with a Windows AD infrastructure. In particular, I am interested in operational use cases: when operators/engineers access workstations/HMI consoles.

  • With which kind of 2FA means are smart cards being replaced?
  • What is the main purpose of implementing 2FA: regulations, the human factor, or a real security control?
  • What kind of threats/attacks are mitigated by 2FA as a security control?

Any feedback from field practitioners would be appreciated.

AleSil
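The question mentions smart cards on a Windows AD domain. One concrete thing a practitioner checks in that setting is whether the interactive-logon accounts used at HMI consoles actually have the domain-side "smart card is required for interactive logon" flag set, since a smart-card deployment where that flag is missing still allows password-only logon. The following is an added example, not code from the original post or its author; the OU distinguished name is a placeholder assumption and must be replaced with the real one. It uses the standard ActiveDirectory module cmdlets and reports accounts that would still accept a plain password.

```powershell
# Added example (not from the original post): audit HMI/operator accounts in AD for
# missing smart-card enforcement. Read-only; it only lists accounts.

Import-Module ActiveDirectory

# Assumption: placeholder OU holding the operator/engineer accounts used on HMI consoles.
$operatorOu = 'OU=HMI Operators,DC=example,DC=local'

# SmartcardLogonRequired maps to the SMARTCARD_REQUIRED bit of userAccountControl.
$accounts = Get-ADUser -SearchBase $operatorOu -Filter * `
    -Properties SmartcardLogonRequired, PasswordLastSet, PasswordNeverExpires, LastLogonDate

# Enabled accounts that can still log on with a password alone.
$passwordOnly = $accounts | Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }

# Passwords that never expire are the "shared password everyone knows" case from the answer.
$neverExpires = $accounts | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }

Write-Host "Accounts in $operatorOu : $($accounts.Count)"
Write-Host "Enabled accounts without smart-card requirement: $($passwordOnly.Count)"
$passwordOnly | Select-Object SamAccountName, PasswordLastSet, LastLogonDate | Format-Table -AutoSize

Write-Host "Enabled accounts whose password never expires: $($neverExpires.Count)"
$neverExpires | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
```

Run it from a domain-joined host with RSAT installed; a non-empty first table means the smart card is optional for those users and the console still falls back to whatever password is written on the post-it.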

1 Answer


In our case, it was the human factor. You're lucky if the post-it with the password doesn't go right on the console. If it doesn't, everyone has the same password that everyone knows.

Staff gets annoyed by the need for a token, but they can't easily replicate it, so they're too worried about explaining how they lost theirs to just leave it around. Add a password that has to be changed and soon enough they run out of combinations so obvious that they could be guessed in three tries, and syncing their passwords is more trouble than doing things right.

On tokens vs tokenless, I'm strongly for tokens. Tokens come dirt cheap in a box from China, they work in buildings with phone jammers, don't get left elsewhere out of fear of damage, there are no battery concerns, and they end up stored alongside physical keys, which people always recognize as items to be protected. And there's something to be said for the personal interaction in handing one over.

I don't see how you can separate real security control from the human factor. Security is all about minimizing the vulnerabilities from the human factor. Make it easier to comply with the rules than to work around them and you can get enough security that the system isn't wide open.

Source: Did SCADA.

ZOMVID-21