Amid Recent Geopolitical Tensions, There Have Been Serious Concerns Regarding the Vulnerability of The United States’ Critical Infrastructure.
By Josh Brodbent, Director of Public Sector Solutions Engineering, BeyondTrust
The Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical infrastructure sectors whose operations are “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” The threat of such an attack is credible enough to warrant official, repeated warnings from the White House urging the public and private sectors to bolster their “cyber defenses immediately.”
Converging Operational and Information Technology
Historically, critical infrastructure sectors relied heavily on operational technology (OT) rather than information technology (IT). Until recently, OT systems ran on proprietary protocols and software, lacked automation, required manual administration by people, and had no external connectivity. Today, the OT landscape is increasingly converging with IT systems. However, OT professionals and IT experts often lack a comprehensive understanding of their counterparts, which further complicates an already precarious union.
Convergence allows for revolutionary new capabilities and efficiencies, such as the ability for OT systems to produce valuable data analytics. However, the shift from largely closed systems to open ones has generated myriad cybersecurity risks. In fact, cyberattacks against critical infrastructure skyrocketed 2,000% in 2019. Vulnerabilities were further exacerbated by the global shift to remote work post-pandemic.
The need for employees to connect remotely to OT systems from personal devices on their home networks meant even fewer security controls were in place on the IT end when compared to traditional corporate environments. These remote connections have blurred the IT-OT segmentation and expanded the attack surface by providing new entry points for hackers to exploit.
The Air-Gap Argument
Some could reasonably argue that the benefits of convergence are not worth the potential cost, and instead advocate a practice known as “air-gapping,” in which OT and IT systems are completely segregated and the OT system is entirely isolated from the outside world. However, in our modern, digital world, a true air gap is nearly impossible to maintain, and accidental convergence should be anticipated.
For example, electromagnetic radiation, FM frequency signals, thermal communication channels, cellular frequencies, near-field communication (NFC) channels and even LED light pulses can expose critical systems to malicious activity. Something as innocuous as an external laptop being used as an HMI or a USB thumb drive used for OT purposes can accidentally converge an IT and OT system, opening the door for serious exploitation.
Therefore, organizations that adhere to an air-gapped security model are the most at risk, because they rely on the gap alone and do not implement any additional security measures. As such, convergence is inevitable, and largely beneficial when executed securely.
As industrial systems become further intertwined with IT, they become increasingly vulnerable. Many have opted to use Virtual Private Networks (VPNs) to secure their OT infrastructure, but VPNs lack the advanced security features, visibility, and scalability necessary to fully protect a converged system.
Protecting Converged Systems Requires Visibility, Auditing and Least Privilege
Visibility is key to any advanced, secure remote access system. It is imperative that system operators can monitor who is accessing the network, what they are doing, and for how long they are connected to the network. “Always-on” VPNs provide little to no visibility or control over individual user activity. By contrast, restricting unapproved protocols and directing approved sessions to a predefined route reduces the potential attack surface.
A thorough understanding of a system’s data makes it easy to detect anomalous events. This visibility enables informed analysis. The ability to capture detailed session data for all remote access sessions, and to review that data in real time, is paramount to securing an OT network. Capturing detailed session logs creates an audit trail that enables accountability and compliance.
Of note, auditing is a primary example of how the differences between OT and IT systems management can cause friction. To assess an IT system, operators typically use a technique known as scanning, but OT systems do not respond well to scanning. In fact, an entire OT system could be disrupted if it were scanned in typical IT fashion. Instead, OT systems should be queried in their native protocols.
Understanding how to safely reconcile the differing practices of IT and OT systems is critical in the process of convergence and is one of the many reasons IT and OT professionals should better educate one another.
Converged networks should also follow the principle of least privilege (PoLP), a core component of any zero trust architecture (ZTA). PoLP is the idea that any user, program, or process should only have the bare minimum privileges necessary to perform its function. PoLP dramatically mitigates the risk of a cyberattack by restricting a bad actor’s ability to move laterally within a system.
Zero trust has become profoundly relevant for OT industrial control systems, as modern cloud-based technologies have blurred or dissolved the idea of traditional firewalls and network-zoned perimeters.
VPNs permit unnecessary access for operators, suppliers, and vendors, meaning that they do not adhere to the PoLP or zero trust. Troublingly, VPNs often store privileged credentials insecurely. To protect our nation’s most valuable resources, role-specific access and individual accountability for shared accounts must be implemented.
Converged systems are often more exploitable because of the challenges inherent in auditing them, meaning that when remotely accessing OT infrastructure, a zero trust mindset is critical.
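The visibility and least-privilege requirements described above (approved protocols only, a predefined route into OT, role-specific access, and a named individual behind every shared account) can be expressed as a policy check over session records. The following is an added example, not code from the article or from BeyondTrust; the policy values, session fields and sample log are all constructed for illustration.

```python
# Added example (not from the article or BeyondTrust): evaluate constructed
# remote-access session records against a least-privilege access policy.
from dataclasses import dataclass

# Hypothetical policy values, constructed for this example.
APPROVED_PROTOCOLS = {"ssh", "rdp"}
APPROVED_ROUTE = "jump-ot-01"      # predefined, brokered entry point into OT
ROLE_TARGETS = {                    # least privilege: role -> reachable OT hosts
    "hmi-operator": {"hmi-plant-a"},
    "plc-engineer": {"hmi-plant-a", "plc-line-3"},
}
MAX_SESSION_MINUTES = 120

@dataclass
class Session:
    user: str      # named individual; empty if a shared account was used anonymously
    role: str
    account: str   # account used on the target (may be shared)
    protocol: str
    route: str     # host the session was brokered through
    target: str    # OT asset reached
    minutes: int

def audit_session(s: Session) -> list[str]:
    """Return policy findings for one session; an empty list means compliant."""
    findings = []
    if s.protocol not in APPROVED_PROTOCOLS:
        findings.append(f"unapproved protocol {s.protocol}")
    if s.route != APPROVED_ROUTE:
        findings.append(f"bypassed predefined route via {s.route}")
    if s.target not in ROLE_TARGETS.get(s.role, set()):
        findings.append(f"role {s.role} not permitted on {s.target}")
    if not s.user:
        findings.append(f"shared account {s.account} used without a named user")
    if s.minutes > MAX_SESSION_MINUTES:
        findings.append(f"session exceeded {MAX_SESSION_MINUTES} minutes")
    return findings

def audit_log(sessions: list[Session]) -> dict[int, list[str]]:
    """Map each non-compliant session's index to its findings."""
    return {i: f for i, s in enumerate(sessions) if (f := audit_session(s))}

# Constructed sample log: one compliant session followed by three violations.
SAMPLE_LOG = [
    Session("alice", "hmi-operator", "hmi_ops", "rdp", "jump-ot-01", "hmi-plant-a", 45),
    Session("bob", "hmi-operator", "hmi_ops", "rdp", "jump-ot-01", "plc-line-3", 30),
    Session("", "plc-engineer", "eng_shared", "ssh", "jump-ot-01", "plc-line-3", 20),
    Session("carol", "plc-engineer", "eng_shared", "telnet", "vpn-gw", "plc-line-3", 400),
]
```

Calling `audit_log(SAMPLE_LOG)` returns findings for sessions 1 through 3 only; the route, protocol and role checks are the ones an always-on VPN cannot enforce per session.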
Ensure Security Without Compromising Business Goals
Converging two unique systems will always present challenges, so when bringing disparate environments together, it is imperative to be diligent about segmentation and engineering throughout the network.
Comprehensive IT protections and secure remote access protocols should be implemented before attaching a network to an OT system, otherwise that OT system will inherit all those same vulnerabilities, an exploitation of which could yield seismic consequences.
In the process of converging the nation’s OT and IT systems, educating one another is of the utmost priority. There is a concerning lack of understanding on both sides about the other, and if we hope to converge our critical infrastructure successfully and securely, that must change.
The benefits of convergence are plentiful, from cost to functionality, but the consequences of a faulty convergence are potentially severe. The process of converging an OT and IT system should be undertaken patiently and with informed decision making. Above all, visibility and vigilance should be prioritized, and the principle of least privilege should be followed closely.
About the Author
Josh Brodbent is the Director of Public Sector Solutions Engineering at BeyondTrust. Throughout his 20-year career, Josh has worked with multiple federal agencies to secure their networks and architected over 3 million user accounts in the public sector for identity and access management solutions. At BeyondTrust, Josh leads a team of senior solutions engineers and architects in supporting the public sector vertical. BeyondTrust is a worldwide leader in intelligent identity and access security, empowering organizations to protect identities, stop threats, and deliver dynamic access to empower and secure a work-from-anywhere world. Our integrated products and platform offer the industry’s most advanced privileged access management (PAM) solution, enabling organizations to quickly shrink their attack surface across traditional, cloud and hybrid environments.
Josh can be reached online on LinkedIn and at our company website https://www.beyondtrust.com