Xage’s new IAM offering provides multilayer authentication for ICS/OT

Zero trust security provider Xage Security has added a multilayer identity and access management (IAM) solution to its decentralized access control platform Xage Fabric to secure assets in different layers of operational technology (OT) and industrial control systems (ICS) environments.

“Multilayer IAM is needed for a couple of reasons,” said Roman Arutyunov, co-founder, and senior vice president of products at Xage Security. “First is the fact that operators design systems for high availability and resiliency, leaving no single point of failure, and second that separate identities are used at each layer and site with different admins to ensure that compromise of credentials at IT doesn’t result in compromise of OT and furthermore, compromise of one site does not lead to compromise of all sites.”

Xage Fabric’s blockchain-based technology utilizes a distributed mesh architecture with nodes deployed at various levels or layers, which interact and interface with different services to orchestrate a multilayered access authentication system, Arutyunov explained.

“Threat vectors in ICS/OT environments are different, needing controls focused on machine-to-machine communications rather than a human-to-machine approach in IT systems,” said Jack Poller, an analyst at ESG Global. “Also, many ICS/OT systems have limited computational power, limited storage, and limited upgrade capabilities, making them unable to add/upgrade security controls directly on the devices. Instead, they need services like Xage Security to implement security as a set of external controls, acting as proxy security for the device.”

With this launch, Xage has also announced partnering with CISA under the Joint Cyber Defense Collaborative to advise on critical infrastructure protection.

Different IdPs and ADs for different layers

The idea with Xage’s multilayer IAM is to map multiple identity providers (IdPs) and active directory (AD) services onto different security zones or network layers of OT/ICS systems.

“The nodes in Xage Fabric may separately interface with various AD services at various levels, but they work together to apply a policy and orchestrate access using the appropriate AD at the appropriate level,” Arutyunov said. “Xage Fabric utilizes distributed consensus mechanisms and distributed threshold-base encryption based on Shamir Secret Sharing to tamperproof each node’s data and processes.”

Shamir’s Secret Sharing is a cryptographic algorithm used to protect secret information when it needs to be shared among multiple parties. In this algorithm, a secret is divided into a number of shares, where each share is distributed to a different participant. A threshold number of shares is required to reconstruct the original secret.

“With machine-to-machine communication, as is often the case with industrial control systems and operational technology (ICS/OT), we can’t use conventional multifactor authentication. Xage’s multilayer solution is an implementation of Zero Trust strategies, and Zero Trust is becoming the new paradigm for securing both IT and ICS/OT environments,” Poller said.

Xage multilayer IAM integrates with services like Microsoft’s Active Directory, Windows-based active directory federation services (ADFS), and all other IdPs that support access protocols such as LDAP or SAML 2.0.

Xage offers local and remote access

Xage’s IAM allows both local and remote users to see the assets and systems within an OT/ICS site or zone after they successfully authenticate against that site-level AD and pass the site-level MFA challenge.

“Each OT site (plant, mill, power generation facility, etc.) may have its own AD system to manage identities of users operating on that site. Users need access to assets (workstations, systems, PLCs, RTUs, etc) while onsite or remotely,” Arutyunov said.

To avoid complications in case of multiple sites and corresponding credentials, Xage enables administrators to create granular access policies, specifying which assets can be accessed by which specific users, at which location or level, and automatically authenticate with the right site-level AD and enforce access, Arutyunov added.

Local and remote users use passwordless, hardware-based, and biometric MFA mapped to different identity providers. Xage also allows local users to authenticate with the local level AD when the site loses network connectivity.

“An important layer of a multilayered or defense-in-depth strategy is securing remote access. The idea with Zero Trust Network Access is to shift from a network-centric (or perimeter-based) security — where anyone who has access to the network is automatically trusted and granted access to devices and services on the network — to zero trust, where clients must be continuously authenticated and authorized for every transaction,” Poller said.