November Monthly SCADA Security Check-Up: Account and Authorization Review

When doing assessments we almost always find unnecessary accounts and permissions in the SCADA application. Employees have retired or been reassigned but their accounts remain. Consultants, always a problem, needed access for two weeks but their accounts remain. Make sure everyone who has an account still needs that account.

The next step is to ensure each account is placed in the right role, assuming you have implemented role-based access control like most asset owners. If you implement areas of responsibility (AOR), make sure each user only has rights to the appropriate area.

The most egregious finding is when a large number of users are given admin privileges. Sometimes it is easier to just make someone an admin when they can't perform a needed function, but this definitely is not least privilege or best practice. It is more likely a sign that the authorizations and roles have not been defined appropriately.

Managers should review the accounts and permissions at least once a year and log their review. This is true of any access control list. Another area where we find widespread unnecessary access is the physical access list for the Control Center.

So schedule an annual review of your users and their authorizations. If it has been more than a year, I think you will be surprised at what you find.
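As an added illustration (not part of the original post, and not a Digital Bond tool), the script below runs the checks described above over a constructed account export: holders who have left but whose accounts remain, consultant access past its end date, rights outside the assigned AOR, dormant logins, and more admin accounts than the stated limit. The field names, the 90-day idle threshold and the admin limit of two are assumptions for the example.

```python
from datetime import date

# Constructed sample export of SCADA application accounts; these are not real users.
# aor_assigned: areas the person is responsible for; aor_granted: areas the account can act on.
ACCOUNTS = [
    {"user": "jsmith", "status": "active", "kind": "employee", "role": "operator",
     "aor_assigned": {"north"}, "aor_granted": {"north"}, "last_login": "2023-11-14", "expires": None},
    {"user": "rjones", "status": "retired", "kind": "employee", "role": "operator",
     "aor_assigned": {"south"}, "aor_granted": {"south"}, "last_login": "2023-03-02", "expires": None},
    {"user": "acme_consult", "status": "active", "kind": "consultant", "role": "engineer",
     "aor_assigned": {"north"}, "aor_granted": {"north"}, "last_login": "2023-06-28", "expires": "2023-06-30"},
    {"user": "mlee", "status": "active", "kind": "employee", "role": "admin",
     "aor_assigned": {"north"}, "aor_granted": {"north", "south"}, "last_login": "2023-11-10", "expires": None},
    {"user": "pkhan", "status": "active", "kind": "employee", "role": "admin",
     "aor_assigned": {"south"}, "aor_granted": {"south"}, "last_login": "2023-11-12", "expires": None},
    {"user": "tgarcia", "status": "active", "kind": "employee", "role": "admin",
     "aor_assigned": {"north"}, "aor_granted": {"north"}, "last_login": "2023-11-13", "expires": None},
]


def review_accounts(accounts, today_iso, max_admins=2, stale_days=90):
    """Return (user, code, detail) findings: holder gone, temporary access expired,
    rights outside the assigned AOR, dormant login, and too many admin accounts."""
    today = date.fromisoformat(today_iso)
    findings, admins = [], []
    for acct in accounts:
        user = acct["user"]
        if acct["status"] != "active":
            findings.append((user, "HOLDER_GONE", f"holder is {acct['status']} but account remains"))
        if acct["expires"] and date.fromisoformat(acct["expires"]) < today:
            findings.append((user, "ACCESS_EXPIRED", f"{acct['kind']} access ended {acct['expires']}"))
        extra = acct["aor_granted"] - acct["aor_assigned"]
        if extra:
            findings.append((user, "AOR_EXCESS", "rights outside assigned AOR: " + ", ".join(sorted(extra))))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append((user, "STALE_LOGIN", f"no login for {idle} days"))
        if acct["role"] == "admin":
            admins.append(user)
    if len(admins) > max_admins:  # least privilege: admin should be the exception, not the default
        findings.append(("*", "TOO_MANY_ADMINS", f"{len(admins)} admins (limit {max_admins}): " + ", ".join(admins)))
    return findings


def review_record(findings, reviewer, today_iso):
    """Build the log entry a manager keeps as evidence that the annual review was done."""
    return {"reviewer": reviewer, "date": today_iso, "finding_count": len(findings),
            "accounts_flagged": sorted({u for u, _, _ in findings if u != "*"})}


if __name__ == "__main__":
    for user, code, detail in review_accounts(ACCOUNTS, "2023-11-15"):
        print(f"{user:14} {code:16} {detail}")
```

The same checks apply to any access list, including the Control Center physical access list, by substituting the badge system's export for the SCADA account export.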