Critical infrastructure is now a prime target for hackers and hostile nation states, as evidenced by attacks on Ukraine’s power grid and oil and gas production in the Middle East, along with multiple attacks on U.S. assets. Given their age, combined with the digital transformation of operational technology and pressure to integrate with information technology, many of these infrastructure systems are becoming increasingly vulnerable to cyberattack.
This exposure is amplifying federal agencies’ calls for industry to take action. In October, the Cybersecurity and Infrastructure Security Agency (CISA) issued voluntary cross-sector Cybersecurity Performance Goals to provide a common set of foundational cybersecurity practices for critical infrastructure operators. In November, the National Institute of Standards and Technology announced it is seeking public input on a new cybersecurity reference architecture for the water and wastewater systems sector. Both of these actions resulted from the Biden Administration’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. These build on 2016 Department of Homeland Security guidance that did not result in sufficient industry action.
Operators need to improve their cybersecurity measures. Yet it can be challenging to know where to start and how to prioritize what may seem like an overwhelming task. The following insights may help.
Identify the Weakest Points
Even with the multitude of possible points of entry and the many types of exploits that may be utilized, the most common cyber threat vectors fall into three primary categories:
- Connected Process Control Systems
The rise of automated and connected process control systems (PCSs), such as human-machine interfaces (HMIs), programmable logic controllers (PLCs), data historians, and supervisory control and data acquisition (SCADA) systems, enables water operators to increase operational efficiency, proactively maintain equipment, and remotely manage systems and devices. Unfortunately, it also increases exposure to cyberattacks that can disrupt utility assets and even impact supply. Most currently installed devices have little to no security functionality; many cannot even be updated or patched.
- External Connections
External connections for remote access, vendors and supply chains provide opportunities for unauthorized ingress into utility networks. Many operations now require connections to third parties from the secure operational technology network. That means the security of operators’ networks is only as strong as the security of the vendors that have trusted access.
Insider Threats and Stolen CredentialsWorkers that are closest to the physical systems within a utility’s network have the most opportunities to perpetrate a cyberattack or cause accidental exposure. It is incumbent upon critical infrastructure operators to thoroughly vet employees to assess their trustworthiness. But training is also essential to teach them about avoiding increasingly common exploitative attacks like spear phishing or social engineering that create security loopholes through stolen credentials.
Five Steps to Strengthen Defenses
There is no one solution to securing those different threat vectors. Traditionally operators have deployed standard software-based cybersecurity technologies like firewalls and role-based access for security. While these technologies are highly valuable defensive tools, software by its nature is still vulnerable. Hardware-enforced technologies such as data diodes can fortify defenses by allowing only one-way data flow to isolate operational technology networks from external cyberthreats, while still allowing data sharing with outside users and systems.
- Build Defense-in-Depth
A defense-in-depth approach prevents a cybersecurity architecture from relying on a single strategy or element to defend a network. An appropriate approach should include a combination of user authentication, data encryption, firewalls, security information and event management (SIEM), antivirus, and data diodes to block threats and significantly reduce attack vectors.
- Secure Process Control Systems
PCSs are typically third-party devices and applications for automating and monitoring processes within a utility’s environment. They are typically controlled and monitored by a centralized SCADA system, which should be the first priority for PCS security planning. Connected PCSs need to be secured against inbound file transfers (like software updates), outbound data transfers, and remote command and control. Hardware-enforced diode security can scan, filter and transfer files integral to PCS operations—such as email, alerts, historian data and patches—preventing unauthorized access while allowing critical data to be shared to IT networks.
- Secure Third-Party Connections
External connections increase network exposure. That includes connections to current and former third parties that may have access to sensitive data and systems. Operators frequently overlook trusted connections when thinking they have successfully isolated their control systems from external access. To reduce the risk of supply chain cyberattacks, operators should maintain a list of all connections and eliminate any that are unnecessary or redundant. Convert any two-way connections used only for monitoring to one-way outward connections. Also convert any two-way connections that only transfer data into the network (software updates, etc.) to one-way in. Whatever two-way connections remain should be heavily monitored. As noted in the Department of Homeland Security’s Seven Strategies to Defending Industrial Control Systems, data diodes will harden each of these data paths to significantly reduce the risk of external cyberattack.
- Implement Network Segmentation
Operators commonly disconnect operational systems from external access, especially those who have outdated systems or limited cybersecurity resources. But complete disconnection eliminates access to both would-be attackers and authorized users. Data diodes can allow safe transfer of data outside the operational network, but the effective “air gap” prevents unauthorized external access to sensitive operational technology systems.
- Minimize Insider Threat Opportunities
Thoroughly vet staff with sensitive system access and limit that access based on the “least privilege” principle. By limiting or eliminating external access points and implementing more sophisticated authentication, organizations can also mitigate, contain, or prevent some of the most common types of attacks from inside the operational technology network. While there is no way to fully prevent insider threats, containing the threat of stolen credentials or “insider-by-proxy” is an important consideration for any critical infrastructure operator.