The last 18 months packed a decade’s worth of “historic” events into a short span while exposing infrastructure vulnerabilities across the United States. The ransomware attack that shut down Colonial Pipeline for nearly a week, cutting off a pipeline that carries roughly 45% of the U.S. East Coast’s fuel supply, created panic at the pump and price hikes. Fuel shortages followed as the operator took its systems offline to contain the damage, and the company ultimately paid a $4.4 million ransom to regain access to its network and data. This is just one of many recent security incidents that demonstrate how millions of lives can be affected when infrastructure fails.
Infrastructure is a broad and crucial issue for the U.S. to get right. As devastating as the Colonial Pipeline attack and other recent attacks like SolarWinds have been, they only hint at the risk and consequences that attacks on critical infrastructure could carry as threat actors become more sophisticated and infrastructure becomes more connected and exposed.
With President Biden’s new executive order (EO) on improving the nation’s cybersecurity (Executive Order 14028, signed in May 2021), 2021 may be the pivotal year in which the U.S. finally starts closing the vulnerability gaps in its operational technology (OT) and critical infrastructure cybersecurity.
COVID-19 Accelerates Digital Transformation and Cybersecurity
In the midst of the pandemic, the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory in July 2020: “All DoD, NSS, [Defense Industrial Base], and U.S. critical infrastructure facilities should take immediate actions to secure their OT assets.” Here are four immediate steps agencies can and should take to reduce risk across critical infrastructure.
Secure access pathways to critical infrastructure systems
Inbound ports opened in a firewall for remote management are unacceptable when it comes to protecting OT assets. Remote access to SCADA and OT devices must be configured so that it can be controlled, managed and audited, and so that it prevents lateral movement across the network. The “all or nothing” VPN access that many contractors and vendors use to monitor and manage these OT devices should be eliminated and replaced with least-privilege controls: one identity, one target device, one protocol, for a bounded window. In addition, those responsible for managing these devices should never be handed the privileged credential directly. Instead, a credential held in a vault should be injected into the requested session automatically, so the user authenticates through a broker without ever seeing or handling the password. This lets an agency enforce its access policies while producing an audit trail that ties every session and command to a verified identity.
Understand the challenges in IT and OT security
In most agencies, the cybersecurity policies honed over two decades of hard lessons do not apply to OT devices. OT systems are frequently managed by entirely different groups, and the devices themselves are often old, unpatched and never designed to be reachable from an enterprise network. As these networks converge onto shared infrastructure, the attack surface of both the critical infrastructure and the agency/enterprise network grows. Examples of this convergence being leveraged in breaches are easy to find, including the Colonial Pipeline incident, where a compromise of the IT side forced the OT pipeline to be shut down. It’s not a new problem, however.
A recurring issue is that many OT devices are managed by third-party vendors who specialize in the equipment, not in cybersecurity. These vendor specialists have a narrow focus and often lack the holistic perspective and cybersecurity awareness needed to secure the devices properly within the highly complex OT ecosystems in which they are deployed. Providing these vendors with audited, policy-compliant and tightly scoped remote access, instead of broad network-level access, would be a big step toward significantly reducing the attack surface.
Control privileged credentials, secrets and accounts
A noteworthy component of the recent EO is Section 4: Enhancing Software Supply Chain Security. Although its subject is the software supply chain, its definition of “critical software” turns on privilege. The EO states, “the security and integrity of ‘critical software’ — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern. Accordingly, the federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”
Controlling privileged credentials, secrets and accounts across the entire network ecosystem protects against numerous attack vectors, from stolen or misused credentials to lateral movement and privilege escalation. Credentials, whether they belong to a human, a machine, an application, an employee or a vendor, should be vaulted and secured according to best practices. Privilege elevation and delegation should be granularly controlled for every type of access. Every session involving privileged activity should be monitored, with session logs, keystroke capture and screen recording.
In the appendix to the 2021 Verizon DBIR, the U.S. Secret Service commented on protecting infrastructure: “Security postures and principles, such as proper network segmentation, the prevention of lateral movement, least privilege, and ‘never trust, always verify’ have proven to be strong indicators of an organization’s ability to prevent or recover from unauthorized presence in its network environment.” Privileged access management (PAM) can help enforce these security controls.
Start to implement a zero trust architecture
First, it needs to be said: there is no such thing as a complete “zero trust solution.”
Zero trust is an aspirational architecture or security posture. It begins with the principle of “never trust, always verify.” “Assume breach” is another important zero trust tenet, and it has become the default stance since the SolarWinds breach. Assume threat actors already exist somewhere within your network. Therefore, always verify identity, remove standing privilege from users and, instead, elevate access for specific applications or tasks only when contextual parameters are met, such as a verified identity, a compliant device and an approved change window. Additionally, use solutions that give third parties and remote workers secure access to only the applications and devices they need to manage. All of these measures reduce the lateral movement attack vector, reportedly involved in some 70% of all cyberattacks and a particularly important component of sophisticated ones.
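The Python below is an added example, not code from this article or from BeyondTrust’s products. It models, in one small broker, the controls the sections above describe: a vaulted credential injected into the session by a broker rather than handed to the vendor (secure access pathways), least-privilege entitlements with a full audit trail of decisions and commands (privileged credential control), and deny-by-default verification of identity, device posture and time window on every request (zero trust). Every identity, host, credential and policy value in it is constructed sample data, and the proxied protocol is a stand-in string rather than a real SSH connection.

```python
# Added example (not BeyondTrust code): a minimal privileged-access broker in the style the text describes.
# All identities, hosts, credentials and policy values below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

@dataclass(frozen=True)
class Entitlement:
    """Least-privilege grant: one identity, one target, one protocol, one approved window."""
    identity: str
    target: str
    protocol: str
    window_start: datetime
    window_end: datetime

@dataclass(frozen=True)
class Context:  # what the broker verifies on every request: who, proven how, from what device, when
    identity: str
    mfa_verified: bool
    device_compliant: bool
    now: datetime

class Vault:
    """Holds device credentials; only the broker calls checkout(), requesters never see them."""
    def __init__(self):
        self._store = {}
    def put(self, target, username, password):
        self._store[target] = (username, password)
    def checkout(self, target):
        return self._store[target]

class AuditLog:
    """Append-only record of every decision and command (stand-in for session/keystroke recording)."""
    def __init__(self):
        self.entries = []
    def record(self, event, **fields):
        self.entries.append({"event": event, **fields})

class Session:
    """Brokered session bound to a single target; the credential is injected, never handed to the user."""
    def __init__(self, session_id, identity, target, protocol, credential, expires, audit):
        self.id, self.identity, self.target, self.protocol = session_id, identity, target, protocol
        self.expires, self._audit, self._credential = expires, audit, credential
        audit.record("session_start", session=session_id, identity=identity, target=target, protocol=protocol)
    def run(self, host, command, now):
        """Forward a command to the bound target only; any other host is a blocked pivot attempt."""
        if now > self.expires:
            self._audit.record("session_expired", session=self.id)
            raise PermissionError("session expired")
        if host != self.target:
            self._audit.record("lateral_movement_blocked", session=self.id, attempted=host)
            raise PermissionError(f"session is bound to {self.target}, not {host}")
        self._audit.record("command", session=self.id, host=host, command=command)
        username, _ = self._credential  # the proxy authenticates with the secret; the user never handles it
        return f"{self.protocol}://{username}@{host}: {command}"  # stand-in for the proxied protocol

class Broker:
    """Deny by default: verify entitlement and context, inject the credential, log every outcome."""
    def __init__(self, vault, audit, entitlements, max_session=timedelta(hours=1)):
        self._vault, self._audit, self._ents, self._max = vault, audit, list(entitlements), max_session
    def request_session(self, ctx, target, protocol):
        reasons = []
        ent = next((e for e in self._ents
                    if (e.identity, e.target, e.protocol) == (ctx.identity, target, protocol)), None)
        if ent is None:
            reasons.append("no entitlement for this identity, target and protocol")
        elif not ent.window_start <= ctx.now <= ent.window_end:
            reasons.append("outside the approved change window")
        if not ctx.mfa_verified:
            reasons.append("identity not verified with MFA")
        if not ctx.device_compliant:
            reasons.append("endpoint failed posture check")
        if reasons:
            self._audit.record("deny", identity=ctx.identity, target=target, protocol=protocol, reasons=reasons)
            raise PermissionError("; ".join(reasons))
        expires = min(ent.window_end, ctx.now + self._max)  # a session never outlives its window
        return Session(secrets.token_hex(8), ctx.identity, target, protocol,
                       self._vault.checkout(target), expires, self._audit)

def demo():
    """Constructed scenario: a vendor engineer gets SSH to one PLC inside a change window, and nothing else."""
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    vault, audit = Vault(), AuditLog()
    vault.put("plc-07.ot.example", "svc-maint", "correct horse battery staple")
    broker = Broker(vault, audit, [Entitlement("vendor-eng-42", "plc-07.ot.example", "ssh", t0, t0 + timedelta(hours=4))])
    ctx = Context("vendor-eng-42", mfa_verified=True, device_compliant=True, now=t0 + timedelta(minutes=5))
    session = broker.request_session(ctx, "plc-07.ot.example", "ssh")
    output = session.run("plc-07.ot.example", "show firmware", now=ctx.now)
    blocked = []
    attempts = (lambda: session.run("hmi-01.ot.example", "id", now=ctx.now),                     # pivot to another host
                lambda: session.run("plc-07.ot.example", "reboot", now=t0 + timedelta(hours=2)),  # after expiry
                lambda: broker.request_session(Context("vendor-eng-42", False, True, ctx.now),
                                               "plc-07.ot.example", "ssh"))                    # no MFA
    for attempt in attempts:
        try:
            attempt()
        except PermissionError as err:
            blocked.append(str(err))
    return output, blocked, [e["event"] for e in audit.entries]
```

demo() returns the one permitted command’s output, the three denials (pivot to another host, use after expiry, request without MFA) and the audit events in order. Nothing the requester receives contains the vaulted password, and a session for a second device requires a fresh broker decision rather than a pivot from the first.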
The EO is also encouraging a fundamental shift towards an “identity is the new perimeter” security model, which aligns with, and helps enable, zero trust. By treating identity as the perimeter, and always verifying that identity, agencies can shift towards enforcing least privilege wherever possible, including air-gapped networks.
Josh Broadbent is the senior public sector security director at BeyondTrust.