Rapid technological change, accelerated by the pandemic and now ingrained in our daily lives, has made critical infrastructure increasingly dependent on connected devices: smart meters, sensors, industrial controllers, and other "smart" products. As utilities, governments, and other critical infrastructure operators embrace the efficiencies of an expanded IoT and add ever more connected devices to their networks, they also expand the attack surface available to malicious actors. This creates risk, and recent incidents at SolarWinds, the Oldsmar, Florida water treatment plant, and SITA have shown that attackers are only growing bolder and more sophisticated in their attempts to intrude on and manipulate critical infrastructure.
Critical infrastructure operators must balance the value of a growing network of connected devices against the threats those devices invite. Managing that risk requires an understanding of the specific kinds of threats involved, and of how to counter them.
The Nature of Critical Infrastructure Threats
One class of attack increasingly used against critical infrastructure is the Advanced Persistent Threat (APT). The term describes a well-resourced adversary, often state-sponsored, that gains unauthorized access and then works to keep it quietly for months or years. The persistence is deliberate: the intruder installs mechanisms that survive reboots, such as modified firmware, boot code, or scheduled tasks, so a simple restart will not necessarily rid a device of the compromise. That staying power lets the attacker observe, prepare, and cause more damage over a longer period.
This is what happened in the SolarWinds breach. The attackers compromised the vendor's build process and inserted a backdoor into the Orion product, so that every customer who installed the trojanized, legitimately signed update gave them a foothold on that installation. Traditional indicator-of-compromise (IOC) sweeps missed the intrusion because there was little to sweep for: the backdoor stayed dormant for roughly two weeks after installation, checked for security tooling before acting, and disguised its command-and-control traffic as ordinary Orion protocol traffic, using infrastructure that differed per victim.
To avoid being the next SolarWinds, critical infrastructure operators will need to move from a perimeter model, which trusts anything already inside the network, to a "Zero Trust" model that requires every change to be authenticated and authorized, whether it originates internally, externally, or somewhere in the supply chain. Since APT attempts are not going to stop coming, the objective is less about preventing every intrusion attempt and more about detecting it, preventing it from doing damage, and collecting forensic data for later analysis. This begins at the device level, because device integrity is crucial to critical infrastructure yet difficult to ensure. That is especially true for battery-operated devices with limited energy, processing power, and memory, which cannot afford heavyweight security agents or expensive cryptography.
Cybersecurity Measures Stakeholders Need to Take
Security is needed at all three levels of a connected system, the device, the network, and the overall system, but for an attacker targeting enterprise infrastructure, a single point of entry is sometimes all it takes. As the IoT expands and critical infrastructure operators add more and more connected devices to their networks, those devices are exposed to both internal and external threats, some of which the operator's existing protections may not address at all. The threat can enter along the supply chain, or it can come from inside the network itself.
As the network grows, operators must ensure that each device they roll out resists compromise throughout its lifecycle, from installation and commissioning through maintenance and upgrade. The only way to make that assurance is device-level security built into connected edge devices such as smart meters. One approach is a hardware-rooted gatekeeper embedded in the device, for example a secure element that holds the device's key and a monotonic version counter. Such a gatekeeper provides passive protection against outsider, insider, and supply chain APT threats: it rejects any firmware or configuration change that has not been authenticated by a trusted server, and it also enables secure remote updating, including refusing downgrades to older, vulnerable images. That in turn denies the attacker persistence, the permanent hold within the device that would let them manipulate it or seize control from its owner.
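The gatekeeper logic described above, written out as an added example (this is illustrative code, not the article's or any vendor's product). It assumes a per-device secret shared with the trusted server and an HMAC over a signed manifest, a deliberate choice for battery- and CPU-constrained devices, where a symmetric MAC is far cheaper than public-key signature verification; the device ID, manifest layout, and demo key are constructed for the example. The device accepts a change only if the MAC verifies, the manifest is bound to this device, the version is newer than the one installed (anti-rollback), and the payload hash matches; every rejection is recorded so the operator has forensic data to analyze.

```python
"""Device-side update gatekeeper (added example, not from the article).
Assumptions: a per-device secret provisioned at manufacture and held in a
secure element (here just a bytes value), and a monotonic version counter
kept in tamper-resistant storage (here an attribute)."""
import hashlib
import hmac
import json

DIGEST = "sha256"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so server and device MAC exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def server_sign(key: bytes, device_id: str, version: int, payload: bytes) -> dict:
    """Trusted-server side: bind device, version and payload hash under one MAC."""
    manifest = {
        "device_id": device_id,
        "version": version,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    mac = hmac.new(key, canonical(manifest), DIGEST).hexdigest()
    return {"manifest": manifest, "mac": mac}


class Gatekeeper:
    """Device side: rejects every change not authenticated by the trusted server."""

    def __init__(self, device_id: str, key: bytes, version: int = 0):
        self.device_id = device_id
        self._key = key          # stands in for a secret inside a secure element
        self.version = version   # stands in for a monotonic hardware counter
        self.firmware = b""
        self.audit = []          # forensic record of rejected attempts

    def _reject(self, reason: str, signed: dict) -> bool:
        self.audit.append({"reason": reason, "manifest": signed.get("manifest")})
        return False

    def apply(self, signed: dict, payload: bytes) -> bool:
        manifest = signed.get("manifest", {})
        # 1. MAC first: nothing in an unauthenticated manifest may be trusted.
        expected = hmac.new(self._key, canonical(manifest), DIGEST).hexdigest()
        if not hmac.compare_digest(expected, str(signed.get("mac", ""))):
            return self._reject("bad_mac", signed)
        # 2. Bound to this device: a valid update for meter A must not install on B.
        if manifest.get("device_id") != self.device_id:
            return self._reject("wrong_device", signed)
        # 3. Anti-rollback: replaying an older (vulnerable) signed image is refused.
        ver = manifest.get("version")
        if not isinstance(ver, int) or isinstance(ver, bool) or ver <= self.version:
            return self._reject("rollback", signed)
        # 4. The payload must match the hash the server committed to.
        actual = hashlib.sha256(payload).hexdigest()
        if not hmac.compare_digest(actual, str(manifest.get("payload_sha256", ""))):
            return self._reject("payload_mismatch", signed)
        # All checks passed: apply and advance the counter.
        self.firmware = payload
        self.version = ver
        return True


def demo() -> dict:
    """Run one valid update and four attacks against a constructed device."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed demo key
    dev = Gatekeeper("meter-0042", key, version=3)
    good = b"firmware v4 (constructed payload)"
    results = {
        "valid": dev.apply(server_sign(key, "meter-0042", 4, good), good),
        # supply-chain tampering: server-signed manifest, altered image
        "tampered_payload": dev.apply(server_sign(key, "meter-0042", 5, good), good + b"\x00"),
        # replay of an older signed image
        "replay_old": dev.apply(server_sign(key, "meter-0042", 2, good), good),
        # genuine update meant for a different meter
        "other_device": dev.apply(server_sign(key, "meter-0043", 6, good), good),
        # insider or outsider without the device key
        "forged_mac": dev.apply(server_sign(b"attacker-key", "meter-0042", 6, good), good),
    }
    results["version_after"] = dev.version
    results["rejections"] = [e["reason"] for e in dev.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

The trade-off of the symmetric design is that the server must protect one secret per device; compromise of that secret affects only that device, but the server-side key store becomes a high-value target. Where the device has the budget for it, the same structure works with a public key burned into the device and a signature in place of the MAC, which removes the per-device secret from the server entirely. Either way, the rejection log is the forensic data the Zero Trust approach calls for: shipped to a central collector, a burst of `bad_mac` or `rollback` entries across many meters is exactly the kind of pattern an IOC sweep would never surface.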
Improving critical infrastructure security is an ongoing process of recognizing and addressing potential weaknesses. An approach that falls short of Zero Trust ignores the possibility of insider threats, and security that lacks device-level protection leaves the devices themselves exposed. In other words, to improve security, trust no one and protect everything.
Who Needs to Adopt these Solutions?
Deploying a "Zero Trust" approach by building device-level protection into each connected device on a critical infrastructure network is a smart next step in defending against malicious manipulation, whether you are a utility, an industrial manufacturer, or a municipality. However, as the Oldsmar, Fla. water treatment plant incident showed, the critical infrastructure systems of smaller cities are particularly easy targets, because local governments are often overworked and understaffed.
These departments are often overlooked because there are few positive indicators of success: the absence or prevention of a cyberattack will never lead the nightly news, so lawmakers can be reluctant to increase cybersecurity funding when they believe what they currently have works fine. The problem is that cybersecurity is an arms race; if you are standing still, you are losing ground. Small cities must take a long look at their systems to see what protections are actually in place. Do they know every third-party vendor they partner with, and what access each one has? Do they know their own security procedures? Assessing critical infrastructure to find and fix weak points is a task every operator should be performing continuously, because if they are not doing it, attackers certainly will.