Once you’ve partitioned your system into security zones the next step is to control access to the assets within those zones. It is important to provide both physical and logical access controls. Physical access controls are generally straightforward and easily understood.
Typical physical access controls are fences, locked doors, and locked equipment cabinets. The concept is to limit physical access to critical ICS assets to only those who require access to perform their job. For example, the control system in a typical refinery would be protected by multiple layers of physical access - starting with the fence around the refinery, then with locked doors on the building housing the control system, then with additional locked doors for the control room and equipment rooms, and finally locked enclosures for the actual control system equipment. Ideally, the same concepts should apply to logical access to critical control system resources.
Unfortunately, too often users can remotely access critical control resources by passing through only one simple layer of authentication. Like physical access control, logical access control starts by identifying who should have access to what resources with what privileges and how that should be enforced. Users need to be identified and authenticated to verify they are who they say they are. Once authenticated, users can be authorized to perform certain functions. Often this is determined by the role of the user. The concept of least privilege is also important, meaning that a user is only authorized to perform the functions necessary to perform their job. Another important concept is accountability, which involves logging the actions of individual users so they can be held accountable for their actions.
Fortunately, there are many tools available to assist the control system administrator in managing logical access control, such as Active Directory. However, we often see this technology misapplied. Much of what it takes to properly apply this technology is good planning; identifying users, defining roles, and assigning the users to those roles is a key first step which is often skipped or developed “on the fly”.
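To make the logical access control chain concrete (identification, authentication, role-based authorization, least privilege, and accountability through logging), here is a small added example in Python. It is not code from the original article or from any particular ICS vendor product; the roles, permissions, user names, passwords, and the asset name "PLC-01" are all constructed for illustration. The same planning step the text describes, deciding roles and their permissions before assigning users, is what the ROLE_PERMISSIONS table represents.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed role -> permission mapping for a small ICS environment.
# Planning this table first is the "key first step" the text describes:
# each role carries only the functions that job actually needs.
ROLE_PERMISSIONS = {
    "operator": {"view_hmi", "ack_alarm"},
    "engineer": {"view_hmi", "ack_alarm", "modify_logic"},
    "auditor":  {"view_hmi", "read_logs"},
}


@dataclass(frozen=True)
class User:
    name: str            # individual account, never shared, so actions are attributable
    roles: frozenset
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored credentials are not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessController:
    """Identification + authentication + role-based authorization + audit log."""

    def __init__(self):
        self.users = {}
        self.audit_log = []   # accountability: every decision is recorded
        self._dummy_salt = secrets.token_bytes(16)

    def add_user(self, name: str, password: str, roles):
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"undefined roles: {sorted(unknown)}")
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, frozenset(roles), salt, _hash_password(password, salt))

    def authenticate(self, name: str, password: str):
        """Verify the user is who they claim to be; returns the User or None."""
        user = self.users.get(name)
        if user is None:
            # Hash anyway so unknown and wrong-password cases take similar time.
            _hash_password(password, self._dummy_salt)
            self._log(name, "authenticate", "-", False)
            return None
        ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
        self._log(name, "authenticate", "-", ok)
        return user if ok else None

    def permitted(self, user: User, action: str) -> bool:
        """Least privilege: allowed only if some assigned role grants the action."""
        return any(action in ROLE_PERMISSIONS[r] for r in user.roles)

    def perform(self, user: User, action: str, asset: str) -> str:
        allowed = self.permitted(user, action)
        self._log(user.name, action, asset, allowed)   # log denials too
        if not allowed:
            raise PermissionError(f"{user.name} may not {action} on {asset}")
        return f"{action} on {asset}"

    def _log(self, who: str, action: str, asset: str, allowed: bool):
        self.audit_log.append(
            {"user": who, "action": action, "asset": asset, "allowed": allowed}
        )


def demo() -> dict:
    """Walk an operator and an engineer through the access chain (constructed data)."""
    ac = AccessController()
    ac.add_user("alice", "operator-pass", ["operator"])
    ac.add_user("bob", "engineer-pass", ["engineer"])

    alice = ac.authenticate("alice", "operator-pass")
    bad = ac.authenticate("alice", "wrong-pass")
    ack = ac.perform(alice, "ack_alarm", "PLC-01")
    try:
        ac.perform(alice, "modify_logic", "PLC-01")   # outside the operator role
        alice_logic = "allowed"
    except PermissionError:
        alice_logic = "denied"

    bob = ac.authenticate("bob", "engineer-pass")
    bob_logic = ac.perform(bob, "modify_logic", "PLC-01")

    return {
        "alice_auth": alice is not None,
        "bad_auth_rejected": bad is None,
        "ack": ack,
        "alice_logic": alice_logic,
        "bob_logic": bob_logic,
        "log": ac.audit_log,
    }


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The audit log records denied attempts as well as successes; a failed logon or an operator trying an engineering function is exactly the kind of event a reviewer wants to see, and it is only attributable because each person has an individual account rather than a shared "operator" login.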