The multilayer IAM maps services from a user’s multiple identity and Active Directory providers onto different network layers of ICS/OT systems.

Zero trust security provider Xage Security has added a multilayer identity and access management (IAM) solution to its decentralized access control platform, Xage Fabric, to secure assets in different layers of operational technology (OT) and industrial control systems (ICS) environments.

“Multilayer IAM is needed for a couple of reasons,” said Roman Arutyunov, co-founder and senior vice president of products at Xage Security. “First is the fact that operators design systems for high availability and resiliency, leaving no single point of failure, and second that separate identities are used at each layer and site with different admins to ensure that compromise of credentials at IT doesn’t result in compromise of OT and, furthermore, compromise of one site does not lead to compromise of all sites.”

Xage Fabric’s blockchain-based technology uses a distributed mesh architecture with nodes deployed at various levels or layers. The nodes interact and interface with different services to orchestrate a multilayered access authentication system, Arutyunov explained.

“Threat vectors in ICS/OT environments are different, needing controls focused on machine-to-machine communications rather than a human-to-machine approach in IT systems,” said Jack Poller, an analyst at ESG Global. “Also, many ICS/OT systems have limited computational power, limited storage, and limited upgrade capabilities, making them unable to add/upgrade security controls directly on the devices. Instead, they need services like Xage Security to implement security as a set of external controls, acting as proxy security for the device.”

With this launch, Xage has also announced a partnership with CISA under the Joint Cyber Defense Collaborative to advise on critical infrastructure protection.

Different IdPs and ADs for different layers

The idea behind Xage’s multilayer IAM is to map multiple identity providers (IdPs) and Active Directory (AD) services onto different security zones or network layers of OT/ICS systems. “The nodes in Xage Fabric may separately interface with various AD services at various levels, but they work together to apply a policy and orchestrate access using the appropriate AD at the appropriate level,” Arutyunov said. “Xage Fabric utilizes distributed consensus mechanisms and distributed threshold-based encryption based on Shamir Secret Sharing to tamperproof each node’s data and processes.”

Shamir’s Secret Sharing is a cryptographic algorithm used to protect secret information that must be shared among multiple parties. The secret is divided into a number of shares, each of which is distributed to a different participant, and a threshold number of shares is required to reconstruct the original secret.

“With machine-to-machine communication, as is often the case with industrial control systems and operational technology (ICS/OT), we can’t use conventional multifactor authentication. Xage’s multilayer solution is an implementation of Zero Trust strategies, and Zero Trust is becoming the new paradigm for securing both IT and ICS/OT environments,” Poller said.

Xage multilayer IAM integrates with services such as Microsoft’s Active Directory, Active Directory Federation Services (ADFS), and any other IdP that supports access protocols such as LDAP or SAML 2.0.

Xage offers local and remote access

Xage’s IAM allows both local and remote users to see the assets and systems within an OT/ICS site or zone after they successfully authenticate against that site-level AD and pass the site-level MFA challenge.

“Each OT site (plant, mill, power generation facility, etc.) may have its own AD system to manage identities of users operating on that site. Users need access to assets (workstations, systems, PLCs, RTUs, etc.) while onsite or remotely,” Arutyunov said. To avoid the complications of multiple sites and corresponding credentials, Xage lets administrators create granular access policies that specify which assets can be accessed by which users, at which location or level, and then automatically authenticates with the right site-level AD and enforces access, Arutyunov added.

Local and remote users authenticate with passwordless, hardware-based, and biometric MFA mapped to different identity providers. Xage also allows local users to authenticate with the local-level AD when the site loses network connectivity.

“An important layer of a multilayered or defense-in-depth strategy is securing remote access. The idea with Zero Trust Network Access is to shift from a network-centric (or perimeter-based) security — where anyone who has access to the network is automatically trusted and granted access to devices and services on the network — to zero trust, where clients must be continuously authenticated and authorized for every transaction,” Poller said.
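The Shamir Secret Sharing scheme described above, as an added Python example that is not Xage's code and says nothing about how Xage Fabric applies it: a secret is turned into n points on a random polynomial over a prime field, any k of them recover it by Lagrange interpolation, and fewer than k yield an unrelated value. The 127-bit prime and the 3-of-5 split are assumptions chosen for illustration.

```python
"""Shamir's Secret Sharing over a prime field: split and threshold reconstruction."""
import secrets

# Assumption: a 127-bit Mersenne prime field, large enough for a 16-byte secret.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients lowest-degree first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares, randbelow=secrets.randbelow):
    """Split an integer secret into n_shares (x, y) points on a random
    degree-(threshold-1) polynomial whose constant term is the secret."""
    if not 1 <= threshold <= n_shares < PRIME:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never handed out as a share: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct_secret(shares):
    """Recover f(0) by Lagrange interpolation over the supplied shares.
    With fewer than `threshold` shares the result is unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME        # product of (0 - xj)
                den = den * (xi - xj) % PRIME    # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    # Constructed sample: a 16-byte key split 3-of-5 across five nodes.
    key = secrets.token_bytes(16)
    shares = split_secret(int.from_bytes(key, "big"), threshold=3, n_shares=5)
    assert reconstruct_secret(shares[1:4]).to_bytes(16, "big") == key
    print("3-of-5 reconstruction OK; any two shares alone give an unrelated value")
```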