# Access Control for Process Systems
Access control for operational technology requires different approaches than IT systems. ISO 27019 provides specific guidance for controlling access to process control systems in energy environments.
## Unique Challenges in OT Access Control
### Operational Continuity Requirements
Access controls must not prevent emergency operations:
- Emergency shutdown procedures must remain accessible
- Safety system access cannot be blocked by security
- Failover to manual control must be possible
- 24/7 operations require always-available access
### Shared Accounts and Systems
Legacy OT systems often lack individual authentication:
- Operator consoles use shared credentials
- SCADA systems with single administrator accounts
- PLCs without user management capabilities
- Emergency access accounts for critical situations
### Physical and Logical Access Convergence
OT access has both a physical and a logical component:
- Physical access to control rooms and equipment
- Logical access to control systems
- Both must be coordinated for effective security
- A physical breach often leads to logical compromise
## ISO 27019 Access Control Principles
### Role-Based Access (RBAC)
Organize access by operational roles:

| Role | Access Level | Typical Permissions |
|---|---|---|
| System Operator | Monitor and control | View all data, execute approved commands |
| Supervisor | Full operational control | All operator permissions plus overrides |
| Engineer | Configuration | Modify setpoints, program logic, system config |
| Viewer | Read-only | Dashboard viewing, no control actions |
| Maintenance | Limited functional | Specific equipment access for repairs |
| Emergency | Break-glass | Critical safety operations only |
### Privileged Access Management
#### Administrative Accounts
Special handling for high-privilege accounts:
- Separate accounts for admin vs. regular duties
- Just-in-time access for temporary elevation
- Session recording for all administrative actions
- Approval workflows for admin access requests
- Time-limited credentials that expire after use
#### Emergency Access ("Break Glass")
Procedures for emergency situations:
- Sealed envelopes with credentials in control rooms
- Tamper-evident containers requiring documentation
- Automatic alerts when emergency access is used
- Post-incident review of all emergency access
- Regular testing of emergency procedures
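The two lists above (just-in-time administrative elevation and break-glass access) can be expressed as one small state machine: a time-limited grant that needs a second person's approval, and an emergency path that needs no approval but consumes a sealed credential, alerts the security team and opens a review item. The code below is an added example written for this lesson; it is not ISO 27019 text and not any product's API. The envelope identifiers, user names and the 30-minute emergency window are assumptions.

```python
from datetime import datetime, timedelta


class PrivilegedAccess:
    """Just-in-time elevation and break-glass access with expiry, alerting and
    a review queue. Illustrative design for this lesson, not a product API."""

    def __init__(self, sealed_envelopes):
        # Envelope IDs of sealed break-glass credentials kept in the control room
        # (constructed identifiers; a real deployment tracks its own inventory).
        self.unused_envelopes = set(sealed_envelopes)
        self.grants = {}          # user -> (expires_at, reason)
        self.alerts = []          # notifications sent to the security team
        self.review_queue = []    # emergency uses awaiting post-incident review
        self.session_log = []     # every privileged action, for session review

    def request_elevation(self, user, approver, now, ttl, reason):
        """Approval-workflow path: a different person approves; access is time-limited."""
        if approver == user:
            return None  # self-approval is not allowed
        expires = now + ttl
        self.grants[user] = (expires, reason)
        self.alerts.append(("elevation", user, f"approved by {approver}: {reason}"))
        return expires

    def break_glass(self, user, envelope_id, now, justification,
                    ttl=timedelta(minutes=30)):
        """Emergency path: no approval step, but the sealed credential can be used
        only once, the security team is alerted and a review item is opened."""
        if envelope_id not in self.unused_envelopes:
            return None  # seal already broken or unknown envelope: refuse
        self.unused_envelopes.discard(envelope_id)
        expires = now + ttl
        self.grants[user] = (expires, "BREAK-GLASS: " + justification)
        self.alerts.append(("break-glass", user, justification))
        self.review_queue.append((now.isoformat(), user, envelope_id, justification))
        return expires

    def is_elevated(self, user, now):
        """True while a grant exists and has not expired; expired grants are dropped."""
        grant = self.grants.get(user)
        if grant is None:
            return False
        expires, _ = grant
        if now >= expires:
            del self.grants[user]   # credential expires on its own
            return False
        return True

    def perform(self, user, action, now):
        """Record a privileged action; refused (and alerted) when no valid grant exists."""
        if not self.is_elevated(user, now):
            self.alerts.append(("denied", user, action))
            return False
        self.session_log.append((now.isoformat(), user, action))
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 3, 4, 10, 0)
    pam = PrivilegedAccess(sealed_envelopes=["ENV-01"])
    pam.request_elevation("admin_a", "supervisor_b", t0, timedelta(hours=1), "patch HMI")
    pam.perform("admin_a", "apply patch", t0 + timedelta(minutes=30))
    pam.perform("admin_a", "apply patch", t0 + timedelta(hours=2))   # expired: denied
    pam.break_glass("operator_c", "ENV-01", t0, "safety PLC fault")
    pam.break_glass("operator_d", "ENV-01", t0, "second use")        # seal gone: refused
    for alert in pam.alerts:
        print(alert)
    print("pending reviews:", pam.review_queue)
```

The point to notice is that the emergency path is not "less secure": it trades the approval step for a one-time credential, an immediate alert and a mandatory review, which is exactly what the list above asks for.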
### Least Privilege Principle
Minimize access to only what is required:
- Operators see only their area of responsibility
- Engineers access only systems they maintain
- Third-party vendors restricted to specific equipment
- Management has no direct control system access
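The role table in the RBAC section and the scoping rules in this list combine into one deny-by-default authorization check: the role must grant the action, and the target must lie inside the person's area of responsibility. The following is an added example written for this lesson, not ISO 27019 text or any product's code. The role names follow the table; the action names (`view`, `command`, `override`, `configure`, `maintain`, `safety_override`) and the equipment identifiers are assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Permission sets for the roles in the table above. The role names follow the
# table; the action names are assumptions made for this example.
ROLE_PERMISSIONS = {
    "viewer":      {"view"},                              # read-only dashboards
    "operator":    {"view", "command"},                   # approved control commands
    "supervisor":  {"view", "command", "override"},       # operator rights plus overrides
    "engineer":    {"view", "configure"},                 # setpoints, logic, system config
    "maintenance": {"view", "maintain"},                  # repairs on specific equipment
    "emergency":   {"view", "safety_override"},           # break-glass: safety actions only
}
# There is deliberately no "management" role: managers get no direct system access.


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    scope: frozenset   # plant areas or equipment tags this person is responsible for


def authorize(principal: Principal, action: str, target: str) -> Tuple[bool, str]:
    """Deny-by-default check: the role must grant the action AND the target must
    lie inside the principal's area of responsibility (least privilege)."""
    perms = ROLE_PERMISSIONS.get(principal.role)
    if perms is None:
        return False, f"unknown role {principal.role!r}"
    if action not in perms:
        return False, f"role {principal.role!r} does not grant {action!r}"
    if target not in principal.scope:
        return False, f"{target!r} is outside the scope of {principal.user!r}"
    return True, f"{principal.user!r} may {action!r} on {target!r}"


if __name__ == "__main__":
    # Constructed principals: an operator for one unit, an engineer for another,
    # a third-party technician limited to a single pump, and a manager.
    checks = [
        (Principal("op1", "operator", frozenset({"boiler_1"})), "command", "boiler_1"),
        (Principal("op1", "operator", frozenset({"boiler_1"})), "command", "turbine_2"),
        (Principal("eng1", "engineer", frozenset({"turbine_2"})), "configure", "turbine_2"),
        (Principal("eng1", "engineer", frozenset({"turbine_2"})), "command", "turbine_2"),
        (Principal("vendor_x", "maintenance", frozenset({"pump_7"})), "maintain", "pump_7"),
        (Principal("vendor_x", "maintenance", frozenset({"pump_7"})), "maintain", "boiler_1"),
        (Principal("mgr", "management", frozenset({"boiler_1"})), "view", "boiler_1"),
    ]
    for principal, action, target in checks:
        allowed, reason = authorize(principal, action, target)
        print("ALLOW" if allowed else "DENY ", reason)
```

Because every decision returns a reason string, the same function doubles as the source of the audit record that the logging requirements later in this lesson call for.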
## Vendor and Third-Party Access
### Temporary Access for Vendors
Strict controls for external parties:
- Pre-approved vendors with background checks
- Escort requirements during on-site work
- Time-limited accounts that expire automatically
- Monitoring of all vendor activities
- Dedicated access paths separate from employee access
### Remote Vendor Access
Additional security for remote maintenance:
- VPN with MFA and device posture checking
- Just-in-time access enabled only during scheduled maintenance
- Jump hosts preventing direct access to control systems
- Session recording for audit and review
- Advance notification required for remote access
## Authentication Mechanisms
### Multi-Factor Authentication (MFA)
Required for remote and privileged access:
- Something you know: Password or PIN
- Something you have: Smart card, token, or mobile app
- Something you are: Biometrics where appropriate
### Challenges with Legacy Systems
When modern authentication is not supported:
- Compensating controls: Enhanced physical security, network isolation
- Proxy authentication: Jump host with MFA protecting legacy system
- Shared credential management: Password vaults with individual accountability
- Enhanced logging: Correlate physical and logical access
## Physical Access Integration
### Badge Systems
Coordinate physical and logical access:
- Same badge for building and system access
- Badge readers at control room entries
- Automatic correlation of physical presence with system logins
- Alerts for system access without physical presence
### Visitor Management
Special procedures for non-employees:
- Pre-registration and approval required
- Escort at all times in sensitive areas
- No unattended access to systems
- Visitor badge clearly distinguishable
- Sign-in/sign-out logs
## Access Provisioning and Deprovisioning
### Onboarding Process
Steps for granting new access:
- Request: Manager submits formal request
- Approval: Role-based approval workflow
- Training: Security awareness before access granted
- Provisioning: IT/OT creates accounts with appropriate permissions
- Verification: Confirm access works and is limited as intended
### Offboarding Process
Critical for departing personnel:
- Notification: HR triggers offboarding workflow
- Timeline: Immediate for terminations, scheduled for resignations
- Physical: Recover badges, keys, tokens
- Logical: Disable all accounts and credentials
- Verification: Audit to confirm all access removed
### Access Review
Regular validation of permissions:
- Quarterly review of all privileged accounts
- Annual review of standard user access
- Manager attestation of appropriate access
- Remove unused accounts and permissions
- Document and approve exceptions
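The review cadence above (quarterly for privileged accounts, annual for standard users, removal of unused accounts) and the time-limited contractor accounts described later in this lesson can be checked mechanically against an account export. The following is an added example written for this lesson, not ISO 27019 text or any identity product's code; the account records are constructed, and the 90-day "unused" threshold is an assumption.

```python
from datetime import date

# Constructed account inventory, as an identity system might export it for review.
ACCOUNTS = [
    {"user": "operator_a", "privileged": False, "contract_end": None,
     "last_login": date(2024, 3, 1), "last_attested": date(2023, 6, 1)},
    {"user": "admin_b", "privileged": True, "contract_end": None,
     "last_login": date(2024, 2, 20), "last_attested": date(2023, 11, 1)},
    {"user": "vendor_c", "privileged": False, "contract_end": date(2024, 1, 31),
     "last_login": date(2024, 1, 30), "last_attested": date(2024, 1, 2)},
    {"user": "legacy_svc", "privileged": True, "contract_end": None,
     "last_login": None, "last_attested": date(2024, 2, 15)},
]


def review_accounts(accounts, today, stale_days=90,
                    privileged_attest_days=90, standard_attest_days=365):
    """Return (user, finding) pairs for the review cycle in the text: quarterly
    attestation for privileged accounts, annual for standard users, plus accounts
    that are unused or whose contract period has ended."""
    findings = []
    for account in accounts:
        user = account["user"]
        last_login = account["last_login"]
        if last_login is None or (today - last_login).days > stale_days:
            findings.append((user, f"no login in {stale_days} days: disable"))
        contract_end = account["contract_end"]
        if contract_end is not None and contract_end < today:
            findings.append((user, "contract ended: remove account"))
        limit = privileged_attest_days if account["privileged"] else standard_attest_days
        if (today - account["last_attested"]).days > limit:
            findings.append((user, "manager attestation overdue"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, date(2024, 3, 4)):
        print(f"{user:12} {finding}")
```

Accounts that never logged in (`last_login` is `None`) are flagged as unused on purpose: provisioned-but-never-used service accounts are a common leftover that a review should catch.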
## Monitoring and Auditing
### Access Logging
Comprehensive logging requirements:
- All authentication attempts (success and failure)
- All privileged actions and configuration changes
- All remote access sessions
- All emergency access use
- Correlation with physical access logs
### Log Protection
Ensure integrity of audit trails:
- Centralized log collection from OT systems
- Write-once storage preventing tampering
- Encrypted transmission to log server
- Long retention periods (minimum 1 year, often longer)
- Regular review for anomalies
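Write-once storage is the primary control for the list above; the collector can add tamper evidence of its own by chaining each record to the previous one and authenticating it with a key that only the log server holds. The following added example (written for this lesson, not ISO 27019 text or any SIEM's code) does that and shows how edits, deletions and truncation are detected. The server key and the event records are constructed.

```python
import hashlib
import hmac
import json


class ChainedAuditLog:
    """Append-only access log whose records are hash-chained and authenticated
    with a key held by the central log server, so that any edit, deletion or
    reordering after collection is detectable. Example design for this lesson."""

    GENESIS = "0" * 64

    def __init__(self, server_key: bytes):
        self.key = server_key      # kept on the log server, never on the OT host
        self.entries = []

    def _tag(self, record: dict) -> str:
        # Canonical JSON of everything except the tag itself, then HMAC-SHA256.
        body = json.dumps({k: v for k, v in record.items() if k != "tag"},
                          sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        record = {"seq": len(self.entries), "prev": prev, "event": event}
        record["tag"] = self._tag(record)
        self.entries.append(record)
        return record["tag"]           # the new head: copy it to write-once storage

    def verify(self, expected_head=None):
        """Return the index of the first bad record, or None if the chain is intact.
        Passing the head tag saved to write-once storage also detects truncation."""
        prev = self.GENESIS
        for i, record in enumerate(self.entries):
            if record["seq"] != i or record["prev"] != prev:
                return i
            if not hmac.compare_digest(self._tag(record), record["tag"]):
                return i
            prev = record["tag"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.entries)   # records missing from the end
        return None


if __name__ == "__main__":
    log = ChainedAuditLog(b"example-server-key")   # constructed key
    log.append({"user": "admin_a", "action": "login", "result": "success"})
    log.append({"user": "admin_a", "action": "setpoint_change", "tag_id": "FIC-101"})
    head = log.append({"user": "admin_a", "action": "logout"})
    print("intact:", log.verify(expected_head=head))          # None
    log.entries[1]["event"]["action"] = "view"                # tamper with a record
    print("first bad record:", log.verify())                  # 1
```

The chain alone cannot stop someone who also holds the key from rewriting everything, which is why the key stays on the log server and the current head tag is written to the write-once store after each batch: verification then compares against a value the OT host never had.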
### Anomaly Detection
Watch for unusual access patterns:
- Access from unexpected locations or times
- Multiple failed authentication attempts
- Privilege escalation attempts
- Access to systems outside normal scope
- Simultaneous access from multiple locations
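The badge correlation described under Physical Access Integration and the patterns in this list are all rules over the same two log streams, so one added example covers both. The code below is written for this lesson and is not ISO 27019 text or any SIEM's rule set; the badge and login records are constructed, and the 15-minute presence window, the three-failure threshold, the 06:00-18:00 day shift and the one-hour session length are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs for one day (not from any real plant).
BADGE_EVENTS = [  # (timestamp, user, room entered)
    ("2024-03-04T05:55:00", "operator_a", "control_room_A"),
    ("2024-03-04T13:40:00", "engineer_b", "control_room_A"),
    ("2024-03-04T23:20:00", "operator_d", "control_room_A"),
]
LOGIN_EVENTS = [  # (timestamp, user, console, room where the console sits, result)
    ("2024-03-04T06:01:00", "operator_a", "HMI-01", "control_room_A", "success"),
    ("2024-03-04T06:03:00", "operator_c", "HMI-02", "control_room_A", "success"),  # no badge entry
    ("2024-03-04T09:10:00", "vendor_x", "ENG-01", "control_room_A", "failure"),
    ("2024-03-04T09:11:00", "vendor_x", "ENG-01", "control_room_A", "failure"),
    ("2024-03-04T09:12:00", "vendor_x", "ENG-01", "control_room_A", "failure"),
    ("2024-03-04T13:45:00", "engineer_b", "ENG-01", "control_room_A", "success"),
    ("2024-03-04T13:50:00", "engineer_b", "HMI-05", "control_room_B", "success"),  # second room
    ("2024-03-04T23:30:00", "operator_d", "HMI-01", "control_room_A", "success"),  # off hours
]


def ts(value):
    return datetime.fromisoformat(value)


def logins_without_presence(logins, badges, window=timedelta(minutes=15)):
    """A successful console login should follow a badge entry into that room."""
    alerts = []
    for when, user, console, room, result in logins:
        if result != "success":
            continue
        t = ts(when)
        present = any(u == user and r == room and t - window <= ts(b) <= t
                      for b, u, r in badges)
        if not present:
            alerts.append((when, user, console, f"login without badge entry to {room}"))
    return alerts


def repeated_failures(logins, threshold=3, window=timedelta(minutes=10)):
    """N failed attempts by one account inside the window."""
    alerts, recent = [], defaultdict(list)
    for when, user, console, room, result in logins:
        if result != "failure":
            continue
        t = ts(when)
        recent[user] = [x for x in recent[user] if t - x <= window] + [t]
        if len(recent[user]) == threshold:
            alerts.append((when, user, console, f"{threshold} failed logins in 10 min"))
    return alerts


def off_hours_logins(logins, start_hour=6, end_hour=18):
    """Successful logins outside the staffed day shift (assumed 06:00-18:00)."""
    return [(when, user, console, "login outside day shift")
            for when, user, console, room, result in logins
            if result == "success" and not start_hour <= ts(when).hour < end_hour]


def multi_location_sessions(logins, session=timedelta(hours=1)):
    """Same account active from two rooms at once (shared or stolen credential)."""
    alerts, active = [], defaultdict(list)
    for when, user, console, room, result in logins:
        if result != "success":
            continue
        t = ts(when)
        active[user] = [(t0, r) for t0, r in active[user] if t - t0 <= session]
        if any(r != room for _, r in active[user]):
            alerts.append((when, user, console, "already active in another room"))
        active[user].append((t, room))
    return alerts


def run_rules(logins=LOGIN_EVENTS, badges=BADGE_EVENTS):
    logins = sorted(logins)   # ISO-8601 timestamps sort chronologically as strings
    return {
        "no_presence": logins_without_presence(logins, badges),
        "repeated_failures": repeated_failures(logins),
        "off_hours": off_hours_logins(logins),
        "multi_location": multi_location_sessions(logins),
    }


if __name__ == "__main__":
    for rule, alerts in run_rules().items():
        for when, user, console, detail in alerts:
            print(f"{when} {rule:18} {user:12} {console:7} {detail}")
```

Each rule is deliberately independent, so a single event can raise several alerts; in the sample, the engineer's second login is both "no badge entry" for room B and "active in another room", which is the combination an analyst most wants to see together.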
## Special Scenarios
### Emergency Operations
Maintain safety during security incidents:
- Documented emergency access procedures
- Pre-positioned backup credentials
- Override capabilities for life-safety
- Automatic alerting of security team
- Post-emergency access review
### Contractor Access
Managing a temporary workforce:
- Same background checks as employees
- Time-limited accounts tied to contract period
- Restricted to specific systems/areas
- Enhanced monitoring during access
- Prompt removal upon contract completion
### Shift Handover
Smooth transitions between operators:
- Clear documentation of current system state
- Formal handover procedures
- Individual accountability despite shared consoles
- Logbook entries for significant actions
- Overlap period for knowledge transfer
## Implementation Roadmap
### Phase 1: Assessment (Months 1-2)
- Inventory all OT systems and access points
- Document current access control mechanisms
- Identify gaps vs. ISO 27019 requirements
- Prioritize systems by criticality
### Phase 2: Policy and Design (Months 3-4)
- Develop OT access control policy
- Design role-based access model
- Plan authentication architecture
- Create vendor access procedures
### Phase 3: Pilot Implementation (Months 5-6)
- Deploy on non-critical systems first
- Test MFA solutions
- Implement logging and monitoring
- Refine based on operational feedback
### Phase 4: Full Deployment (Months 7-12)
- Roll out to critical systems
- Migrate from shared to individual accounts where possible
- Implement compensating controls for legacy systems
- Train all personnel on new procedures
### Phase 5: Ongoing Operations (Continuous)
- Regular access reviews
- Continuous monitoring
- Annual policy updates
- Adapt to new threats and technologies
Next Lesson: Implementing network segmentation to protect critical energy infrastructure.