Vendor Admin Accounts Warning

Yesterday the DHS ICS-CERT issued a new alert about vendors establishing administrative-level accounts on new control systems software during the installation process. The alert notes that: The addition of an administrative account to an ICS network with the password known by a contract company increases the cybersecurity risk to the asset owner.” (pg 1) High-risk chemical facilities should also note that this gives an untold number of people at the vendor company unaccompanied access to a cyber system that might be a ‘critical asset’ at the facility. In addition to the risk of unauthorized access to the system, there is also the additional burden of insuring that adequate background checks have been conducted on these personnel. Rather obviously ICS-CERT recommends against this practice, but they do note that there might be legitimate reasons where this may be necessary. In those cases they recommend:

“Where it is not possible or practical to avoid creating an administrator account (some control system software versions may require this practice) the asset owner should work with the contractor or vendor service organization to reach agreement on how best to control the system’s cybersecurity risk profile. This should be formalized into a security level agreement that clearly defines the responsibilities of both parties and should be documented in the systems configuration management process.” (pg 2)

If a facility’s site security plan has already been approved, allowing this type of access to a critical asset may require approval from DHS-ISCD before it is implemented. DHS-ISCD should be contacted for advise on the particular facility situation.