The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published a new guide to aid system administrators in securing identity and access management (IAM) infrastructure.
The document is part of the agencies’ Enduring Security Framework (ESF). It includes recommended best practices to counter IAM threats related to identity governance, environmental hardening, identity federation/single sign-on, multi-factor authentication (MFA) and IAM auditing and monitoring.
In the guide, CISA and NSA mention a few attacks in recent years that leveraged vulnerabilities in IAM products and implementations to target critical infrastructure.
“In 2021, compromised credentials were used to attack and shut down the Colonial national gas pipeline in the US,” reads the document. “[Months earlier], an unknown attacker manipulated computer systems in a Florida water treatment plant to increase the concentration of sodium hydroxide in the water supply.”
The report also mentions the 2022 attack targeting a water treatment plant in South Staffordshire, UK.
“Critical infrastructure organizations have a particular responsibility to implement, maintain and monitor secure IAM solutions and processes to protect not only their own business functions and information but also the organizations and individuals with whom they interact,” reads the guide.
To aid these businesses in achieving higher levels of security, the guide provides a framework to enable them to assess current IAM capabilities and risk posture. It highlights techniques to improve areas, including selecting, layering, integrating and adequately configuring secure solutions.
System administrators should also maintain the appropriate level of security to manage risk during continued operations, as well as foster awareness of correct IAM usage and risks.
The CISA advisory comes a couple of months after a SecurityScorecards report suggested almost half of all critical manufacturing organizations are currently vulnerable to a breach.