Toward the end of October, the Cybersecurity and Infrastructure Security Agency rolled out a simplified security checklist to help critical infrastructure providers. The intent of the document is admirable: Advise at-risk organizations on improving security practices by demonstrating the cost, projected impact and complexity of recommended fixes.
For example, CISA recommends that organizations track unsuccessful logins and generate alerts after a certain number of failures occur. Similar assessments are provided for device security, data security, governance and training, vulnerability management and other categories. As far as general advice goes, it’s not bad.
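As an added illustration of the failed-login alerting CISA recommends (example code written for this page, not from the CISA checklist or the article), the following Python counts failures per user and source within a sliding window over constructed sample log lines; the low-and-slow `admin` case shows why the window length matters as much as the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified sshd/syslog style (not real data).
SAMPLE_LOG = """\
2023-11-01T08:00:01 sshd: Failed password for operator from 10.0.0.5
2023-11-01T08:00:03 sshd: Failed password for operator from 10.0.0.5
2023-11-01T08:00:04 sshd: Failed password for operator from 10.0.0.5
2023-11-01T08:00:06 sshd: Failed password for operator from 10.0.0.5
2023-11-01T08:00:07 sshd: Accepted password for operator from 10.0.0.5
2023-11-01T08:00:09 sshd: Failed password for operator from 10.0.0.5
2023-11-01T08:05:00 sshd: Failed password for root from 203.0.113.7
2023-11-01T08:05:02 sshd: Failed password for root from 203.0.113.7
2023-11-01T08:05:03 sshd: Failed password for root from 203.0.113.7
2023-11-01T08:05:05 sshd: Failed password for root from 203.0.113.7
2023-11-01T08:05:08 sshd: Failed password for root from 203.0.113.7
2023-11-01T09:30:00 sshd: Failed password for admin from 10.0.0.9
2023-11-01T09:45:00 sshd: Failed password for admin from 10.0.0.9
2023-11-01T10:00:00 sshd: Failed password for admin from 10.0.0.9
2023-11-01T10:15:00 sshd: Failed password for admin from 10.0.0.9
2023-11-01T10:30:00 sshd: Failed password for admin from 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def detect_bruteforce(log_text, threshold=5, window_minutes=10):
    """Alert once per (user, source) when `threshold` failures land inside a sliding
    window; a successful login resets that pair, and stale failures expire."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a production parser would handle more formats
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        key = (user, src)
        if outcome == "Accepted":
            failures[key].clear()  # success resets the counter for this pair
            continue
        q = failures[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) == threshold:  # fires exactly once per burst
            alerts.append((user, src, ts.isoformat()))
    return alerts
```

With the default 10-minute window only the rapid `root` burst alerts; widening the window to 120 minutes also catches the spaced-out `admin` attempts, which is the kind of tuning decision a checklist cannot make for an organization.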
However, I have to wonder: Is issuing “not bad” advice truly the path to improving critical infrastructure security?
For reference, there are sixteen market sectors that fall under the critical infrastructure classification.
Many, such as water, energy, and government facilities, use older or specialized technology that is insufficiently hardened against cyberattacks. Others, including the financial services and communications sectors, have honed their cyber defenses by withstanding a continuous barrage of attacks.
These sectors are vital to many aspects of our day-to-day lives, and their disruption could destabilize the nation. CISA’s desire to help these industries is understandable. However, it takes more than a handy security checklist to thwart the advanced cyberattacks of international threat groups and state-sponsored advanced persistent threats.
Taking blunt instruments to delicate problems
FEMA claims that 85% of critical infrastructure is privately owned, placing it beyond the bounds of government responsibility. Conversely, a recent university study calls this number misleading and claims the government owns 23% of critical infrastructure, which “service(s) 92% of the population.” Regardless, our critical infrastructure is vital to the public and private sectors, and everyone has a stake in its welfare. What is important to remember is that the federal government operates strictly at the national level. While some problems, such as environmental policies and interstate commerce, are addressable at this level, others are not.
For example, following the CISA checklist requires IT teams to have the requisite headcount, expertise and technology to implement the recommended fixes. While it is probably safe to assume businesses in the financial services sector can muster these resources, the same cannot be said for wastewater and transportation. Furthermore, the threats that target nuclear reactors are not necessarily the same as those targeting agricultural organizations. The specific cyberthreats facing each of the sixteen sectors may vary widely. Critical infrastructure security cannot be fixed by a national, one-size-fits-all approach; industry-specific threats can slip through the cracks.
Following CISA’s recommendations may prove challenging for many organizations. It’s one thing for an organization to say “let’s create incident response plans,” per CISA’s Response and Recovery advisory. It’s quite another to create effective plans addressing different classes of incidents, fund incident response programs, and implement relevant security frameworks. Simply put, telling a company the general steps for building an airplane won’t enable it to take flight.
Yesterday’s plan can’t stop today’s threats
Certain sections of the CISA checklist seem geared toward traditional castle-and-moat network architecture. This older networking model was popular when organizations operated from a centralized facility. It applies to an era of in-house data centers, local employee workstations, and standalone applications. Is this model still relevant in our post-pandemic world? Today, many employees have remote or hybrid work schedules, and countless applications and business resources have migrated to the cloud.
With cloud computing and remote work being commonplace among today’s organizations, basing security on the antiquated castle-and-moat model makes little sense. Some organizations may still rely on traditional network architecture, VPNs and local workstations, but they still interface with a hyper-connected world. Advising organizations on ways to secure their outdated technology is, as the saying goes, akin to “rearranging the deck chairs on the Titanic.”
Consider the numerous critical infrastructure organizations that employ third parties to augment their headcount, operations and expertise. Granting traditional network access to loosely vetted contractors is a dubious practice in any sector, but it borders on pure negligence when critical infrastructure is involved. Traditional networking is inherently insecure. It becomes more so with the continued rise of remote workers and the widespread adoption of cloud-based services. Before long, it may become as outdated as real castles and moats.
Surprisingly, one of the strongest security practices, the principle of least privilege, is missing entirely from the CISA list. Instead, the agency offers organizations the watered-down suggestion that “No user accounts always have administrator or super-user privileges.” This is a perfect example of where good advice falls short of translating into effective cybersecurity. Yes, it is certainly good practice to deny permanent admin privileges to user accounts, but organizations should take access restrictions considerably further than that.
The current administration has issued an executive order encouraging organizations to embrace zero trust. The CISA checklist not only skips some of the most important aspects of zero trust, it doesn’t even mention the framework.
Strong security is a choice, not a checklist
Imagine the sheer number of differences between the sectors that fall under the umbrella of critical infrastructure. Then remember that every organization in each of the sixteen sectors uses different technology, frameworks, devices and network architecture. No CISA document can adequately cover the security needs of every critical infrastructure organization. The task is simply too massive to tackle in a single attempt.
To achieve strong, effective zero-trust security, an organization must partner with an experienced security specialist. Seasoned security vendors can migrate an organization’s entire infrastructure to a zero trust architecture and provide secure access to every employee, from anywhere. How this is achieved depends on the specific security challenges the organization is facing and its current technological processes. Generally, it will involve migrating resources to the cloud, eliminating the network, and working through secure access brokers.
CISA did an excellent job putting together a prioritized checklist that provides critical infrastructure organizations general security advice. It is not CISA’s fault that implementing effective zero trust architecture simply cannot be accomplished at a national level. Ultimately, organizations are too technologically and operationally diverse to follow a single checklist and arrive at zero trust.
Dan Ballmer is senior transformation analyst at Zscaler.