Ransomware and malware continue to wreak havoc on the manufacturing industry and critical infrastructure. One approach used to defend against this threat that’s gaining momentum, including with the Biden administration, is adopting zero-trust principles. Zero trust is a security framework requiring all users, whether inside or outside of the organization’s network to be authenticated, authorized and continuously validated before gaining access to applications and data.
How can zero trust help protect critical infrastructure? It’s not the only option, but it’s an excellent solution for both information technology (IT) and operational technology (OT), said Ritesh Agrawal, CEO and co-founder at Airgap Networks.
Critical infrastructure vulnerabilities
With recent attacks on water/wastewater facilities, food and beverage makers and the transportation sector, it seems critical infrastructure is more vulnerable than ever. One of the primary reasons is that critical infrastructure is going through a transition phase that has been accelerated because of the COVID-19 pandemic.
“The IT and OT gap has really shrunk quite a bit because of COVID,” Agrawal said. “People had to open up their critical infrastructure to access from locations that were traditionally not allowed. That has completely changed the geometry of their connectivity and increased vulnerability overall. Traditionally, the critical infrastructure has been a bit behind the IT infrastructure in terms of their technology adoption, and rightfully so. You don’t have as much luxury for downtime as a 24/7 operation versus an IT organization that could take a weekend to upgrade their gear or change anything. These assets are typically more expensive compared to an IT laptop for that matter.”
A typical machine used in critical infrastructure could cost millions of dollars, weigh a ton and have been running for decades. It’s not something organizations can easily upgrade. On the OT side, many companies have relied on the idea of an air gap, or physical security. Several factors — from COVID to advancements in technology to the adoption of the Internet of Things (IoT) — have made that a relic of the past and contributed to a higher number of vulnerabilities in recent years.
When it comes to protecting essential networks, there are several areas security leaders should focus on, Agrawal said. It all begins with visibility. Industrial spaces must know what they have, and that comes down to asset inventory and management. Once they know which assets are vulnerable, they have the ability to understand the overall risk posture. Then, it’s essential to segregate those devices though segmentation. The idea is to contain the blast radius so an IT breach doesn’t spill over into OT and vice versa.
Then you need to establish some access-control mechanism to reduce the internal attack surface. One infected device should not infect another. Once you understand which of the segments is more vulnerable and restrict access to those devices, the next step is vulnerability management.
“The organization should also be focusing on ongoing monitoring and detection,” Agrawal said. “Security is not a one-and-done business, as you already know. We need to be able to monitor this on a regular basis. And regardless of all that you do, there is still a chance that you might get breached.”
That’s why it’s important for every organization to create a solid incident response and management solution and to partner with their vendors. Attackers are getting smarter and using new tools like ChatGPT to get into organizations and create havoc, so you need to take tangible steps to help secure your assets and educate your team.
The perfect zero-trust example
Why is zero trust a good solution to these problems? Agrawal said the lightbulb moment for him came when he was working with telecommunications companies and asked himself the question, “Why don’t we see breaches on endpoints like cellphones?” If something happens to an AT&T or Verizon subscriber, that problem never jumps to another subscriber like IT and OT breaches tend to.
“My initial instinct was that the telco subscriber network probably employs a lot of security tools to safeguard their endpoints. My learning was it’s quite the opposite,” Agrawal said. “They do not buy security appliances to the extent that the enterprise IT organizations do. And as an entrepreneur, that created a spark in my brain that said, ‘I’ve got to scratch the itch here.’ … I figured out that the reason for all of these endpoints to be as safe as they are is because each of these endpoints is segregated in a network of its own, a so-called network of one. This is a perfect zero-trust environment.
“And trust me, the reason the mobile network is secure is not because these endpoints are more secure. As a matter of fact, Android is touted to be the most vulnerable operating system on the planet as of now. So, bottom line, they’re as secure as they are because they’re all put in a network of one.”
Zero trust in complex OT environments
When dealing with complex OT environments like critical infrastructure, zero trust is an excellent solution, but it’s also much harder to implement. Agrawal said OT is probably a decade behind IT in terms of modernization, which makes it much more difficult to add any new technology. The second thing that makes OT more complicated is that it deals with regulated devices, so even if the organization wants to make changes, they’re often not authorized to.
For these reasons — and despite the complications — zero trust becomes even more important in OT environments. Agrawal said the goal should be to make zero trust easy for organizations that may be behind in terms of technology adoption, especially as the U.S. government is now touting zero trust as essential for critical assets.
Protecting critical infrastructure all starts with awareness — making sure you understand that there is vulnerability in your systems. Attackers are becoming more dangerous with the adoption of new technologies like artificial intelligence (AI). Complex OT networks need to adopt solutions like zero trust to help protect the communities they serve and ensure the safety of the populace.
“[Threat actors] have realized that attacking critical infrastructure is relatively easier for all of the good reasons we discussed earlier. They get paid sooner because this is critical infrastructure,” Agrawal said. “If you bring down a factory, some analysts have reported that the cost to the downtime is about $17,000 per minute, which totally makes sense. If you’re a Coca-Cola factory doing $100 million a day or whatnot in your factory, and if you bring it down, you can do the math pretty easily. And they’re under pressure to pay out. Unlike an IT organization that may have a disaster recovery plan, you cannot have a disaster recovery plan for a hospital or for an airport. It’s just down. It’s down. There’s nothing you can do about it.”