Critical infrastructure, which was historically isolated and disconnected from other networks, is becoming increasingly interconnected due to the ubiquity of the Internet and the growth of the cloud and the Industrial Internet of Things (IIoT), putting it squarely in the crosshairs of cybercriminals. These systems are targets for everything from financial gain to cyber espionage to operational disruption.
The continuing convergence of IT and operational technology (OT) is adding pressure to modernize cyber protection for a critical infrastructure (CI) security environment that is widely regarded as a decade or more out of date. In June, U.S. Homeland Security Secretary Alejandro Mayorkas outlined priorities for critical infrastructure support and resiliency, writing in a memo that “the increasing interconnectedness of critical infrastructure systems and reliance on global technologies and supply chains makes these systems vulnerable to a myriad of threats.”
This week, the Cloud Security Alliance (CSA) released a report detailing a roadmap for implementing Zero Trust concepts in OT and industrial control systems (ICS) environments, which come with a host of challenges: legacy systems and protocols, closed systems that are difficult to control, and complex networks that are hard to upgrade or patch. The steps outlined in the report aim to overcome those challenges and put Zero Trust into practice.
Zero Trust is a security model in which, by default, no user or application attempting to access the network is trusted. Each must be verified first.
“In an environment where security is both critical and clearly challenging, Zero Trust is not just a security upgrade but a necessity,” Joshua Woodruff, lead author of the paper and a member of CSA's Zero Trust working group, said in a statement. “By identifying practical strategies and specific methodologies designed to implement a Zero Trust strategy in CI environments, we help ensure resilience and security amid the rapidly evolving digital technology and threat landscape.”
Critical infrastructure under attack
Protecting critical infrastructure has been a key part of the Biden administration's cybersecurity efforts over the past three years. The government lists 16 critical infrastructure sectors, including energy, water, IT, health care, and financial services, and the growing threats from nation-state adversaries such as China, Russia, and Iran have sharply highlighted the issue.
In April, the White House issued a national security memorandum addressing critical infrastructure security, noting the emergence of an interconnected, interdependent economy that includes such organizations. It also spoke of “an era of strategic competition with nation-state actors targeting America's critical infrastructure and tolerating or enabling malign actions by non-state actors. Adversaries target our critical infrastructure using both legitimate and illegitimate means.”
For example, a number of US federal agencies, together with their counterparts from other countries, issued an advisory earlier this year on the need to defend OT systems and devices in the US and Europe against pro-Russian threat groups. There have also been reports of government-linked actors from China and Iran targeting critical infrastructure in the United States, including municipal water systems.
In the CSA's 64-page “Zero Trust Guidelines for Critical Infrastructure,” the report's authors write that historically isolated OT networks are becoming increasingly rare, with modern systems linked together through embedded wireless systems, the cloud and software-as-a-service (SaaS) applications.
“Even legacy systems interface with maintenance laptops or removable media for backup, maintenance upgrades, patches, or data transfer,” they wrote. “This shift from air-gapped systems to fully integrated networks, and the risks associated with it, must be taken into account when establishing and implementing security controls.”
Crawl, walk, run
CSA advocates a five-step “crawl, walk, run” strategy for implementing Zero Trust principles in OT and ICS environments, noting the serious consequences of downtime and the fact that organizations cannot wait for the perfect time to launch such a project. It builds on the implementation steps outlined in the National Security Telecommunications Advisory Committee's (NSTAC) Zero Trust report to President Biden, which the authors of the CSA report wrote “provides an excellent background and overview and compares and contrasts various ZT references and approaches.”
The first step involves identifying the protect surface through an enterprise-wide inventory of business and operational assets, which helps prioritize implementation based on risk. The following four steps are then applied to each protect surface in turn, starting with mapping transaction flows: using discovery tools and techniques to establish which systems talk to the protected assets, over which protocols, and why, and documenting the results.
Next comes building the Zero Trust architecture, which means planning and designing where Zero Trust policies can be enforced in the architecture, and then creating those policies.
“Adjusting access permissions and regularly reviewing access rights ensures that users can only access critical assets and functionality required for their tasks,” the authors wrote. “Using the principle of least privilege, access is limited to the minimum required for specific tasks. This approach effectively reduces potential attack vectors and unauthorized access.”
Once the architecture and policies are in place, the final step is to ensure continuous monitoring and real-time analysis of network traffic, user behavior and device activity to quickly detect and respond to threats, the authors wrote.
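To make the five steps concrete, the following Python sketch is an added example and not code from the CSA report: it treats one PLC as the protect surface, records the mapped transaction flows as an inventory of identities and roles, expresses the least-privilege policy as an allowlist of Modbus function codes per role with everything else denied, and then runs that policy over constructed flow-log lines as the monitoring step. Asset names, IP addresses, roles and the log format are hypothetical.

```python
"""Deny-by-default Zero Trust policy check for one OT protect surface (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Step 1: the protect surface, here a single PLC controlling a pump (hypothetical name).
PROTECTED_SURFACE = "plc-pump-01"

# Step 2: mapped transaction flows, recorded as an inventory of the identities that
# legitimately talk to the PLC, the address each is expected from, and its role.
# Constructed sample data.
INVENTORY = {
    "hmi-01": {"ip": "10.10.1.20", "role": "operator_hmi"},
    "eng-ws-01": {"ip": "10.10.2.5", "role": "engineering"},
    "hist-01": {"ip": "10.10.3.8", "role": "historian"},
}


# Steps 3 and 4: the policy enforced in front of the PLC. Each rule grants one role the
# least-privilege set of Modbus function codes it needs; anything unmatched is denied.
@dataclass(frozen=True)
class Rule:
    role: str
    protocol: str
    functions: frozenset  # permitted Modbus function codes


POLICY = (
    # Operators read coils/registers and write single coils/registers from the HMI.
    Rule("operator_hmi", "modbus", frozenset({1, 2, 3, 4, 5, 6})),
    # The historian is strictly read-only.
    Rule("historian", "modbus", frozenset({3, 4})),
    # Engineering may also write multiple registers (fc 16) for configuration changes.
    Rule("engineering", "modbus", frozenset({3, 4, 6, 16})),
)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_id: Optional[str]  # identity asserted by the source (e.g. mTLS client cert); None if absent
    dst: str
    protocol: str
    function: int


def evaluate(flow: Flow, inventory=INVENTORY, policy=POLICY) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason). Every path that is not an explicit match denies."""
    if flow.dst != PROTECTED_SURFACE:
        return "deny", f"destination {flow.dst} is not in this protect surface"
    if flow.src_id is None:
        return "deny", "unauthenticated source"
    asset = inventory.get(flow.src_id)
    if asset is None:
        return "deny", f"unknown identity {flow.src_id}"
    if asset["ip"] != flow.src_ip:
        # Identity and network location must agree: a valid identity from the wrong
        # address is treated as a stolen credential, not as a trusted peer.
        return "deny", f"identity {flow.src_id} asserted from unexpected address {flow.src_ip}"
    for rule in policy:
        if rule.role == asset["role"] and rule.protocol == flow.protocol and flow.function in rule.functions:
            return "allow", f"{asset['role']} permitted {flow.protocol} fc={flow.function}"
    return "deny", f"{asset['role']} has no rule for {flow.protocol} fc={flow.function}"


def parse_log(line: str) -> Flow:
    """Parse a key=value flow record (hypothetical format); id=- marks an unauthenticated source."""
    kv = dict(part.split("=", 1) for part in line.split())
    src_id = None if kv.get("id", "-") == "-" else kv["id"]
    return Flow(kv["src"], src_id, kv["dst"], kv["proto"], int(kv["fc"]))


# Step 5: constructed flow records standing in for a live feed from the enforcement point.
SAMPLE_LOG = [
    "src=10.10.1.20 id=hmi-01 dst=plc-pump-01 proto=modbus fc=3",     # HMI reads registers: allow
    "src=10.10.3.8 id=hist-01 dst=plc-pump-01 proto=modbus fc=16",    # historian attempts a write: deny
    "src=10.10.9.9 id=- dst=plc-pump-01 proto=modbus fc=6",           # unauthenticated write: deny
    "src=10.10.9.9 id=eng-ws-01 dst=plc-pump-01 proto=modbus fc=16",  # engineering identity, wrong host: deny
    "src=10.10.2.5 id=eng-ws-01 dst=plc-pump-01 proto=modbus fc=16",  # engineering write from its own host: allow
]


def monitor(lines: List[str]) -> List[Tuple[str, str]]:
    """Evaluate each record against the policy and return the denied ones with reasons."""
    denied = []
    for line in lines:
        decision, reason = evaluate(parse_log(line))
        if decision == "deny":
            denied.append((line, reason))
    return denied


if __name__ == "__main__":
    for line, reason in monitor(SAMPLE_LOG):
        print("DENY", reason, "<-", line)
```

The point of the example is the shape of the decision, not the Modbus details: a flow is allowed only when identity, expected location, role and requested function all match a written rule, and the monitoring step is the same policy evaluated continuously against observed traffic rather than a separate detection product.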
Growing momentum
Others are also calling for Zero Trust in critical infrastructure. In a blog post in June, Aria Cybersecurity Solutions said current network-based security protections provide only a security baseline, while next-generation antivirus tools do not always prevent the increasingly sophisticated attacks launched by nation-state threat groups.
“While most current critical infrastructure cybersecurity defenses rely on solutions from the past decade, this Zero Trust approach is designed to create a more general approach to stopping the latest attacks without waiting for software updates from cyber vendors in an attempt to stop these attacks,” the company wrote. “Little chance of success.”