There is no secure critical infrastructure without identity-based access
Organizational security strategy has long been defined by an internal perimeter enclosing all a company’s information in a single secure location. Designed to keep external threats out through firewalls and other intrusion prevention systems, this security model permits trusted insiders virtually unrestricted access to corporate IT assets and resources. Practically speaking, this means any user who has access to the network could also access proprietary and sensitive information, regardless of their job title or requirements.
As companies continue to struggle with differentiating between authorized users and attackers, many are turning to identity-based solutions to better secure their systems while maintaining business continuity and employee productivity. In fact, Gartner forecasts that by 2024, 30% of large enterprises will implement new identity-proofing tools to address common weaknesses in workforce identity processes and networks.
Unfortunately, critical infrastructure organizations are lagging far behind when it comes to adopting identity-based security and modernizing their systems, which often include both operational technology (OT) and information technology (IT) components. Whereas OT systems were once separated from other technologies and considered largely impenetrable, IT and OT are now converging or, at the very least, running side by side. This development has introduced a proliferation of new and dangerous risks.
Indeed, despite the rising threats facing critical infrastructure systems, IBM’s latest Cost of a Data Breach report found that while 41% of organizations overall have implemented some level of identity-based access solutions, only 21% of critical infrastructure organizations have done so. Likewise, 54% of organizations claim their IT departments are not advanced enough to handle today’s cyberattacks. This lack of adoption of more advanced security solutions heightens these organizations’ vulnerability to insider threats or attackers who manage to breach the insecure perimeter.
Why are threats to critical infrastructure increasing?
In the past few years, digital transformation processes have increased the challenge of securing a company’s data and controls. This is particularly true in the realm of operational technology. Objects that had once been purely physical, such as a pump or valve, now have digital sensors or controls attached to them. While this digital transformation has allowed for greater efficiency, it has also led to a massive growth in the number of devices, equipment and systems that need to be secured – inevitably increasing the attack surface.
Aside from digital advancements, geopolitical tensions also serve as a driving force behind both OT and IT cyberattacks, as some nations and actors see cyberattacks as a way to fuel global disruption without resorting to traditional combat. In fact, the IBM report cited above also reveals that ransomware and destructive attacks represented 28% of breaches amongst the critical infrastructure organizations studied. This shows how threat actors seek to fracture global supply chains, disrupt economies, and generally wreak havoc on an international scale.
How does identity-based security help mitigate cyber risks for critical infrastructure?
Unlike perimeter-based security, which grants access based on inherited parameters such as presence on the internal network, identity-based access ensures that users are explicitly verified and then continuously authorized as they seek access to each resource. This approach also limits the ability of attackers to gain visibility into potential application vulnerabilities.
When it comes to critical infrastructure, perimeter-based technology is especially problematic because remote access is often vital to operations. Operators regularly need to manage distributed OT systems offsite and from different parts of the world, and third-party vendors also frequently need access to perform crucial tasks, such as maintenance. By replacing legacy remote access solutions that predominantly work on a perimeter-based scale with an identity-based solution, OT/IT organizations can secure remote, on-site, and third-party users at the same time and with a single platform.
How can OT/IT companies best implement identity-based solutions?
Before integration of an identity-based solution ever takes place, organizations must first decide how to operate their OT and IT departments most effectively. Typically, many companies choose to converge their OT and IT departments as critical infrastructure becomes more digitized and they seek to improve efficiency. However, permanently merging the two departments has been found to increase the risk of breaches or hacks that can permanently compromise an OT system. Rather than permanently integrating the two departments, companies should consider having their IT interface securely with their OT (instead of integrating the two) to provide both security and efficiency.
Once businesses understand how identity-based solutions operate, they can start the process of implementing the security model in their organization, beginning by adding multi-factor authentication (MFA) to critical and legacy applications. MFA means that additional authentication factors are required beyond a simple password to validate a user.
Second, organizations should begin a phased approach of gradually adding different access points for different groups of users, based on their level of risk. In most cases, especially when it comes to critical infrastructure, third-party vendors are the most vulnerable link in an organization’s security chain. By ensuring strong authentication for these parties (e.g., contractors and suppliers), businesses can significantly reduce the risk of an attack. After strong authentication is enacted, these vendors can then be migrated to full identity-based access.
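The following is an added illustration (not code from the article or any vendor product) of the difference between the two access models described above: a legacy perimeter decision that trusts anyone on the internal network, beside an identity-based decision that checks who the user is, whether MFA was completed, whether their group (employee, operator, third-party vendor) is authorized for the specific resource, and whether the session is still fresh enough to count as continuously authorized. The resource names, groups, and session limits are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    group: str            # constructed groups: "employee", "operator", "vendor"
    mfa_verified: bool    # did the user complete a second factor this session?
    source_network: str   # "corporate" (inside the perimeter) or "internet"
    resource: str         # the OT/IT asset being requested
    session_age_min: int  # minutes since the user last authenticated


# Constructed per-resource policy: who may reach it, whether MFA is required,
# and how old a session may be before the user must re-authenticate.
RESOURCE_POLICY = {
    "hmi-pump-station":   {"groups": {"operator"},           "mfa": True,  "max_session_min": 30},
    "maintenance-portal": {"groups": {"operator", "vendor"}, "mfa": True,  "max_session_min": 15},
    "intranet-wiki":      {"groups": {"employee", "operator"}, "mfa": False, "max_session_min": 480},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the internal network is the only check, so a
    trusted insider (or an attacker who got inside) can reach any asset."""
    return req.source_network == "corporate"


def identity_decision(req: Request) -> tuple[bool, str]:
    """Identity-based model: explicit verification and per-resource authorization
    on every request, re-checked as the session ages, regardless of network."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if req.group not in policy["groups"]:
        return False, "group not authorized for resource"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if req.session_age_min > policy["max_session_min"]:
        return False, "session expired: re-authenticate"
    return True, "allowed"


if __name__ == "__main__":
    # Insider on the corporate LAN without MFA: perimeter says yes, identity says no.
    insider = Request("alice", "employee", False, "corporate", "hmi-pump-station", 5)
    # Remote vendor with MFA on the portal they are entitled to: perimeter blocks, identity allows.
    vendor = Request("bob", "vendor", True, "internet", "maintenance-portal", 5)
    for r in (insider, vendor):
        print(r.user, "perimeter:", perimeter_decision(r), "identity:", identity_decision(r))
```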
As cyberattacks against critical infrastructure continue to increase, organizations in these vulnerable environments must recognize the holes and challenges their current security models possess.