Critical Infrastructure Protection: Risks and Best Practices

What is Critical Infrastructure Protection?

Critical infrastructure protection (CIP) involves securing networks, assets, and systems that must operate continuously to ensure the health and safety of regions, countries, or economies.

Due to the continuous development of machine to machine (M2M) networks and the Internet of Things (IoT), devices in industrial environments are increasingly connected to the Internet and can exchange data. M2M and IoT systems are valuable, but in many cases, are not sufficiently secure.

Industrial Control Systems (ICS) are used in many areas of critical infrastructure. They control everything from nuclear power plants and other utilities to heating, ventilation, and air conditioning (HVAC), robotics, and many aspects of physical facilities. Many of these systems have limited computing resources and connectivity. Therefore, network security was not considered a serious issue when they were designed.

However, today it is better understood that ICS systems face severe security issues. On the one hand, because they are critical systems, it is difficult to perform software updates. Antimalware measures may not be implemented due to limited computing resources. Additionally, more than 80% of these systems are owned and managed by the private sector, complicating government security operations.

In this article, you will learn:

• Why is Critical Infrastructure Protection Important?
• The Global Risk to Critical Infrastructure
• Best Practices to Secure Critical Infrastructure
• ‍Incident Response Planning
• Insider Threats Mitigation
• ‍Improved Visibility
• ‍eXtended Detection and Response (XDR)

Why is Critical Infrastructure Protection Important?

Core infrastructure is similar in most countries due to the basic requirements of modern life, but can vary depending on the needs, resources and level of development of the country.

The U.S. Department of Homeland Security (DHS) has identified 16 critical infrastructure areas, including communications, electrical utilities, critical manufacturing, defense systems, chemical manufacturers, emergency services, financial services, healthcare, food and agriculture, transportation systems, and water systems.

All these critical services are at risk of cyber attack. These threats can have catastrophic consequences, endangering entire regions and the global economy. The success of critical infrastructure protection programs depends on strong partnerships between government and business organizations. Success also depends on the security solutions used to manage and implement these plans.

It is important to be aware of the risks that can compromise the integrity of critical infrastructure systems. When considering system and network security, it is common to think about threats from hackers and terrorists. But other threats such as equipment failure, human error and natural causes (for example, the eather) should also be considered. It is important to consider as many of these risks as possible, when choosing a solution that detects and identifies security risks and anomalous behavior.

The Global Risk to Critical Infrastructure

In the Global Risks Report by the 2020 World Economic Forum, cyberattacks on critical infrastructure are identified as a top priority. According to the WEF, attacks on critical infrastructure are now commonplace across many industries including energy, healthcare and transportation.

The new reality is that almost all critical infrastructures operate in a digital environment, and as information technology continues to evolve, vulnerabilities too are evolving. Global connectivity, the IoT and the advent of smart cities further increases the global threat surface and creates new opportunities for attackers. Threat actors, including nation states, terrorists and organized crime, have become more sophisticated, and see critical infrastructure as a priority target.

A few recent examples of recent cyber attacks against critical infrastructure:

• Israel—the national cyber agency successfully stopped an Iranian state-sponsored attack on public water systems.
• Taiwan—the national energy company was hit by a ransomware attack, while NTT, a large communications provider, experienced a network breach.
• United States—a ransomware attack targeted critical infrastructure belonging to a natural gas compression facility. Authorities also announced an attack by a foreign government on two US municipalities.
• United States—in an unprecedented attack, hackers compromised the water system of a city in Florida, and attempted to introduce Sodium Hydroxide to the water, in a quantity that could be dangerous for human consumption. The chemical is regularly used in the water supply to control acidity, but in large quantities, could have posed a health risk to residents.

Best Practices to Secure Critical Infrastructure

There are many ways to improve the security of critical infrastructure and operational technology (OT) systems. Here are a few key best practices.

Incident Response Planning

An important but often overlooked part of OT security is a well-developed and well-executed crisis response plan. There are four key elements to OT incident response:

• Coordination of incident response plans—consolidate all existing policies, business continuity plans, operational and communication plans, and risks facing the organization.
• Cross-functional response team—build a crisis response team including representatives of the entire organization, including headquarters and operational departments, including security, legal, IT, OT, customer service, HR, etc.
• Written plan—develop a written crisis response plan that includes team members and responsibilities, threat indicators, decision procedures, and step-by-step responses for threats most likely to affect the organization. Keep the plan short and simple to make it usable in time of crisis and reduce response time. Plans should ideally be reviewed and updated at least once per year.
• Team training—the response team should be trained regularly on organizational systems, procedures, and new threats facing critical infrastructure. Use planned and unplanned “fire drills” to see that team members are really able to work together to respond effectively to threats.

Insider Threats Mitigation

Insider threats to critical infrastructure are not new, but have changed significantly in the past few decades.

Vendors, contractors, and business partners who have not passed security clearance are often used at critical infrastructure facilities to reduce costs. These individuals have direct access to critical infrastructure, and represent a major risk. In addition, the growing use of cloud services, remote access and web technologies makes it easy for malicious insiders, or attackers with ownership of a compromised user account, to inflict harm.

There are two important ways to address these vulnerabilities:

• Network segmentation—this involves splitting a network into separate parts, with limited access between them. Effective segmentation ensures that even if a malicious insider has access to one organizational system, they have limited ability to perform lateral movement and connect to additional sensitive systems.
• Zero trust—networks, IT and OT components in critical infrastructure organizations must adopt the principle of zero trust. There should be firewalls with strict rules between zones within the network, and any component connecting to another component must be authenticated.

Improved Visibility

Improving visibility into industrial networks and the risks they face is key to improving resilience and operational reliability of critical infrastructure. Effective visibility requires real-time infrastructure monitoring and an constantly updated inventory of network assets.

Equally important is achieving visibility across regional or global facilities. This requires close coordination, and using the same monitoring and security tools, across facilities. Unified visibility reduces maintenance overheads, speeds problem resolution, and improves staff efficiency. It enables decision making based on the most accurate and up-to-date information from across the enterprise.

eXtended Detection and Response (XDR)

XDR is a new approach that improves management, automation, and response of cyber threats. It is well suited for effectively connecting IT and OT, and protecting the networks of critical facilities.

Most organizations today operate endpoints like desktops, servers, and laptops, as well as IT equipment like switches, routers and firewalls, and operational technology (OT) entities like industrial machinery, smart building infrastructure, or IoT devices. According an IBM report, OT attacks increased in 2020 by 2,000% year over year.

XDR security technology goes beyond traditional security information and event management (SIEM) and endpoint detection and response (EDR). It extends protection beyond endpoints, providing detection and response across a wider range of systems and networks. This includes cloud services, local data centers, IT, OT and Internet of Things (IoT) networks.

XDR enables security teams to detect, investigate, and respond to threats across all these systems in one unified interface. It also provides advanced automation features which can help identify and react to complex threats faster.

Industrial Device Security with Cybeats

Looking at embedded devices is quite different than looking at servers in the IT space, it is common that there is no packages or information on the device to tap into for identification of assets to perform security analysis. Based on our vision that follows the NERC-CIP and IEC 62443 requirements, industrial device security has 2 main phases, the first phase is pre-market and the second is post-market. The approach to device security is fundamentally different at every phase. It is imperative to have proper security mechanisms and controls built-in and not bolt on the device from the early stages to mitigate the risks of every phase in the device’s lifecycle, especially if the device is mission critical and human safety might be at stake due to its failure.

During the development phase of the device, security focus is required on multiple aspects such as hardware security, identity of the device, cryptography and vulnerability analysis and assessment activities of its components. Companies are using various tools and open source projects to achieve results on this multiple aspects. Getting significantly successful results is complex taking in account we don’t have unlimited resources and effort we can put into this part of the development work. The first stage focusing on automated successful security program is to gain visibility into the device’s SBOM (Software Bill of Material) and runtime context as fundamental capabilities.

Once we achieve that we can advance to continuous vulnerability monitoring, security gap assessment, and most important vulnerability prioritization aka VPT. We can’t stop here. We need to be able to perform this every time when we change even one line of code in our application or change in a library and it has to be done for every device model in our product lines and every build of the firmware. We are looking at hundreds of such assessments per day. This can be only achieved by DevSecOps approach. Adding to your CI/CD pipeline continuous modeling of the device’s security posture enriching the data with threat intelligence indications of compromise, correlating with vulnerability information, and augmented by deep knowledge of the device’s operational context to understand the threat relevance. All this and more could be provided by utilizing Cybeats IoT security platform.