Cloud-Based IAM for Secure SAP Asset Management in OT Environments
SAP asset management tools are built on Industry 4.0 principles that aim to connect all processes across the entire supply chain. These include performance management, field service management, asset collaboration, and so on. It is essentially an intelligent ecosystem-wide strategy for managing enterprise assets.
For OT environments, as will be explained in this article, there is a lot of catching up to do when it comes to securing access to systems and devices.
Cloud-based IAMs are becoming popular these days, but how well are they equipped to handle the peculiarities of OT infrastructure? In fact, what is peculiar about OT systems? Read on to learn more.
Cybersecurity Implications of OT and IT Convergence
The increasing adoption of technologies such as IoT, cloud computing, and big data analytics has been bridging the gap between traditionally segregated OT and IT environments.
This convergence brings the potential for several benefits including enhanced visibility, real-time monitoring, more seamless flow of information, and improved operational efficiency.
Particularly, many organisations are hopeful about enhanced cybersecurity for OT assets since they now have connectivity. However, the hopes can fall apart if you are approaching IAM for OT in the same way it was implemented for IT.
As Accenture reminds us, “IAM solutions are a combination of people, process, and technology.” So, you can’t simply transfer what has worked for IT services onto OT environments. Of course, the goals of IAM remain the same: securing and provisioning access for users and devices. But the implementation does not have to be the same.
Challenges of IAM for OT Environments
There are some immediate challenges to the effective implementation of IAM in OT environments; we’ll examine three major ones.
- Not OT-specific
The majority of IAM solutions are designed for IT use cases. OT assets don’t come up as often when talking about identity and access, so there is already a lot of catching up to do.
Indeed, some experts and organisations are already highlighting these issues, but it’s going to take a long time for OT identity management to be on par with what is obtainable in digital environments.
- Connectivity Issues
One reason organisations are more lackadaisical about IAM for OT environments is that most major physical assets and infrastructure are located at remote sites, often with no internet connectivity or, at best, intermittent connectivity.
This makes it difficult to establish a protocol for cloud-based IAM for OT assets. In order to get ahead in this regard, there has to be provision for constant connectivity.
- Multiple Identities
Certain infrastructure security standards and guidelines, such as NIST SP 800-82 Rev. 2 and the CISA Performance Goals, recommend separate identities for different environments.
While this makes sense from a security perspective, when it comes to identity and access management specifically, you find out that it causes more friction than it should. In fact, the friction could be such that organisations might even abandon IAM solutions for their OT assets.
So, IAM solutions must be innovative enough not to cause unbearable friction, because that friction would put at risk the very assets the solution is meant to protect.
In summary, despite all these challenges, organisations must do the work of fitting innovative IAM solutions into their OT infrastructure. In fact, since the state of cybersecurity today emphasizes zero-trust architecture, that aim cannot be achieved if physical identity and access management are not integrated into an organisation’s overall security architecture.
What Effective Cloud-based IAM Looks Like for OT Systems
In OT cybersecurity, just as in IT environments, access governance ensures that access rights are granted based on the principle of least privilege, meaning that users are granted only the access privileges required to perform their specific job functions within the OT system.
This includes defining access policies, conducting regular access reviews and certifications, as well as implementing segregation of duties (SoD) controls to prevent conflicts.
It’s also important to factor in contractors and other third-party personnel who might have to interact with devices and systems. This is more common with physical assets than with digital ones and, as such, extra care is required in protecting them.
Just like a digital cloud contact center where different agents have access to the same communications platform, all personnel must be duly covered and secured.
In addition, privileged accounts, such as those used by system administrators or maintenance personnel, have particularly extensive access privileges and control over OT systems and data.
Therefore, securing and managing these accounts is crucial to prevent unauthorized or malicious activities that could disrupt OT operations or compromise the integrity of the systems.
Hence, IAM in the OT context involves implementing measures such as secure credential management, session monitoring and recording, just-in-time access provisioning, and privileged user behavior analytics. This helps mitigate the risk of insider threats, external attacks, and unauthorized modifications to critical infrastructure.
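As an added illustration of the access-governance and privileged-access measures described above (least-privilege roles, segregation-of-duties checks and time-boxed just-in-time grants), here is a small Python decision routine; it is not code from the article or from any SAP or IAM product, and the role names, permissions and the contractor scenario are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed least-privilege role scopes for OT asset operations.
ROLE_PERMISSIONS = {
    "plc_operator": {"plc:read", "plc:ack_alarm"},
    "maintenance_tech": {"plc:read", "plc:write_setpoint", "hmi:login"},
    "change_approver": {"change:approve"},
    "auditor": {"plc:read", "log:read"},
}

# Segregation-of-duties rule: one identity may never hold both roles.
SOD_CONFLICTS = {frozenset({"maintenance_tech", "change_approver"})}

T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    jit_grants: dict = field(default_factory=dict)  # permission -> expiry


def sod_violations(identity):
    """Return every SoD pair the identity currently holds in full."""
    return [tuple(sorted(p)) for p in SOD_CONFLICTS if p <= identity.roles]


def grant_jit(identity, permission, minutes, now):
    """Time-boxed privileged access: expires on its own, no standing privilege."""
    identity.jit_grants[permission] = now + timedelta(minutes=minutes)


def is_allowed(identity, permission, now):
    """Decide (allowed, reason); an SoD conflict blocks all access until fixed."""
    if sod_violations(identity):
        return False, "sod-conflict"
    if any(permission in ROLE_PERMISSIONS[r] for r in identity.roles):
        return True, "role"
    expiry = identity.jit_grants.get(permission)
    if expiry is not None and now < expiry:
        return True, "jit"
    return False, "denied"


def run_demo():
    """Constructed scenario: a contractor technician on a remote site."""
    tech = Identity("contractor-tech", {"maintenance_tech"})
    out = {"setpoint_by_role": is_allowed(tech, "plc:write_setpoint", T0),
           "firmware_before_jit": is_allowed(tech, "plc:firmware_update", T0)}
    grant_jit(tech, "plc:firmware_update", minutes=30, now=T0)
    out["firmware_during_jit"] = is_allowed(tech, "plc:firmware_update", T0 + timedelta(minutes=10))
    out["firmware_after_jit"] = is_allowed(tech, "plc:firmware_update", T0 + timedelta(minutes=31))
    tech.roles.add("change_approver")  # mis-provisioning caught by the SoD check
    out["sod"] = sod_violations(tech)
    out["blocked_by_sod"] = is_allowed(tech, "plc:read", T0)
    return out
```

Running `run_demo()` shows the firmware permission being granted only inside the 30-minute window and every decision turning into `sod-conflict` once the conflicting role is added, which is the kind of finding a periodic access review is meant to surface.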
Cloud-based IAM is not without its own problems, especially for OT assets and infrastructure. Some fear that it is not as secure as on-premises solutions. However, these challenges occur with digital technologies too. Yet, the industry has been able to make it work.
This is not to say that implementing cloud-based IAM is the solution to all cybersecurity problems; physical asset management is too complex for that. But it’s a good starting point, provided you account for the peculiar features that OT environments exhibit.