In my previous column, I wrote about the steady drumbeat of alerts, news reports, and actual attacks demonstrating that critical infrastructure has been in the crosshairs of nation-state threat actors and cyber criminals for years. Now, evolving intelligence indicates attacks on critical infrastructure networks are taking center stage in the theater of war.
On April 20, the security agencies that comprise the Five Eyes intelligence alliance from countries including the U.S., Australia, Canada, New Zealand, and the United Kingdom, released a joint Cybersecurity Advisory (CSA) warning of imminent and serious threats to critical infrastructure in countries that have sanctioned Russia or otherwise supported the Ukraine. Cybercrime groups have aligned with Russia, pledging to support the country’s efforts to wage cyberwarfare.
It’s against this backdrop that U.S. critical infrastructure organizations across all 16 sectors must move quickly to mitigate risk. Many of us have seen, if not personally experienced, the impact on lives and livelihoods when critical infrastructure like hospitals, telecommunications, oil pipelines, and food supply chains are disrupted. I’m not saying this to create fear or worry, but to encourage preparation and prevention.
Protecting critical infrastructure is an ongoing process and it is never too late to get started. Fortunately, there are seven immediate steps you can take to put your organization on the path toward better situational awareness and risk reduction.
1. Capitalize on your strengths. Executives and boards have internalized the lessons learned from high-profile cyberattacks. According to a global survey conducted by Pollfish in September 2021, more than 50% of organizations report executives and boards becoming very involved in cybersecurity decision-making and oversight and more than 80% report an increase in IT and operational technology (OT) security budgets over the past two years. This increased attention can lead to more productive budget discussions as all stakeholders are aligned on the risk. It’s a good time to seek more funding because cybersecurity is no longer considered an expense, but a competitive advantage.
Defenders can use this position of strength to move quickly to leverage the greatest advantage they have, knowing their networks better than the adversary. Having visibility into all assets is an excellent first step to prepare proactively and focus on addressing likely paths of attack. Consider all systems and devices including the Extended IoT (XIoT), which includes OT/Industrial IoT (IIoT), Internet of Medical Things (IoMT), and enterprise IoT. This can take time so prioritize the most critical processes, machines, and devices for the greatest payoff.
2. Coalesce the team. Instead of starting down the path of creating a separate OT governance process and Security Operations Center (SOC), which introduces risk and delays, common best practice is to centralize responsibility and accountability for securing the OT environment under the CISO. IT and OT teams can work together, leveraging existing best practices and technology used in IT environments and only adding incremental OT-specific capabilities to cover the totality of the network. Approaching risk management and governance processes holistically allows the CISO to execute an enterprise-wide risk management strategy more efficiently and effectively.
3. Assess and improve your security posture. With visibility into assets, you can understand security gaps and mitigate risks such as vulnerabilities and misconfigurations. As the joint CSA suggests, prioritize patching known exploited vulnerabilities. In instances where patching isn’t possible or practical, such as with legacy systems, identify and implement compensating controls such as firewall rules and access control lists. Understanding your level of exposure will help you decide where to focus your resources and budget to prioritize crown jewels protection.
4. Revisit the basics. If you haven’t provided end-user awareness and training in the last few months, now is the time for an update. With an ever-expanding attack surface due to hybrid work models and increased inter-connectivity, many attacks are leveraging smart social engineering techniques to gain a foothold in organizations. Make sure your team stays up to date on those. The strength of your technology defense stack is irrelevant if an employee gets spearphished.
Also, ensure that your cyber hygiene extends to XIoT devices. This includes the use of strong passwords (and not sharing passwords amongst different users, a practice that is common in industrial operations), a password vault, and multi-factor authentication. The Cybersecurity and Infrastructure Security Agency (CISA) has a number of no-cost hygiene tools, including scanning and testing to help reduce exposure to threats.
5. Control access and communications. Audit your network segmentation to ensure you have IT/OT segmentation, which reduces the chance of an attack on the IT network spreading to the OT network. In addition, virtual segmentation within the OT environment is a cost-effective and efficient way to establish what “normal” looks like and be alerted to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. And if remote operations need direct access to the OT networks, make sure this is done through a secure remote access connection with strict controls over users, devices, and sessions.
6. Monitor systems. Sophisticated attacks require extensive preparation by adversaries and usually take a significant amount of time to carry out, with lots of lateral movement. Agentless solutions that are purpose-built for continuous threat monitoring across the OT network can be implemented quickly and can provide early warning indicators of compromise, so you can get ahead of threats and take the necessary steps to mitigate risk.
7. Build Preparedness. Tabletop exercises of likely scenarios are an effective way to gain a deeper understanding of organizational and technical preparedness. Use the learnings to create an improved incident response plan. If not already in place, formalize partnerships with incident response and legal firms. In the face of an attack, you’ll receive better, faster counsel if firms already know your key internal stakeholders and teams, have visibility into existing IT and OT infrastructure and controls, and understand your business and risk profile.
As the adage goes, don’t let perfect be the enemy of good. Most executives and boards don’t need convincing that efforts to protect critical infrastructure must accelerate, so use this to your advantage and get started now. The immediate steps above offer the best ratio of risk reduction to effort invested and get your organization moving in the right direction quickly.