This blog addresses the new challenges faced by operational technology security teams in charge of critical infrastructure, exemplified by the recent ransomware attack that shut down the Colonial Pipeline that supplies fuel to most of the eastern United States, including military bases, with far-reaching consequences. It explains why this breach was different and how it sheds light on the security challenges of the digital transformation in industrial sectors deemed critical to national security.
The security of critical infrastructure has been under advanced and persistent threats from sophisticated state actors for many years. Stuxnet, the malware uncovered in 2010 that was used to attack the Iranian nuclear program, proved that even air-gapped operational technology networks and industrial control systems are vulnerable to breaches and sabotage. Expanding on an initial breach, the attackers remained undetected while moving laterally across the network to reach their intended target: the programmable logic controllers (PLCs) driving the uranium enrichment centrifuges. But once the Stuxnet cyberweapon got into the wild and into the hands of adversaries and criminal rings, a Pandora's box opened, and the rest is history still in the making.
Why is the ransomware attack on the Colonial Pipeline IT network essentially different from previously reported attacks on critical infrastructure?
It is a natural consequence of this event that confidence in the security of the critical infrastructure of many countries is eroding.
Whether or not the attackers intended to compromise the OT network, the fact is that the incident shed light on the security challenges of the digital transformation of critical infrastructure. Across multiple industries, IT and OT networks increasingly overlap. Air gaps and demilitarized zones (DMZs) in industrial environments are vanishing as their traditional network perimeters become more difficult to define and secure. OT and IT in the industrial sector share common trends:
The convergence of OT with IT has brought new security challenges to organizations' network environments. OT teams have unique risks that they need to minimize as much as possible if they cannot be fully eliminated. The risk of loss of life, ecological disaster, and/or severe economic impact on society because of a compromised industrial control system is not the type of risk managed by IT teams that operate and secure corporate networks. But OT and IT share common threats: ransomware (e.g., Petya, WannaCry) deployed by criminal rings, and wipers (e.g., NotPetya) deployed by state actors. OT and IT teams require a new approach to security, and they need to work together to find a cost-effective, rapid, simple, and ubiquitous solution to secure both IT and OT. The implicit trust model for securing enterprise resources is not effective. The watchtower, moat, drawbridge, and fortification-wall design approach to protecting critical infrastructure no longer works.
There is an urgency to rethink and redesign information security because the convergence between OT and IT also redefines the intersection between information security and physical security. When IIoT sensors and the actuators that control valves are compromised, lives, ecosystems, and economies are compromised as well. Many industrial control systems include devices running legacy operating systems that are no longer supported and hardware that is neither easy nor cheap to rip and replace. Forrester's Zero Trust security model is a good starting point for designing a better security strategy for critical infrastructure. The National Institute of Standards and Technology (NIST) has also published a "Guide to Industrial Control Systems (ICS) Security" and a special publication titled "Zero Trust Architecture" to help organizations secure their digital infrastructure.
Getting rid of the old implicit trust model is a journey that starts with adopting the zero trust mindset across the whole organization, not just the OT and IT teams. For stakeholders to trust the security of critical infrastructure again, security and network teams in the IT and OT organizations need to design a new and encompassing information and operational security strategy. This strategy must treat the identity and contextual attributes of users, devices, applications, workflows, and even data packets as the new perimeter at which access policies are enforced. Elisity® is enabling that with the Cognitive Trust™ platform by adding the missing link between visibility and enforcement, with ubiquitous adaptive policies enforced as close to the asset as possible.
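To make the idea of an identity- and attribute-based perimeter concrete, here is a small added example of a default-deny access policy evaluator for a converged OT/IT network. It is illustrative code written for this post, not Elisity's product or API; the asset names (`plc-line-3`, `historian-01`), zones, roles and rule fields are all constructed. Each request carries who is asking (role from the identity provider), from what (device posture and zone), for which asset, over which protocol and under which declared workflow; a rule permits access only when every attribute matches, and anything unmatched is denied regardless of where on the network it originates.

```python
"""Attribute-based access policy evaluation for converged OT/IT networks.

Added example, not Elisity's code or API. It models the zero trust idea from
the text: each access decision is made per request from the identity and
contextual attributes of the user, device, asset and workflow, with a
default-deny fallback, rather than from network location alone. All asset
names, zones, roles and sample requests below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user_role: str        # identity attribute from the IdP, e.g. "ot_engineer"
    device_managed: bool  # device posture: enrolled and compliant
    device_zone: str      # where the connection originates, e.g. "engineering"
    target_asset: str     # asset identity, e.g. "plc-line-3" (constructed)
    protocol: str         # application protocol, e.g. "modbus", "https"
    workflow: str         # declared purpose, e.g. "maintenance_window"


@dataclass(frozen=True)
class Rule:
    name: str
    target_asset: str
    allowed_roles: frozenset
    allowed_protocols: frozenset
    allowed_zones: frozenset
    require_managed_device: bool = True
    required_workflow: Optional[str] = None  # None means any workflow

    def permits(self, req: Request) -> bool:
        """True only if every attribute of the request satisfies this rule."""
        return (
            req.target_asset == self.target_asset
            and req.user_role in self.allowed_roles
            and req.protocol in self.allowed_protocols
            and req.device_zone in self.allowed_zones
            and (req.device_managed or not self.require_managed_device)
            and (self.required_workflow is None
                 or req.workflow == self.required_workflow)
        )


# Constructed sample policy: an OT engineer may talk Modbus to the line-3 PLC
# from a managed device in the engineering zone, but only during a declared
# maintenance window; engineers and analysts may read the historian over
# HTTPS from either the engineering or corporate zone. Nothing else is allowed.
POLICY = (
    Rule("plc-maintenance", "plc-line-3",
         allowed_roles=frozenset({"ot_engineer"}),
         allowed_protocols=frozenset({"modbus"}),
         allowed_zones=frozenset({"engineering"}),
         required_workflow="maintenance_window"),
    Rule("historian-read", "historian-01",
         allowed_roles=frozenset({"ot_engineer", "analyst"}),
         allowed_protocols=frozenset({"https"}),
         allowed_zones=frozenset({"engineering", "corporate"})),
)


def evaluate(req: Request, policy=POLICY) -> Tuple[str, str]:
    """Return ("allow", rule_name) for the first matching rule, else a deny.

    The deny branch is the default: a request that matches no rule is refused
    even if it comes from inside the plant network.
    """
    for rule in policy:
        if rule.permits(req):
            return "allow", rule.name
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    samples = [
        Request("ot_engineer", True, "engineering", "plc-line-3", "modbus",
                "maintenance_window"),
        Request("ot_engineer", False, "engineering", "plc-line-3", "modbus",
                "maintenance_window"),   # unmanaged device
        Request("analyst", True, "corporate", "plc-line-3", "modbus",
                "maintenance_window"),   # wrong role and zone
        Request("analyst", True, "corporate", "historian-01", "https",
                "reporting"),
    ]
    for s in samples:
        print(s.user_role, "->", s.target_asset, s.protocol, evaluate(s))
```

Evaluating the four constructed requests allows only the first and the last; the unmanaged device and the corporate analyst are both refused even though the PLC may be reachable from their network segments. In a real deployment the rule set would be generated from the identity provider and asset inventory and the decision would be logged, but the shape of the check, every attribute must match and the fallback is deny, is the point.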
"We cannot continue to address cybersecurity as a linear problem with linear solutions," says Hellmut Ometzberger, a subject matter expert. "Cybersecurity is complex, and we cannot continue to approach it as if it is merely complicated. Solving cybersecurity as a complicated problem resulted in a proliferation of point solutions in the prevention, detection, and, of late, recovery space as well as a 'develop, connect, secure, deploy' mindset." Hellmut suggests "last mile" vulnerabilities, however, are inherent to leading cybersecurity solutions and defense-in-depth thinking. By adopting a "design, secure, develop, connect, deploy" perspective, Hellmut believes we can secure increasingly distributed IT solutions in inherently insecure and unpredictable environments: "Securing services, containers, and APIs requires us to reframe cybersecurity in terms of data, identity and behavior. As service-centric meshes replace data center-centric infrastructures, framing cybersecurity in terms of endpoints, application and data stores, perimeters, as well as trusted and untrusted infrastructure components simply is not workable and scalable. Innovators like Elisity have a compelling story to tell here."
Since January 2021, the United States government has seen nine federal agencies and around one hundred private companies compromised by a Russian cyberespionage operation. At the same time, a Chinese-linked group exploited a Microsoft Exchange zero-day vulnerability and compromised the information security of tens of thousands of businesses. The more recent ransomware attack on the Colonial Pipeline by a criminal ring harbored by the Russian government forced the company to shut down its pipeline, responsible for delivering 45% of the East Coast's fuel supply, including military bases. As a result, President Biden signed an executive order to boost the federal government's cybersecurity defenses. Although its focus is on the public sector and falls short of addressing critical infrastructure, the executive order will likely set the private sector in the right direction: towards a Zero Trust security model.
InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and the private sector, has been leading the way for quite some time in raising awareness and driving collaboration on critical infrastructure security matters. But there is a lot to be done by practitioners and cybersecurity solution providers, such as shifting how we develop solutions to address today's OT and IT security challenges. Staying ahead of these advanced and evolving threats requires more than the government and critical infrastructure operators coming together to find effective and quick solutions for the sake of national security. It requires developers of OT and IT security solutions to stop preaching a "develop, connect, secure, deploy" workflow and shift instead to a "design, secure, develop, connect, deploy" route. To regain trust in critical infrastructure, security has to become an integral part of application development and an integral part of the converging OT and IT network architecture. Security and networking teams need to start attending the same meetings and working together, just as IT and OT teams must. In the end, our lives depend on it in more ways than we may be willing to admit.
Elisity® Cognitive Trust™ for Connected Devices integrates with leading user, application, and device identity providers to help OT teams secure access to their environment. Elisity bridges the gap between device visibility and policy enforcement.