The ransomware attack on the Colonial Pipeline in May 2021 illuminated the vulnerability of critical infrastructure to potential threats. Since then, security leaders have seen myriad other high-profile critical infrastructure attacks, and expect more to come.
Compared to the broader spectrum of threats, attacks on critical infrastructure remain relatively recent. For example, phishing and ransomware have been around for more than two decades. But, until about seven years ago, organizations never had to worry about bad actors gaining access to critical infrastructure, because the operational technology (OT) driving these environments was historically air gapped — meaning it wasn’t connected to the internet. So, even if a bad actor successfully infiltrated an IT network, they couldn’t move over to the OT environment.
This all changed with Covid-19. Digital transformation was sped up in a way in which there’s no turning back. OT is increasingly converging with the internet and IT environments. Operators want access outside the facility, and they know they can get it. However, companies need to start paying attention to critical infrastructure security — because failure to do so can result in widescale damage and disruption and even put people’s lives at risk.
A blueprint for critical infrastructure security
The cybersecurity industry needs to continue generating awareness around the importance of cybersecurity and resilience in the face of critical infrastructure threats. And security leaders need to continue helping organizations put a blueprint in place to defend against these attacks — especially because critical infrastructure security is still in its nascent stages, with minimal history and precedence, and many organizations don’t know where to begin.
Following are the best practices to keep businesses resilient, people safe and the global economy working.
Assess the environment
Security leaders can’t secure what they don’t know about, so the first step in a sound critical infrastructure security strategy is conducting an infrastructure assessment. Identify all assets, determine which have the most business impact and then prioritize protection efforts accordingly. With visibility into an environment, security leaders can move from a reactive to a proactive security strategy, because all involved will know what assets to protect, how and when.
Apply identity controls
Once security leaders identify their assets, they then need to know who has access to them. Failure to prioritize identity security can result in shared group accounts, lack of identity authentication and employees possessing more access than they need — all of which introduce security gaps in an environment. To mitigate identity risks, implement baseline identity and access management protocols, such as access controls, multi-factor authentication, privileged access management and least privileged access.
Implement 24x7 security monitoring
Protecting assets and ensuring authorized access requires an ongoing effort, rather than a "set it and forget it" approach. This means monitoring environments around the clock to quickly identify potential threats and suspicious access. When it comes to cyberattacks, the quicker someone can detect a threat, the faster they can mitigate it and the less damage bad actors can do.
Keeping an entire ecosystem on a single network can significantly escalate risk, because if a bad actor infiltrates one area, they have the ability to move laterally, giving them unfettered access to an entire environment. Segmentation, which entails dividing a network into smaller sub-networks to deliver unique security controls and services individually, is the best way to reduce the attack surface and isolate successful attacks, so one intrusion can’t take down multiple systems, processes or sites.
Vulnerabilities in software and devices remain a major cause of data breaches and successful attacks. Patches help organizations close security gaps, fix bugs and keep their systems up to date. The hard truth is, though, most organizations don’t have the fundamental OT security controls in place to undertake a fully-baked patching program across a decade, let alone in a calendar year. Having those controls in place is a necessity to protect essential systems while working patches in…slowly. Patching needs to be finely targeted and based on a comprehensive risk score consisting of compensating controls and unit criticalities. This is absolutely a task to prioritize and take on (after segmentation, of course), but applying an overly optimistic strategy of “patching everything, everywhere, all at once” can serve as, at best, a distraction that does not significantly reduce the attack surface nor close the door to cybercriminals.
Create a robust employee awareness and training program
Employees are the first line of defense against critical infrastructure attacks, so they need to be kept informed of the latest threats and best practices to defend against them. It’s also important to make sure employees know who they need to contact if they do identify a potential threat and how to respond. Because the threat landscape and business needs change so rapidly, it’s important to schedule training sessions frequently throughout the year. Offering short, engaging monthly sessions can be far more effective than long, PowerPoint-driven presentations once or twice a year.
Once security leaders master the security basics, they can start adding in more advanced security strategies, such as penetration testing and red team exercises to identify infrastructure weak spots and holding third-party suppliers and vendors to the same security standards as an organization.
Whether it’s a water system, power grid, pharmaceutical production or oil reserve, critical infrastructure is now a bargaining chip for cybercriminals. It’s time security leaders fight back to keep their businesses, people and country safe.