Developing a Critical Infrastructure Cybersecurity Strategy
Takeaways include the following:
- Critical infrastructure protection is a long-standing priority, but many organizations lag in their response to cyberthreats.
- COVID-19 has broadened the definition of critical infrastructure while also providing a reminder for enterprise companies to question which systems are essential to operations. This article builds on the advice in chapter one of this series in “Addressing IoT Security Challenges From the Cloud to the Edge.”
- Organizations managing critical infrastructure should develop a proactive cybersecurity posture, but coronavirus-led disruptions heighten the challenge.
By now, the need for comprehensive cybersecurity for critical infrastructure is clear. Public accounts of malicious actors targeting the electrical grid, dams, voting systems and other federally designated critical infrastructure are widespread. Yet the majority of organizations that provide essential services have taken only incremental steps to address cyber risk. “Many [operational technology] organizations have pretty nascent cybersecurity programs,” said Sean Peasley, a partner at Deloitte.
The term “critical infrastructure” initially referred to public works such as transportation infrastructure and public utilities, but since the 1990s the definition has steadily expanded. Sectors under the rubric now include, among others, health care, energy and utilities, and various manufacturers. “And practically speaking, we’re finding out in the era of COVID, that critical infrastructure is even broader than we thought,” said Kieran Norton, a principal at Deloitte. Makers of personal protective equipment, for instance, play a role in mitigating the crisis. “We’ve also learned that supply chain disruption during a pandemic, for instance, could potentially be catastrophic,” Norton said. Not surprisingly, logistics firms have cemented their role as essential, and the U.S. government has declared the pulp and paper and meat-packing industries essential as well. So the line between critical infrastructure security and operational technology (OT) security continues to blur. Whatever the label, few of the industries in this domain have reached a high degree of cyber-effectiveness, according to research on industrial security from the Ponemon Institute underwritten by TÜV Rheinland.
Critical infrastructure entities may have decades of experience with conventional risk management and safety initiatives, but for many, cybersecurity is a relatively new priority. And broadly speaking, organizations managing critical infrastructure tend to be slow moving. “My general experience is that OT security is about 10 to 15 years behind the IT security space,” said Andrew Howard, CEO of Kudelski Security.
Meanwhile, the threat landscape for critical infrastructure organizations continues to grow more precarious. The number of attackers targeting such infrastructure is surging, as is the number of connected devices in many critical infrastructure environments. According to the X-Force Threat Intelligence Index 2020 from IBM, the volume of attacks on industrial control systems in 2019 was higher than the previous three years combined.
Such attacks have made headlines in 2020. Ransomware attackers successfully targeted Honda, Taiwan’s energy utility and a U.S. natural gas facility. Israel’s water supply was reportedly attacked. The Japanese telecommunications firm NTT has had its internal network breached.
Assess Risk Continually
If you can’t measure something, you can’t improve it. That adage applies doubly to critical infrastructure cybersecurity, where risk and risk reduction can be hard to quantify. Many organizations struggle to keep an accurate asset inventory, given the diversity and complexity of their environments. Meanwhile, experts specializing in OT cybersecurity are in short supply. Compounding the problem is the complicated nature of third-party risk management, including assessing potential vulnerabilities introduced via procured hardware, software or contractors.
While risk assessment should be a continual process, critical infrastructure organizations should begin with periodic in-depth risk assessments designed to quantify threats, vulnerabilities and potential consequences of cyberattacks and other causes of operational disruption. Potential vulnerabilities include shared passwords, unpatched systems, software and hardware of unknown provenance and overly permissive firewalls.
But such security assessments can be tricky to perform. There is an array of device types to track, ranging from pumps and valves to legacy controllers and myriad computing devices. Additionally, understanding the ramifications of an industrial system breach requires in-depth operational knowledge. In an environment with scores of different systems, the problem is compounded.
Traditional network scanning techniques require care: active network and vulnerability scans can crash industrial control systems. Active scanning generally can be done safely in a critical infrastructure environment, according to Dale Peterson, a consultant specializing in industrial control system security, but it requires working closely with operations to address the risk. Passive network monitoring is less intrusive, but it is also less accurate, since it can only report the devices and protocols that actually appear in the monitored traffic. “This debate is often where that IT security view clashes with the OT view. The IT security person is inclined to go with active scanning, but the person in charge of monitoring a critical infrastructure system often prefers a passive approach because they don’t want to put it at risk.”
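As an added example (not code from the article or from anyone quoted in it), the following Python builds a passive Modbus/TCP asset inventory from captured frames alone, the way a sensor on a span port or tap would, and then shows the trade-off described above: a device that never talks on the monitored segment never appears in the inventory. The frames, IP addresses and the engineering asset list are constructed for illustration, and the helper names (`parse_mbap`, `build_inventory`, `unobserved`) are this example's own, not any vendor's tool.

```python
"""Passive Modbus/TCP asset inventory built from captured frames only.

Added illustration, not code from the article. Nothing here sends a packet:
the inventory comes entirely from parsing traffic a span port or tap would see.
Sample frames, addresses and the engineering asset list are constructed.
"""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
WRITE_FUNCTIONS = {5, 6, 15, 16}   # coil/register writes: state-changing requests


@dataclass
class Asset:
    ip: str
    unit_ids: set = field(default_factory=set)       # Modbus unit IDs addressed
    functions: set = field(default_factory=set)      # function codes requested
    clients: set = field(default_factory=set)        # who talks to this server
    write_clients: set = field(default_factory=set)  # who issues writes
    requests: int = 0
    exceptions: int = 0                              # exception responses sent


def parse_mbap(payload):
    """Parse one Modbus/TCP frame (MBAP header + PDU).

    Returns (unit_id, function_code, is_exception) or None when the bytes are
    not a well-formed Modbus/TCP frame (wrong protocol id or length field).
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return unit, fc & 0x7F, bool(fc & 0x80)


def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Traffic to port 502 is treated as a client request, traffic from port 502
    as a server response. Non-Modbus payloads on those ports are ignored.
    """
    inventory = {}
    for src, sport, dst, dport, payload in frames:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, fc, is_exc = parsed
        if dport == MODBUS_PORT:
            asset = inventory.setdefault(dst, Asset(dst))
            asset.unit_ids.add(unit)
            asset.functions.add(fc)
            asset.clients.add(src)
            asset.requests += 1
            if fc in WRITE_FUNCTIONS:
                asset.write_clients.add(src)
        elif sport == MODBUS_PORT:
            asset = inventory.setdefault(src, Asset(src))
            if is_exc:
                asset.exceptions += 1
    return inventory


def unobserved(inventory, engineering_list):
    """Assets on the engineering list that never appeared on the wire.

    Passive monitoring cannot say whether these are offline, simply silent, or
    on a segment the sensor does not see; that blind spot is the accuracy
    trade-off that argues for an operations-approved active scan.
    """
    return sorted(set(engineering_list) - set(inventory))


# --- constructed sample traffic -------------------------------------------
def mb_request(tid, unit, fc, *words):
    """Build a Modbus/TCP request frame (used only to construct sample traffic)."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def mb_response(tid, unit, fc, data):
    """Build a Modbus/TCP response frame; fc | 0x80 marks an exception."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from PLC .21
    ("10.1.1.10", 50001, "10.1.2.21", MODBUS_PORT, mb_request(1, 1, 3, 0, 10)),
    ("10.1.2.21", MODBUS_PORT, "10.1.1.10", 50001, mb_response(1, 1, 3, bytes([20]) + bytes(20))),
    # HMI reads input registers from PLC .22, which answers with exception 0x02
    ("10.1.1.10", 50002, "10.1.2.22", MODBUS_PORT, mb_request(2, 1, 4, 0, 4)),
    ("10.1.2.22", MODBUS_PORT, "10.1.1.10", 50002, mb_response(2, 1, 0x84, b"\x02")),
    # an engineering workstation writes a single register on PLC .21
    ("10.1.1.55", 50003, "10.1.2.21", MODBUS_PORT, mb_request(3, 1, 6, 100, 1)),
    # something non-Modbus aimed at port 502: ignored, not mis-inventoried
    ("10.1.3.9", 40000, "10.1.2.21", MODBUS_PORT, b"GET / HTTP/1.1\r\n"),
]

# constructed engineering asset list; .23 is a PLC that never spoke on the span
ENGINEERING_LIST = ["10.1.2.21", "10.1.2.22", "10.1.2.23"]


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for ip, a in sorted(inv.items()):
        print(f"{ip}: units={sorted(a.unit_ids)} functions={sorted(a.functions)} "
              f"clients={sorted(a.clients)} writers={sorted(a.write_clients)} "
              f"requests={a.requests} exceptions={a.exceptions}")
    print("on engineering list but never observed:", unobserved(inv, ENGINEERING_LIST))
```

Run as a script, the PLC that exists only on the engineering list comes out under `unobserved`: a passive sensor can report what it saw, not what is there. The `write_clients` set is the kind of finding worth checking against the asset owner interviews described further on, since a client issuing writes that operations does not recognize is a problem before any vulnerability scan is run.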
Especially with in-depth assessments, organizations are likely to uncover a long list of problems and must then decide which remediations to prioritize. Compounding the problem, many cybersecurity professionals don’t have direct experience with all of the equipment under audit, and so must rely on interviews with seasoned asset owners and operators to gauge its cyber risk.
Organizations should weigh both severity and ease of remediation. Access control is often a theme here, Miklovic said. “Boundary interfaces always are the weakest part of any cybersecurity problem, whether it be a protocol boundary or a physical boundary,” he said. “Even in the industrial cybersecurity world, one of the biggest breach points still is USB drives.”
While it is quick and inexpensive for a staff member to use super-glue or solder to plug unused USB ports, some organizations focus too much on addressing the “easy stuff” in their remediation, Howard said. “Yes, there are threshold mitigations you should knock out immediately. But after that, you should prioritize based on risk.”
Quantifying that risk is possible using a two-by-two matrix that weighs the likelihood that a vulnerability is exploited against the potential severity of its impact, according to Joe Saunders, CEO of RunSafe Security.
Building a risk profile for each system is rarely straightforward. Interviews with asset owners and operators are key to understanding the impact if a given system were to crash. “You can have a machine that seems to be vulnerable and high risk,” Miklovic said. But if it goes down, it may cause only isolated problems rather than bringing everything “to a grinding halt.”
Another factor that can complicate risk assessment is the tendency for organizations to rank their cyber-priorities solely by the time or money invested in an asset. “What an organization thinks is valuable may be quite different from what a cybercriminal thinks is valuable,” said Bill Malik, vice president, infrastructure strategies at Trend Micro.
When it comes to legacy equipment, organizations can be limited in their ability to reduce risk. A device running a decades-old operating system likely can’t be updated. “The strategy that’s typically taken on these systems is to isolate and monitor,” Howard said. “My experience is that the isolation is usually pretty porous.”
New Risks in the New Normal
Risk management in critical infrastructure was already growing harder as cybersecurity concerns mounted. The need for these organizations to develop COVID-19 response plans while expanding remote working for some employees adds further complexity. “I think the main sort of change that we see in critical infrastructure environments is the work-from-home scenario,” said Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity.
The work-from-home paradigm has complicated protecting vulnerable systems, Howard said. “Now, you have employees using VPN to connect to production systems from home to make changes,” he said. “They would probably not have done that before.”
Similarly, some organizations could be tempted to grant third parties such as vendors and technicians remote access to sensitive systems. “There’s probably less focus on cybersecurity when many people are focused on getting their work done and keeping their job,” Norton said.
Network availability is another consideration for organizations looking to scale up remote working capabilities in critical infrastructure contexts. “In the past, you had organizations with 10%–20% of their workers using traditional remote access infrastructure,” Norton said. As organizations have scaled up remote working, “many have run into problems with bandwidth, scale and deploying assets.”
While expanding connectivity for industrial assets can potentially create more vulnerabilities, COVID-19 also underscored the risk of old-fashioned contingency plans that rely on workers’ physical presence, manual processes, and paperwork.
Although traditionally slow to change, critical infrastructure organizations shouldn’t shy away from making wholesale changes to their technology architecture as they rethink core processes and workflows. “If this is the new normal, you probably need to redesign your infrastructure,” Norton said.
Toward Proactive Cybersecurity
Ultimately, critical infrastructure organizations seek to transition from entrenched, manual processes that offer incremental risk reduction toward a more-proactive cybersecurity posture. “Industrial environments tend to be complex and constantly evolving,” said Natali Tshuva, CEO of Sternum. “Security controls are needed not only to assess the current status but to also offer sustainable protection and peace of mind for years to come.”
Traditionally, industrial and critical infrastructure security meant physical security, encompassing safety and access control within a physical perimeter. Many traditional industrial protocols are fundamentally insecure, lacking authentication and encryption, because their designers assumed only authorized personnel would ever reach them. But the rise of remote working, cloud computing and IIoT has undercut the castle-and-moat security model. The influence of that legacy model, however, is one reason many critical infrastructure organizations, as well as enterprise companies, still have a reactive security approach.
The emphasis of such a redesign should be creating robust and efficient workflows based on universal security policies. “Move the security controls as close as possible to the assets,” Norton counseled.
The process includes creating a comprehensive and evolving security policy for the following assets:
- Equipment and devices: Such hardware could range from legacy industrial equipment to IoT devices to corporate-issued laptops. “Understanding those devices in context relative to users is super important,” Norton said. Industrial controllers deserve particular attention, Saunders advised: securing sensors and gateways is relatively straightforward, “but controllers are performance-sensitive and deep in the infrastructure.”
- Networks and users: Security staff should constrain user access as tightly as is feasible, based on the controls outlined in the organizational security policy. “You can have a policy engine that’s talking to those security controls that allows you to dynamically apply, through the context of the user and the application, logic,” Norton said. Organizations should also invest in network breach detection capabilities.
- Data: Data classification and discovery are valuable tools for evaluating the level of control needed to protect a given data type.
- Workflows, workloads and processes: The degree of protection required accounts for these processes’ intrinsic value to your organization and the likelihood of adversaries interfering with them. This task also includes fortifying the supply chain and ensuring that contractors and suppliers comply with a specified level of security controls.
- Software development processes: Critical infrastructure organizations “should build security into software development, so the software you deploy is resilient,” Saunders said.
While cyber-hygiene is vital, a common pitfall in security is to under-prioritize threat detection, response and recovery. “A quick rule of thumb is to spend 50% of your effort on prevention and detection, and spend 50% of your effort on response and recovery,” said Matt Selheimer, an executive at PAS Global. “Traditionally, the approach many organizations have taken is to put the preventive controls in place first,” Norton said. But given the complexity of examining risk in critical infrastructure environments, response and recovery sometimes take a back seat. “If something does go wrong, you want to be able to identify it quickly and shut it down,” Norton said. “That’s just as important as preventing something because you know that something’s eventually going to go wrong.”
Organizations aspiring to transition to a proactive cybersecurity posture can draw on various frameworks, ranging from the comprehensive ISO/IEC 27002 to standards specific to industrial control systems such as ISA/IEC 62443. A relative newcomer is the Cybersecurity Maturity Model Certification (CMMC) from the U.S. Department of Defense, designed to specify the security level required of organizations bidding on various government programs. It is broken into five tiers: the first three specify basic, intermediate and good cyber-hygiene, and the two upper tiers require more sophisticated cybersecurity management. The fourth stipulates that “all cyber activities are reviewed and measured for effectiveness,” with review results shared with management. The top tier adds standardized and comprehensive documentation across all relevant units.
| Level | Focus (process maturity) | Documentation requirement |
|---|---|---|
| CMMC Level 1 | Basic cyber hygiene (performed) | Select practices are documented where required |
| CMMC Level 2 | Intermediate cyber hygiene (documented) | Each practice is documented and a policy exists for all activities |
| CMMC Level 3 | Good cyber hygiene (managed) | In addition to the practices above, a cyber plan exists and is operationalized to include all activities |
| CMMC Level 4 | Proactive (reviewed) | All cyber activities are reviewed and measured for effectiveness; results are shared with management |
| CMMC Level 5 | Advanced/progressive (optimizing) | In addition to the practices above, standardized documentation exists across the organization |
“It’s the first framework we’ve seen with a mapped-out maturity model specific to integrators and their subcontractors bidding on sensitive government programs,” said Tony Cole, chief technology officer at Attivo Networks. The framework could encourage critical infrastructure organizations to develop a more sophisticated understanding of internal cyber risk as well as the due diligence required from third parties. There’s a level of objectivity to the framework that could be helpful, Cole said. “According to the model, a third-party auditor has to come in and confirm the cybersecurity level of a contractor. No self-reported surveys,” he said. “Somebody has to audit it.”
Automation is also an element to consider when designing a proactive security strategy. Techniques such as machine learning can help organizations automate routine security monitoring tasks such as network breach detection and implement controls to stop the spread of attacks.
Embedded security protections, which are increasingly available on diverse, resource-constrained devices, provide intrinsic threat protection. On-device protection should also “include comprehensive asset management capabilities,” Tshuva said. Such controls support network visibility and can provide automatic alerts for attacks.
Organizations that rush to automate security monitoring without a robust and contextual security policy often face an explosion of false alarms, Selheimer warned. In the end, every organization should plan on investing time in tuning its security controls. “It’s no different in OT than in IT. People in the [security operations center] spend a lot of time tuning firewall rules and security information and event management correlation rules to reduce the noise,” Selheimer said.
Complicating matters further is the unique and varied critical infrastructure landscape, which can make deploying off-the-shelf security automation and AI tools difficult. “There are certainly some limitations. But there are also ways to address that,” Norton said. Organizations can, for instance, isolate sensitive operational systems and use automation and orchestration tools to protect the resulting enclave. “Through automation and orchestration, automate as much as you can and then orchestrate where you can’t automate to make sure that you’ve got effective capabilities and are responding and adjusting to threats,” Norton said.
In the end, critical infrastructure security threats will likely shift rapidly. “To be proactive means you’re constantly adjusting your cyber-posture to address what’s happening both in terms of direct impacts against the organization as well as what you’re seeing happen from an industry perspective,” Norton said.