While the federal government cannot command private industry, it can provide direction and drive urgency. To this end, the Biden Administration recently issued a new National Security Memorandum (NSM) outlining steps to safeguard the country’s critical infrastructure. This follows a series of government actions, including the May 2021 Executive Order on cybersecurity and the 2020 Cybersecurity Maturity Model Certification (CMMC) rollout, which may “sound bureaucratic” but “have teeth,” to quote the Washington Post’s David Ignatius.
During a recent speech at the Office of the Director of National Intelligence, President Biden warned that ransomware and other cyber threats “increasingly are able to cause damage and disruption in the real world,” according to the Financial Times. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” he continued.
The latest directive is purely voluntary and collaborative, as about 85% of U.S. IT infrastructure resides in the private sector, beyond Washington’s command. Still, the Industrial Control System Cybersecurity Initiative calls for the federal government to “create a path” for government and industry to take action “within their spheres of control to address serious threats.” The Department of Homeland Security will be issuing preliminary sector-specific cybersecurity goals by September 22, making them final one year later. A parallel legal study suggests the government may push to make these requirements legally binding in the future, reports CSO.
Historically, such proposed regulations have met resistance. Yet on the heels of major breaches from SolarWinds to Kaseya, the stakes have never been higher. At Black Hat USA, Scott Shackelford, cybersecurity program chair at Indiana University, and Christopher Hart, former chairman of the National Transportation Safety Board (NTSB), called for a middle ground of sorts in the form of a national cybersecurity safety review board — an independent agency similar to the NTSB — that could investigate major cyber incidents to find out why they happened and even subpoena organizations, when necessary, to help prevent them from happening again.
Critical Infrastructure: A Broad Definition and Target-Rich Environment
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical sectors that need to improve cyber defenses: chemical, commercial facilities, communications, critical manufacturing, dams, defense industries, emergency services, energy, financial services, food and agriculture, government facilities, healthcare, IT, nuclear power, transportation and water/wastewater. This designation of “critical infrastructure” in the U.S. is much broader than in other parts of the world, such as the EU, which recognizes only seven sectors.
All these critical sectors rely on computerized operational technology (OT) to function, which is fast converging with IT and exposing critical industrial control system (ICS) endpoints and other assets to aggressive threats like ransomware.
Add to that remote access, the Internet of Things (IoT) and the cloud — and the attack surface increases significantly, allowing more opportunities for attackers to get into IT/OT systems. A successful attack on critical infrastructure could disable or destroy production lines and industrial processes, leave cities in the dark or shut off critical lifesaving technologies.
Corporate IT executives are aware of the hazards. A 2020 Ponemon Institute survey of more than 2,500 cybersecurity practitioners responsible for protecting OT systems found 57% believed they will face one or more attacks, while almost half believe that the risks are higher for OT systems than IT systems. Slightly more than six out of 10 believed that OT and IT security efforts are not aligned. Nearly half also said that the threat to OT systems is increasing. They identified the three biggest threats: phishing, ransomware and denial-of-service attacks. One-third admitted that their companies suffered the loss of OT-related intellectual property as a result of previous attacks.
The challenge is enormous. During his Black Hat talk (you can check out slides here), Shackelford asked, “Here in the states, given our broad perspective on critical infrastructure, if everything is critical, how can we best coordinate our expertise and resources to defend vulnerable critical infrastructure against the huge array of cyber-enabled threats, including ransomware, that we’ve seen recently?”
The Need for Night Vision
One thing is clear, as the Biden memo states: “We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”
Most critical infrastructure companies operating with legacy security measures are in the “blind” position. They cannot defend against threats they cannot see and only know if they have been attacked after the damage is done. This could be weeks, months or even years after suffering an initial intrusion.
Of significant concern is the sharp rise of ransomware attacks targeting the critical infrastructure space. According to a report from The Institute for Critical Infrastructure Technology (ICIT), “if a SCADA or ICS system in an energy, utilities or manufacturing organization becomes infected with ransomware, then lives could be jeopardized in the time it takes to investigate the incident and return the systems to operation.”
A Zero Trust Playbook for Ransomware Protection
This May, CISA and the FBI issued guidance on protecting critical infrastructure from ransomware. Here is a look at three of their key recommendations for defense-in-depth ransomware protection:
- Attacks on powerful ICS systems often begin with identity compromise at the endpoint and subsequent abuse of privileged credentials. CISA and the FBI provide the following guidance: “Ensure user and process accounts are limited through account use policies, user account control and privileged account management. Organize access rights based on the principles of least privilege and separation of duties.”
- Securing and monitoring remote access to OT and IT networks is also critically important, since both internal and external users require access to ICS networks. This access increasingly involves remote connectivity sessions that can sometimes go unsecured and unmonitored for days or weeks. CISA and FBI authors recommend “limiting access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.”
- Implementing application whitelisting (also known as “allowlisting”) can help mitigate the risk of malware-based attacks by “only allowing systems to execute programs known and permitted by security policy.” CISA and FBI authors write, “Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.”
Unusual user activity or unauthorized credential use to access an ICS asset can also signal an attack. Understanding the context of a user’s actions adds another layer of security. Users typically interact with the company system at the usual time, from the usual device, accessing the usual files. Anything that breaks the pattern can be flagged, logged and blocked. It’s one thing to be logging on from California at noon on your usual laptop to begin work. It’s another to be logging on at midnight from a foreign country using a desktop PC.
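One way to encode the context check described above, as an added example (this is not code from the original post or from the CISA/FBI guidance). The login records, the two-hour slack around usual hours, and the flag/block thresholds are constructed assumptions:

```python
"""Context-based login triage for an ICS operator account (added example)."""
from collections import Counter

# Constructed baseline: past successful logins for one operator account.
BASELINE = [
    {"user": "op_alice", "hour": 9, "country": "US", "device": "laptop-a1"},
    {"user": "op_alice", "hour": 11, "country": "US", "device": "laptop-a1"},
    {"user": "op_alice", "hour": 12, "country": "US", "device": "laptop-a1"},
    {"user": "op_alice", "hour": 14, "country": "US", "device": "laptop-a1"},
]


def build_profile(events):
    """Summarise each user's usual hours, countries and devices."""
    profile = {}
    for e in events:
        p = profile.setdefault(e["user"], {"hours": Counter(), "countries": Counter(), "devices": Counter()})
        p["hours"][e["hour"]] += 1
        p["countries"][e["country"]] += 1
        p["devices"][e["device"]] += 1
    return profile


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (wraps past midnight)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(profile, event, hour_slack=2):
    """Return the list of ways a login breaks the user's established pattern."""
    p = profile.get(event["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if not any(_hour_distance(event["hour"], h) <= hour_slack for h in p["hours"]):
        reasons.append("unusual hour")
    if event["country"] not in p["countries"]:
        reasons.append("unusual country")
    if event["device"] not in p["devices"]:
        reasons.append("unknown device")
    return reasons


def triage(profile, event):
    """Assumed policy: one deviation is logged and flagged, two or more are blocked."""
    reasons = score_login(profile, event)
    if not reasons:
        return "allow", reasons
    return ("block" if len(reasons) >= 2 else "flag"), reasons
```

The "flag" outcome is where a step-up such as the multi-factor prompt from the RDP guidance above would sit, while "block" feeds the logging and response tooling the memo calls for.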
This guidance follows the Zero Trust cybersecurity model of “never trust, always verify” and helps organizations secure individual identities — whether human or machine — throughout the cycle of accessing critical OT and IT assets. When identities can be authenticated accurately, authorized with the proper permissions and given access to privileged assets in a structured manner, organizations are better equipped to find attackers as they move through a network — and stop them before they can disrupt critical systems, threaten uptime and jeopardize consumer safety.
No Time to Waste
The U.S. Government has defined the critical infrastructure cybersecurity problem and outlined broad solutions, and will soon deliver its recommendations. Private industry has work to do to meet those goals — and as Shackelford and Hart urged their Black Hat audience — the time to act is now, with or without federal government enforcement.