Around the world, critical infrastructure including energy, transportation, and healthcare is rapidly digitizing. Companies are connecting information technology (IT) and operational technology (OT) to increase operational efficiency and reduce costs. But converging these systems without also taking effective security measures creates unacceptable levels of risk. Organizations need to adopt and exercise an “assume breach” mindset, recognizing that breaches are inevitable, and policies need to be in place to stop a bad actor and limit their impact once they are in the system.
The Current State of Play
The good news is that the majority of organizations recognize the need to harden their security postures. According to a recent Gartner report, 81% are moving beyond cyber awareness and actively searching for vulnerabilities in their systems.
Critical infrastructure is a prime target for bad actors, which is why the federal government is taking strides to better secure critical infrastructure through new policies, tactics, and dedicated committees. An attack could cause widespread blackouts, make national transportation systems grind to a halt, and put lives at risk. Such was the case during the Colonial Pipeline cyberattack two years ago. Not to mention, attackers expect their victims to pay their ransom demands to restore encrypted systems.
What are the aspects of the public sector’s IT and OT connections that open the gate to risks, and what are the solutions available to address them?
Assuming Breach is Critical to Building Resilience
Older legacy systems were typically designed for a pre-digital age where cybersecurity was not a priority, so it’s difficult to guarantee the safety of any connected systems using normal network controls. In the past, agencies often implemented security measures through the podium model. This approach organized networks by layer, each separated by a firewall. The security challenge is that each layer is a trusted network. If malware infects one layer it can quickly spread undetected to all workloads and endpoint devices connected to it.
In the energy sector, heavy reliance on OT has increased exposure to ransomware attacks. Once bad actors gain access to the organization, malware may spread throughout connected systems, or the attacker can manually infiltrate the network to deploy it in critical areas. Conversely, if the main IT environment is compromised, ransomware can spread across all connected cyber-physical systems.
With the understanding that there is not a one-size-fit-all approach to detecting and mitigating a cyberattack, the most effective way for the critical infrastructure to protect itself is to become more proactive by exercising an “assume breach” mindset.
Zero Trust Reduces Risk in Today’s Hyperconnected Environments
During and following the pandemic, which forced many people to work from home, organizations installed different systems and applications onto single devices like laptops, mobile phones, etc. Therefore, there are many areas for compromise, which calls for a shift in thinking from protecting a network to protecting each of these loose endpoints.
Exercising an assume breach mindset is less a matter of keeping the bad actors out and more a matter of implementing policies that only allow trusted individuals in. With single devices running multiple applications, it is essential that you control which other endpoints and networks a device interacts with, understand the potential risks, and put in place the appropriate rules when necessary.
OT and IT are converging, moving away from separate worlds to become an integrated function. Security must converge as well to protect both of these environments.
The Biden administration issued its zero-trust mandates to compel the US government to shift its cybersecurity approach to build resilience. Regardless of where organizations believe they need to adopt a zero-trust mindset and how frequently the term surfaces in cybersecurity conversations, the principles are becoming globally recognized and implemented. It’s about shifting the mindset and changing people’s approach to cybersecurity, not adopting a specific solution. It would be remiss for organizations not to foster this mindset, as they will be unable to plan accordingly in the case of an attack and the subsequent consequences.