Domestic critical infrastructure is arguably now more at risk than at any point in living memory, and certainly in a peacetime context. The highly digitized and connected nature of today’s healthcare, public sector, building and industrial systems have placed them firmly in the sights of cybercriminals and malign foreign powers.
The current and ubiquitous public health crisis has only added to the issues facing those charged with protecting services and data. If that wasn’t enough, concerns about interference in the election process have created a siege mentality, reinforced by regular evidence that attacks and breaches are rapidly increasing.
There can be no doubt that protecting critical infrastructure is vital, given that 70% of breaches in 2019 were perpetrated by external actors, according to the Verizon 2020 DBI Report. The majority (64%) are financially motivated, with espionage accounting for 5% of breaches.
The cybersecurity challenges facing critical infrastructure vary by sector, and part of the problem is that there is no ‘catch-all’ remedy. In the energy and water utilities sectors, for example, their IoT and OT networks are critical to both the delivery of vital public services and to cash flow. If critical infrastructure experiences an outage, there is a measurable negative impact on the organization and customers alike.
In the financial services sector, institutions have become high-value targets of cyber-attacks, and must deal with a range of issues, including securing remote users, managing network access and addressing compliance requirements from regulators. Healthcare organizations, by contrast, are focused on patient privacy and data access on open networks, security and privacy for medical devices and systems, and the security of micro-segmentation for healthcare workers, vendors, contractors, and third-parties.
If that wasn’t enough, during the COVID-19 period, cybercrime has quadrupled, according to the FBI, while the World Health Organization, for example, reported a fivefold increase “in the number of cyberattacks directed at its staff and email scams targeting the public at large.”
The FBI has also highlighted the risks healthcare organizations working to create COVID-19 vaccines and treatments currently face. As a bulletin released in May explained, “Criminal and nation-state cyber actors since February 2020 have been increasingly targeting US pharmaceutical, medical, and biological research facilities to acquire or manipulate sensitive information, to include COVID-19 vaccine and treatment research amid the evolving global pandemic.”
As a consequence of the pandemic, there have also been multiple attacks on electricity grids, water systems and energy organizations, election locations, and newly distributed enterprises.
Leaving the Legacy - the Shift to Zero Trust
To an extent, the rise in cybercrime in these areas is a consequence of the rapid pace of IT innovation, and the widening network perimeters that require protection. The development of critical and physical infrastructure has created attack vectors that didn’t exist when many of today’s most popular security solutions were being designed. The result is rapidly rising cost and complexity, with a measurable decline in protection. The original inventors of the networking technologies that became the internet never imagined the billions of devices we use today. They introduced something that turned out to be a huge, critical assumption: IP addresses could safely be used as both location and identity. Every device gets an IP address, that address is used as its identity and can be found. If it can be found, it can be hacked. Moreover, every device hacked can be used to hack other devices.
As organizations across the public and private sectors pursue digital transformation strategies to improve efficiency, service and financial performance, legacy security technologies are rapidly becoming obsolete. The sudden and widespread shift to remote working environments, for example, has laid bare the limitations of some dominant security solutions.
Traditional VPNs are an important example. Complex and difficult to deploy, most are unable to scale to the current demand. In addition, as organizations increasingly make some changes to working culture permanent, they will require a long-term solution to the security needs of their complex cloud, multi-cloud, virtual, physical, and edge environments.
This explains the increasing reliance organizations place on ‘zero-trust’ security strategies. These are defined by the National Institute of Standards and Technology (NIST) as a “set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
The zero-trust model means that only necessary actions and connections are specifically enabled in a workload or application and everything else is blocked. It reduces the network attack surface by limiting east-west communication through the application of very granular security controls. These include multi-factor authentication (MFA), micro-segmentation and end-to-end encryption, creating a solution that is impervious to lateral movement.
By establishing a software-defined perimeter, regardless of whether it involves a virtual machine (VM), container, or function, zero trust extends secure connectivity to distributed environments and varied use cases that are now a feature of many IT strategies.
Critical infrastructure and distributed organizations sit on the front line of the cybersecurity ecosystem. Protecting them must represent a line in the sand in the fight against malicious activity - failure to do so will have widespread and long-term consequences for large sections of society.