Jan 15, 2025

Why OT Security Must Include Non-Human Identities (NHIs)

What are Non-Human Identities? 

A non-human identity (NHI), also commonly called a machine identity, is an account or identity that operates without direct human oversight or intervention. NHIs can include automated systems, service accounts, and application programming interfaces (APIs), among other types of identities.  

Over the past decade, NHIs have become increasingly prevalent in industrial and operational technology (OT) environments, where they perform essential functions such as managing machinery, processing data, and facilitating communication between various systems. But even as they help keep operations running smoothly, NHIs can also pose a serious security and safety risk due to their potential to be exploited.  

Why Do NHIs Pose a Growing Risk to OT Security? 

Despite the explosion of NHIs in recent years, most security and access management tools still focus on human users. NHIs thus frequently lack the security measures that have become standard for securing human users, such as multi-factor authentication (MFA), least privilege access, and credentials management.  

Without these security best practices in place, NHIs can be compromised by malicious actors with relative ease. Attackers may gain unauthorized access to a sensitive environment via an NHI and then proceed to manipulate data or disrupt operations without immediate detection. NHIs can also be used to automate attacks, making them difficult to counteract before significant damage is done. 

How NHI Compromise Leads to Real-World Consequences 

To better understand the tangible threat posed by compromised NHIs, let’s briefly consider two examples. 

  1. Industrial Control System Manipulation: NHIs often have access to Industrial Control Systems (ICS), which oversee critical operations like power generation, water treatment, and key manufacturing processes. If an attacker compromises an NHI that controls an ICS, they could manipulate operational settings or cause physical damage to equipment. In the worst case, an attacker could even override safety protocols, leading to substantial harm to humans and the environment. 

  2. Data Integrity Breaches: NHIs are commonly responsible for collecting, storing, and processing sensitive operational data. An attacker who compromises such an identity could manipulate this data, leading to operational inefficiencies and inaccurate decision-making. For instance, a compromised NHI that manages inventory data might be used to falsely report stock levels, resulting in supply chain disruptions, shipping issues, and financial losses. 

The OWASP Non-Human Identities Top 10 

Underscoring the urgent need for organizations across industries to implement stronger security precautions around NHIs, the OWASP Foundation recently announced the OWASP Non-Human Identities Top 10. According to OWASP, “the NHI top 10 is a comprehensive list of the most pressing security risks and vulnerabilities that non-human identities present to organizations.” 

These security risks and vulnerabilities include: 

  1. Improper Offboarding 
  2. Secret Leakage 
  3. Vulnerable Third-Party NHI 
  4. Insecure Authentication 
  5. Overprivileged NHI 
  6. Insecure Cloud Deployment Configurations 
  7. Long-Lived Secrets 
  8. Environment Isolation 
  9. NHI Reuse 
  10. Human Use of NHI 
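To make the list above, and the earlier point that NHIs usually lack the credential hygiene applied to human accounts, concrete from a defender's side, here is an added example (not Cyolo's code and not part of the OWASP project) that audits a constructed inventory of service identities against five of the ten categories: Long-Lived Secrets, Improper Offboarding, Overprivileged NHI, NHI Reuse, and Human Use of NHI. The inventory fields, the 90-day and 60-day thresholds, the privileged scope names, and the sample identities are all assumptions chosen for illustration.

```python
"""Audit a constructed inventory of non-human identities (NHIs) against a
subset of the OWASP NHI Top 10 categories. Added example; the data model,
thresholds and sample records are assumptions, not values from the article."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy thresholds (not from the article or OWASP).
MAX_SECRET_AGE = timedelta(days=90)   # older credentials -> "Long-Lived Secrets"
MAX_IDLE = timedelta(days=60)         # unused this long -> offboarding candidate
# Assumed set of privileges a background service should rarely hold.
ADMIN_SCOPES: Set[str] = {"admin", "owner", "write:safety-config"}


@dataclass
class NHI:
    name: str
    secret_id: str                 # identifier of the credential, never the secret itself
    secret_created: date
    last_used: Optional[date]
    owner_active: bool             # is the responsible human still with the organization?
    scopes: Set[str] = field(default_factory=set)
    interactive_logins: int = 0    # sign-ins where a person used the NHI's credential


def audit(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Return {nhi_name: [matching OWASP NHI Top 10 category, ...]} for flagged NHIs."""
    # NHI Reuse: the same credential identifier registered to more than one identity.
    holders: Dict[str, List[str]] = {}
    for nhi in inventory:
        holders.setdefault(nhi.secret_id, []).append(nhi.name)
    shared_secrets = {sid for sid, names in holders.items() if len(names) > 1}

    findings: Dict[str, List[str]] = {}
    for nhi in inventory:
        hits: List[str] = []
        if today - nhi.secret_created > MAX_SECRET_AGE:
            hits.append("Long-Lived Secrets")
        # Owner gone, never used, or idle past the threshold: nobody is maintaining it.
        idle = nhi.last_used is None or today - nhi.last_used > MAX_IDLE
        if not nhi.owner_active or idle:
            hits.append("Improper Offboarding")
        if nhi.scopes & ADMIN_SCOPES:
            hits.append("Overprivileged NHI")
        if nhi.secret_id in shared_secrets:
            hits.append("NHI Reuse")
        if nhi.interactive_logins > 0:
            hits.append("Human Use of NHI")
        if hits:
            findings[nhi.name] = hits
    return findings


# Constructed reference date and inventory for the demonstration.
AUDIT_DATE = date(2025, 1, 15)
SAMPLE_INVENTORY = [
    NHI("historian-collector", "k-001", date(2024, 12, 1), date(2025, 1, 14), True,
        {"read:telemetry"}),
    NHI("plc-config-sync", "k-002", date(2023, 6, 1), date(2025, 1, 10), True,
        {"write:safety-config"}),
    NHI("legacy-report-bot", "k-003", date(2024, 11, 20), date(2024, 9, 1), False,
        {"read:inventory"}, interactive_logins=3),
    NHI("vendor-integration-a", "k-004", date(2024, 12, 20), date(2025, 1, 12), True,
        {"read:orders"}),
    NHI("vendor-integration-b", "k-004", date(2024, 12, 20), date(2025, 1, 12), True,
        {"read:orders"}),
]

if __name__ == "__main__":
    for name, categories in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {', '.join(categories)}")
```

The point of the design is that each finding maps to a category the list already names, so the output reads as a prioritized remediation queue rather than a raw dump: a flagged `Long-Lived Secrets` entry means rotate, an `Improper Offboarding` entry means confirm an owner or disable, and an `NHI Reuse` entry means issue each integration its own credential. Secret Leakage, Insecure Authentication, cloud configuration, and environment isolation are not covered here because they need telemetry from code repositories, authentication logs, and deployment manifests rather than an identity inventory.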

How Cyolo Helps Secure NHIs and Supports the OWASP NHI Top 10 

Whereas legacy secure remote access (SRA) tools focus on human users, the Cyolo PRO (Privileged Remote Operations) solution is built to connect identities to applications (assets or resources). This means Cyolo PRO is uniquely suited to ensure secure access for human and non-human identities alike.  

In addition, key features and capabilities of Cyolo PRO align directly with the OWASP NHI Top 10. These include granular access, connectivity, and oversight controls; support for third-party access scenarios; protection of keys, tokens, and other sensitive NHIs with an in-solution credentials vault; and the enforcement of least privilege access to prevent the over-privileging of any identity.  

The team at Cyolo recognizes that non-human identities and machine-to-machine connections will only become more common in the years ahead and is working tirelessly to help industrial organizations mitigate the risks posed by NHIs. 

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
