Critical infrastructure attacks remain a threat on the cyber horizon
In what has been described as the largest and most egregious cyberattack against United States critical infrastructure in our history, Colonial Pipeline, which operates the nation’s largest fuel pipeline, was forced to shut down all operations for almost a week in May of 2021. The devastating ransomware attack against Colonial forced an unprecedented emergency declaration from the federal government, as the cyberattack essentially dried up gasoline distribution throughout the East Coast and disrupted distribution around the country while the company worked to resume operations.
Despite the wake-up call that was the May 2021 Colonial Pipeline ransomware incident, the nation’s critical infrastructure systems, among its scarcest resources, continue to be a primary target for cybercriminals. This threat has intensified security and risk mitigation processes and procedures for critical infrastructure, with companies leveraging identity-based access controls and enforcing zero trust to ensure that those who need sensitive information in OT and IT environments can get it, while keeping adversaries out.
One such company, Xage Security, has had over $62M invested in its solution by organizations like Chevron, GE, Piva and SCF Ventures, and serves other clients such as the U.S. Space Force, BR Petrobras and Saudi Aramco. SecurityInfoWatch recently caught up with Xage Security CEO Duncan Greatwood to discuss trends and solutions related to devastating cyber attacks on critical systems. Prior to joining Xage, Duncan was an executive at Apple, leading search-technology projects and products. Before Apple, he was the CEO of Topsy, the pioneer in social media search and analytics acquired by Apple in 2013, and before Topsy he was the founder and CEO of PostPath, the email and security company acquired by Cisco in 2008.
SIW: Can you discuss a brief history of the most recent attacks on critical infrastructure and what the immediate government-level and organizational responses were?
Greatwood: Critical infrastructure attacks happen frequently, and many are never reported. The Colonial Pipeline attack in 2021 was one of the highest-profile critical infrastructure cyber-attacks - it directly impacted the availability of gasoline at gas stations - and it was a wake-up call to infrastructure owners and operators. In response to this attack, President Joe Biden declared a state of emergency and signed Executive Order 14028, which aims to eliminate obstacles to sharing threat information. It lays out a framework for how the government and private sectors should collaborate to improve cybersecurity and assist organizations in defending themselves against cyber threats.
Looking at other examples, last summer, the UK water company, South Staffordshire Water, was hacked. The hackers gained access to the systems that control the level of chemicals in the water and leaked customers’ personal data. IT detected the attacks in time, and no damage was done, but it could have been devastating.
One of the latest attacks on critical infrastructure happened in December 2022 when Germany's multinational industrial engineering and steel production company ThyssenKrupp suffered a massive cyberattack. Microsoft reported that cyberattacks targeting critical infrastructure had doubled from 20% to 40% of nation-state-sponsored attacks they observed in 2022 and, unfortunately, this trend will continue to accelerate in 2023.
SIW: Critical infrastructure sectors like the power grid, gas & oil, water supplies and others seem to kick the can down the road when it comes to implementing both security technologies and risk management frameworks to protect their facilities. Why aren’t there more proactive approaches to mitigating risk?
Greatwood: Cyber risks have been expanding from the energy and utility sectors to the manufacturing sector, including heavy industries like steel production. To protect the world’s critical infrastructure – against a backdrop of rising geopolitical tensions, the transition to distributed renewable energy, supply chain risks, and state-enabled ransomware and espionage – it’s no longer enough for organizations to know they’ve been hacked. They have to shift their mindset from reactive to proactive cybersecurity instead.
Critical infrastructure long relied upon creating total separation, an airgap, between their operational technology (OT) networks and IT networks. Now that business and operational needs have created a need for OT-IT interconnectivity, including the need for remote access to critical OT assets, the attack surface is increasing, but the security policies and approaches to mitigating that risk are still catching up.
Unfortunately, there aren't many proactive approaches to mitigating risk because existing cybersecurity approaches for critical operations and operational technology (OT) are limited to perimeter security, threat detection and incident response strategies. There are also legacy approaches to access management that use shared/static credentials with excessive privileges, plus there are IT-centric remote access solutions that, when applied to physical operations, unnecessarily expose operational assets to external threats.
SIW: What sort of identity and access management do you feel is needed and how can these solutions be implemented?
Greatwood: Zero Trust, the strategy heralded by organizations including CISA and the TSA, is the best approach to modernizing access control and data security. With a Zero Trust architecture, personnel are granted just-in-time, just-enough access and must verify their identity and privileges to access a workstation, device, or other assets. Zero Trust principles, which emphasize granular, identity-based access management, are no longer a “nice to have” but a “must-have” when it comes to modernizing industrial cybersecurity programs. For example - remote access to critical infrastructure can be modernized with zero-trust strategies and solutions along with existing defense-in-depth investments.
Critical infrastructure organizations have a unique set of responsibilities and circumstances driving their need for remote access as part of their overall access control approach. A Zero Trust approach to access does away with the overly permissive nature of VPNs and jump boxes while also eliminating the requirement of managing byzantine firewall rules. What’s more, with a cybersecurity mesh approach, Zero Trust can overlay existing equipment and architectures, maintaining the existing security hierarchies and avoiding the need for rip-and-replace of networks or operational equipment.
SIW: Are facilities doing enough to ensure their networks are properly configured and that they have secure internet-facing network devices and if not, how can these risks be addressed?
Greatwood: A common approach to industrial cybersecurity right now is to focus on detection and response rather than prevention. This has value but is insufficient in critical infrastructure. The costs, and the danger to human life, of even a minor hack make it crucial to focus on blocking attacks before systems are compromised. That means critical infrastructure operators need their remote access and access management solutions to follow Zero Trust principles, with multi-factor authentication at every layer, automated credential rotation, granular access control and protection for legacy systems. Additionally, critical infrastructure operators need complete control over data transfer in and out of their environments. This means controlling who can move data in and out, whether any data can go in or out at all, when, and what data may be moved in and out of the system. Solving these needs securely is a nontrivial challenge. The next generation of Zero Trust security tools for OT exists, and forward-thinking operators are adopting them. The rest of the industry will soon be pushed to modernize security as well or suffer the consequences of escalating cyber threats.
SIW: Beyond network vulnerabilities, other challenges can threaten CI sectors. Talk about how security and risk professionals must tackle operating systems, processes and human vulnerabilities with as much vigor as their networks.
Greatwood: One of the challenging aspects of securing critical infrastructure is that high-risk vulnerabilities that impact operating systems (e.g., End-of-Life’d Windows systems) and vulnerable OT hardware (e.g., Siemens PLC vulnerability CVE-2022-38773) cannot be patched, and compensating controls need to be deployed to secure these systems. Zero Trust-based strategies like granular identity-based access and privilege enforcement reduce the risk that these systems are exploited, by preventing unauthorized access.
A common human vulnerability is linked to the stolen server or device credentials used in high-profile attacks and breaches. An attacker doesn't have to use some complex chain of vulnerabilities if they can just steal or buy credentials that allow them to log into a target system and upload whatever malware they choose. However, with a proper zero trust architecture in place, control is not lost due to the breach of a single credential or network-level vulnerability; instead, with zero trust, access is still controlled system by system, even if attackers find their way inside the operational network.
Zero Trust strategies that are tailored for operational environments provide a pathway to modernize security controls and processes to protect vulnerable critical assets and minimize the risks due to human errors.
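To make the access model described in the interview concrete, the following is an added example (not part of the interview, and not Xage's product or code): a small per-asset policy check in Python that grants just-in-time, just-enough access and requires a second factor regardless of which network the request comes from. The user name, asset names, grant windows and the session fields are all constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """A just-in-time grant: one user, one asset, one privilege, bounded in time."""
    user: str
    asset: str
    privilege: str          # exact privilege, e.g. "read" or "operate"; no implied superset
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Session:
    """What the access broker knows about the requester at decision time (hypothetical layout)."""
    user: str
    password_ok: bool       # first factor verified
    mfa_ok: bool            # second factor verified for this session
    source_network: str     # kept for audit only; deliberately never used in the decision


def decide(session: Session, asset: str, privilege: str,
           grants: list[Grant], now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Every request is evaluated per asset, not per network."""
    if not session.password_ok:
        return False, "credential-invalid"
    if not session.mfa_ok:
        # A stolen or bought password alone is never enough, wherever the request originates.
        return False, "mfa-required"
    matching = [g for g in grants
                if g.user == session.user and g.asset == asset and g.privilege == privilege]
    if not matching:
        return False, "no-grant-for-asset"
    if any(g.not_before <= now <= g.not_after for g in matching):
        return True, "jit-grant"
    return False, "grant-outside-window"


# Constructed sample data: a hypothetical operator "alice", two hypothetical assets.
NOW = datetime(2023, 3, 1, 10, 0, tzinfo=timezone.utc)
GRANTS = [
    # Active two-hour window to operate one PLC.
    Grant("alice", "plc-7", "operate", NOW - timedelta(minutes=30), NOW + timedelta(hours=2)),
    # A read grant on an HMI that expired six hours ago.
    Grant("alice", "hmi-2", "read", NOW - timedelta(hours=8), NOW - timedelta(hours=6)),
]


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Evaluate four constructed requests and return each decision."""
    legit = Session("alice", password_ok=True, mfa_ok=True, source_network="corp-it")
    stolen = Session("alice", password_ok=True, mfa_ok=False, source_network="ot-plant")
    return {
        # Verified identity, MFA done, active grant on this asset: allowed.
        "legit_operate_plc7": decide(legit, "plc-7", "operate", GRANTS, NOW),
        # Valid password presented from inside the OT network without MFA: still denied.
        "stolen_cred_inside_ot": decide(stolen, "plc-7", "operate", GRANTS, NOW),
        # Same legitimate session asking for a privilege it was never granted: denied.
        "legit_admin_plc7": decide(legit, "plc-7", "admin", GRANTS, NOW),
        # A grant that exists but has expired no longer applies: denied.
        "legit_read_hmi2_expired": decide(legit, "hmi-2", "read", GRANTS, NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:26s} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The point of the second scenario is the one made above about stolen credentials: because the decision never consults `source_network`, an attacker who has already found a way into the operational network gains nothing from that position alone; each asset still demands a verified identity, a second factor and a current grant for exactly the privilege requested.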