Critical infrastructure is now in cyber criminals’ crosshairs

Importantly, a weapon – or, more accurately, a collection of weapons – is gaining ground over traditional network security concepts.
By Paul Stuttard, Director, Duxbury Networking.
Johannesburg, 08 Oct 2021

The ongoing war between data defenders and data thieves is reaching unprecedented levels of intensity. The global cost of cyber crime continues to skyrocket and will reach a staggering $1 trillion in 2021, according to a report by cyber security firm McAfee.

Globally, the average cost of a data breach in 2020 was $3.86 million, according to the Ponemon Institute's Cost of a Data Breach report, which also found that 52% of all data breaches were caused by malicious attacks rather than system glitches or human error.

In this light, organisations need the latest weapons in their arsenals to fight the growing armies of organised cyber criminals. Of particular importance is one weapon, or more accurately a collection of weapons, that is gaining ground over traditional perimeter-based network security.

Research consistently identifies critical infrastructure operators, in both the public and private sectors, as among the organisations most exposed to cyber attack.

Critical infrastructure, as defined by most governments, includes assets vital to national security, governance, public health and safety, the economy and public confidence. These include plants dedicated to, for example, chemical processing, pulp and paper manufacture, power generation, water purification, oil and gas processing and telecommunications.

These and similar targets in the private sector present golden opportunities for cyber criminals motivated by financial gain, or simply by the desire to cause disruption, using phishing, ransomware and other attacks.

Malicious attacks often result in operational shutdowns and damaged equipment, triggering serious financial and intellectual property losses and, in the case of industrial plants, health and safety risks for workers and the surrounding community.

Why do critical infrastructure assets present appealing targets? Simply put, the industrial control systems (ICSs) that run their critical processes are vulnerable. Many rely on legacy software and hardware that cannot support modern security controls such as regular patching, encrypted communications and strong authentication, and they often have no access management at all.

ICSs are embedded devices that operate many of the constituents of critical infrastructure. They belong to the operational technology (OT) domain, whose priorities (availability and physical safety first, with equipment lifetimes measured in decades) differ markedly from those of enterprise information technology (IT).


ICS and OT are thus responsible for the direct control and monitoring of industrial assets, equipment, events and processes. An unanticipated change to a system's programmable logic controllers (PLCs), for example, could take a power plant out of service or cause an automated communications system to fail.

According to the US National Institute of Standards and Technology (NIST), in its guide to ICS security (NIST SP 800-82), ICS vulnerability stems from issues that include inadequacies in security architecture design, a lack of regular security audits of the ICS environment, unsatisfactory security policies and a lack of ICS-specific configuration change management.

In addition, NIST highlights a lack of formal ICS security training and awareness within key industries, the general absence of administrative mechanisms for security enforcement and common deficiencies in terms of ICS continuity of operations, disaster recovery and specific security procedures.

Adding fuel to the fire are the increasing numbers of industrial internet of things (IIoT) devices being introduced by organisations in bids to improve productivity and enhance system control.

Importantly, IIoT incorporates machine learning and big data analysis, while harnessing sensor data and facilitating machine-to-machine communication. The application of IIoT devices has simplified process control, improved data monitoring and significantly raised performance benchmarks associated with tasks such as data aggregation, predictive analysis and prescriptive analysis.

As such, IIoT has also contributed to improved industrial designs, accelerated product development and underpinned advances in automation, transforming the daily operations of many industrial firms.

However, because IIoT devices are frequently coupled with OT devices and communicate directly with IT systems, they bridge networks that were once physically separate, and exposure to cyber attacks is considerably increased.

Organisations must therefore gain full visibility of every IIoT device on their network, patch or otherwise mitigate its vulnerabilities as quickly as possible and so contribute to the security of their critical ICS systems.

One of the increasingly accepted methods to achieve these goals while preventing unauthorised access to critical systems is the adoption of a Zero Trust Architecture (ZTA). "Zero Trust" is a security model realised through a collection of complementary modern technologies working together to protect data as it travels across devices, applications and locations around the world.

While the term was more recently popularised by the Forrester research organisation (analyst John Kindervag coined it there in 2010), it has its roots in Stephen Marsh's 1994 doctoral thesis, Formalising Trust as a Computational Concept.

Marsh's work is described as "a thorough study of trust": it treats trust as something finite that can be expressed as a mathematical construct rather than simply a confrontational or purely human phenomenon. Marsh inferred that "zero trust" surpasses "distrust" when it comes to securing computing systems, applications and networks.

On this basis, a ZTA is, in essence, a security concept founded on the simple principle that nothing, whether inside or outside the network, should have access to corporate systems without continuous verification: being on the corporate LAN is not, by itself, a reason to trust a user or device.

The European-based KuppingerCole analyst group says the ZTA concept is grounded on the assumption that any network is always hostile and thus any IT system, application or user is constantly exposed to potential external and internal threats.

It's worth noting that Zero Trust security doesn't focus on specific types of technology, solutions or products. Instead, it refers to a range of technologies and processes that security teams combine to reduce the risk of data breaches by managing user identities, minimising each individual's access to data and monitoring data flows.

These technologies, working in unison, include multi-factor authentication, virtual private networks (in a ZTA scoped to individual applications rather than granting broad network access), identity and access management, data encryption, privileged access management, least-privilege user permissions and adaptive authentication for users.
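The following is an added example written for this page, not code from the article or from any product: a minimal Zero Trust policy decision point that applies the principle above (continuous, per-request verification with no trust granted to network location) to a hypothetical plant network. The resource names, roles, MFA thresholds and sample requests are all constructed assumptions. Note that the source IP is recorded for the audit trail but never consulted when deciding, so a request from the plant LAN fares no better than one from a public address.

```python
# Added example: a minimal Zero Trust policy decision point (PDP) for an OT
# environment. Illustrative code written for this page, not the article's or
# any vendor's implementation. Resource names, roles, thresholds and the
# sample requests are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
import math


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # grant only after a fresh MFA challenge


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_age_s: float        # seconds since the last successful MFA (inf = never)
    device_managed: bool    # enrolled in device management
    device_patched: bool    # posture check: OS and agent up to date
    src_ip: str             # kept for the audit trail only; never a trust signal
    resource: str
    action: str


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_roles: frozenset
    sensitive: bool         # sensitive resources need a patched device
    max_mfa_age_s: float    # how recent the last MFA must be


# Hypothetical resources in a plant network (constructed for the example).
POLICIES = {
    "hmi/plc-config":     ResourcePolicy(frozenset({"ot-engineer"}), True, 15 * 60),
    "historian/readonly": ResourcePolicy(frozenset({"ot-engineer", "analyst"}), False, 8 * 3600),
}


def evaluate(req: Request, policies=POLICIES) -> tuple:
    """Decide one request. Every check is identity-, device- or resource-based;
    req.src_ip is deliberately never consulted."""
    policy = policies.get(req.resource)
    if policy is None:
        return Decision.DENY, "unknown resource (default deny)"
    if not (req.roles & policy.allowed_roles):
        return Decision.DENY, "role not authorised for resource"
    if not req.device_managed:
        return Decision.DENY, "unmanaged device"
    if policy.sensitive and not req.device_patched:
        return Decision.DENY, "device fails posture check for sensitive resource"
    if req.mfa_age_s > policy.max_mfa_age_s:
        return Decision.STEP_UP, "MFA older than policy allows; re-authenticate"
    return Decision.ALLOW, "identity, device and MFA checks passed"


def audit_record(req: Request, decision: Decision, reason: str) -> dict:
    """Flow-monitoring record: every decision is logged, allowed or not."""
    return {"user": req.user, "src_ip": req.src_ip, "resource": req.resource,
            "action": req.action, "decision": decision.value, "reason": reason}


# Constructed sample requests. The requests from the plant LAN (10.0.0.0/8)
# get no advantage over the ones from a public address.
ENGINEER = frozenset({"ot-engineer"})
ANALYST = frozenset({"analyst"})
SAMPLES = [
    ("engineer, LAN, fresh MFA",
     Request("alice", ENGINEER, 60, True, True, "10.0.0.5", "hmi/plc-config", "write")),
    ("engineer, LAN, stale MFA",
     Request("alice", ENGINEER, 2 * 3600, True, True, "10.0.0.5", "hmi/plc-config", "write")),
    ("engineer, LAN, unmanaged laptop",
     Request("alice", ENGINEER, 60, False, True, "10.0.0.9", "hmi/plc-config", "write")),
    ("analyst, LAN, wrong role",
     Request("bob", ANALYST, 60, True, True, "10.0.0.7", "hmi/plc-config", "write")),
    ("analyst, remote, read-only historian",
     Request("bob", ANALYST, 3600, True, True, "203.0.113.7", "historian/readonly", "read")),
    ("analyst, remote, never did MFA",
     Request("bob", ANALYST, math.inf, True, True, "203.0.113.7", "historian/readonly", "read")),
]


def run_samples(samples=SAMPLES) -> list:
    """Evaluate every sample; return (label, decision, audit record) tuples."""
    out = []
    for label, req in samples:
        decision, reason = evaluate(req)
        out.append((label, decision, audit_record(req, decision, reason)))
    return out


if __name__ == "__main__":
    for label, decision, rec in run_samples():
        print(f"{label:40s} -> {decision.value:8s} {rec['reason']}")
```

In a real deployment the role, device and MFA inputs would come from the identity provider and the device-management agent, and the policy engine would re-run on every request (or on every session refresh) rather than once at login; that re-evaluation is what "continuous verification" means in practice.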

Appropriately, the last words come from Joel Witts from Expert Insights, a cyber security and technology research platform: “It’s important to remember that Zero Trust is a process designed to work across your entire network infrastructure. It is an evolving set of cyber security paradigms that move defences from static, network-based perimeters to focus on users, assets and resources.”

He adds that “implementing a ZTA is a journey rather than a wholesale replacement of infrastructure or processes. An organisation should seek to incrementally implement Zero Trust principles, process changes and technology solutions that protect its highest value data assets.”