Cybersecurity of Our Infrastructure: Series Conclusion

Current Issues Within Critical Infrastructure:

- The unification of comprehensive practices throughout all critical infrastructure organizations

  • Social

    • Reputational Pressures: the shadow of bad press can bring about the downfall of an organization, causing public distrust in its leadership’s ability to run the company in a logical and profitable manner. Companies watching the backlash from catastrophic cyber attacks gain the motivation necessary for integral cybersecurity practices. (This is also motivation in the opposite situation: when a company is praised for gracefully handling a cyber event, it persuades other organizations of the benefits that cybersecurity consciousness brings.)

  • Moral

    • Moral Pressures: vocalizing the inherent benefits of cybersecurity, despite the other problems (economic, political) it may seem to pose to public and private groups, can become a tool for optimizing the outcomes a cybersecurity focus has on an organization. This is how you incentivize cybersecurity for other companies while ensuring your own company’s cyber efforts aren’t misconstrued as biased or frivolous.

  • Economic

    • Enforcement: going on the offensive against attacks; the organization hacks into the malicious group’s system and maintains access to their essential data and technologies as a warning not only to the perpetrating organization but to other potential cyber attackers.

    • Market Pressure: making every organization understand the societal and economic costs of a detrimental cyber attack. This can be accomplished through pressure from governing organizations to adhere to certain cybersecurity standards or face impactful penalties, or by using the high costs that cyber insurance poses to persuade all organizations that the investment in all-encompassing cyber protection is worth the avoidance of out-of-pocket costs from inadequate cyber practices.

  • Technical

    • Lack of Segmentation: the use of perimeter security is dwindling but still prevalent within our critical infrastructure technologies. Perimeter security gives a single barrier between the external and internal systems; once it is breached, the hacker can navigate through anything within the system. With segmented access there are multiple checkpoints within the internal system, so the majority of data stays protected when a minority of the internal system has been compromised. With the rise of multifactor authentication and zero-trust architecture, segmentation is now considered a foundational necessity. The hope is for all operational and informational systems paramount to the regular activity of our critical infrastructure to implement multiple segmented systems for maximum security caution.

    • Industrial Internet of Things (IIoT): with the increase in remote work over the past two years, the connectivity of critical systems has grown broader. This poses serious cyber risks, as greater connectivity is directly proportional to the potential for successful cyber attacks. While cyber leaders in all sectors are increasingly aware of the threat the IIoT poses, it will take some time to find a solution for connecting employees remotely in the most secure way possible.

    • Outdated Technologies: many of the technologies in our critical infrastructure were developed in the 1970s-80s, making them extremely outdated and unprepared for the cybersecurity practices essential for preemptive and mitigative action against cyber attacks. What is truly needed is a complete reformation of the OT in our infrastructure, built with cybersecurity as an inherent part of the design instead of an ad hoc afterthought.

Looking to the future:

In 2021, the Biden administration called for further action from all public and private critical infrastructure agencies to protect U.S. critical infrastructure. While cybersecurity isn’t the only concern in this call to action, it is the prevalent topic discussed in the official fact sheet released by the White House. The improvements are as follows:

  • Direct the DHS’s Cybersecurity & Infrastructure Security Agency (CISA) and the DOC’s National Institute of Standards and Technology (NIST) to collaborate with other agencies and develop cybersecurity performance goals for critical infrastructure.

  • Formal establishment of the President’s Industrial Control System Cybersecurity Initiative. The ICS initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. The Initiative began in mid-April 2021.

At the same time, the TSA (Transportation Security Administration) issued a Security Directive for critical pipeline owners and operators transporting hazardous liquids and natural gas. They urged them to implement:

  • Specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems.

  • A cybersecurity contingency and recovery plan

  • An annual cybersecurity architecture design review

More recently, DHS and CISA have provided specific guidelines on how each sector should update its cybersecurity practices. With the growing concern over domestic and international cyber threats, they have designated 8 separate areas organizations should look to for optimal cyber rejuvenation:

  1. Account Security

    1. Detection of unsuccessful login attempts: all unsuccessful logins are logged and sent to an organization’s security team or relevant logging system. For IT assets, there is a system-enforced policy that prevents future logins for suspicious accounts.

    2. Changing default passwords: an enforced organization-wide policy and/or process that requires changing default manufacturer passwords for any and all hardware, software, and firmware before being put on any internal or external network.

    3. Multifactor Authentication: hardware-based MFA is enabled where available; if not, soft tokens should be used; MFA via SMS should only be used when no other option is possible.

    4. Minimum Password Strength: organizations have a system-enforced policy that requires a minimum password length of 15 or more characters for all password-protected IT assets, and for all OT assets where technically possible.

    5. Separating User and Privileged Accounts: no user account should always have administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role. Privileges are reevaluated on a recurring basis to validate the continued need for a given set of permissions.

    6. Unique credentials: organizations provision unique and separate credentials for similar services and asset access on IT and OT networks. Users do not (or cannot) reuse passwords across accounts, applications, services, etc.

    7. Revoking credentials for departing employees: a defined and enforced administrative process, applied to all departing employees by the day of their departure, that revokes and securely returns physical badges, key cards, tokens, etc., and disables all user accounts and access to organizational resources.

  2. Device Security 

    1. Hardware and software approval process: implement an administrative policy or automated process that requires approval before new hardware, firmware, or software is installed or deployed. Organizations maintain a risk-informed allowlist of approved hardware, firmware, and software, including a specification of approved versions, when technically feasible.

    2. Disable macros by default: a system-enforced policy that disables Microsoft Office macros, or similar embedded code, by default on all devices. If macros must be enabled in specific circumstances, there is a policy for authorized users to request that macros be enabled on specific assets.

    3. Asset inventory: maintain a regularly updated inventory of all organizational assets with an IP address (including IPv6), including OT. This inventory is updated on a recurring basis, no less than monthly for both IT and OT.

    4. Prohibit connections of unauthorized devices: organizations maintain policies and processes to ensure that unauthorized media and hardware are not connected to IT and OT assets, such as by limiting the use of USB devices and removable media or disabling AutoRun.

    5. Document Device configurations: organizations maintain documentation describing the baseline and current configuration details of all critical IT and OT assets, to facilitate more effective vulnerability management and response & recovery activities. Periodic reviews and updates are performed and tracked on a recurring basis.

  3. Data Security

    1. Log collection: access and security-focused logs are collected and stored for use in both detection and incident response activities. Security teams are notified when a critical log source is disabled, such as Windows Event Logging.

    2. Secure log storage: logs are stored in a central system, such as a Security Information and Event Management (SIEM) tool or central database, and can only be accessed or modified by authorized and authenticated users. Logs are stored for a duration informed by risk or pertinent guidelines.

    3. Strong and agile encryption: properly configured and up-to-date transport layer security (TLS) is utilized to protect data in transit where technically feasible. Organizations should also plan for identifying any use of outdated or weak encryption and updating to sufficiently strong algorithms, and consider managing the implications of post-quantum cryptography.

    4. Secure sensitive data: sensitive data, including credentials, is not stored in plaintext anywhere in the organization, and can only be accessed by authenticated and authorized users. Credentials are stored in a secure manner, such as with a credential/password manager or vault, or a privileged account management solution.

  4. Governance and Training

    1. Organizational cybersecurity leadership: a named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities. This role may undertake activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development to inform future positioning.

    2. OT cybersecurity leadership: a named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of OT-specific cybersecurity activities.

    3. OT cybersecurity training: in addition to basic cybersecurity training, personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis.

    4. Improving IT and OT cybersecurity relationships: organizations sponsor at least one “pizza party” or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel, and is not a working event (such as providing meals during an incident response).

  5. Vulnerability management

    1. Mitigating known vulnerabilities: all known exploited vulnerabilities in internet-facing systems are patched or otherwise mitigated within a risk-informed span of time, prioritizing more critical assets first.

    2. Vulnerability disclosure/report: consistent with NIST SP 800-53 Revision 5, organizations maintain a public, easily discoverable method for security researchers to notify the organization’s security team of vulnerable, misconfigured, or otherwise exploitable assets. Valid submissions are acknowledged and responded to in a timely manner, taking into account the completeness and complexity of the vulnerability. Validated and exploitable weaknesses are mitigated consistent with their severity.

    3. Deploy security.txt files: all public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.

    4. No exploitable services on the internet: assets on the public internet expose no exploitable services, such as RDP. Where these services must be exposed, appropriate compensating controls are implemented to prevent common forms of abuse and exploitation. All unnecessary OS applications and network protocols are disabled on internet-facing assets.

    5. Limit OT connections to the public internet: no OT assets are on the public internet unless explicitly required for operation. Exceptions must be justified and documented, and excepted assets must have additional protections in place to prevent and detect exploitation attempts.

    6. Third-party validation of cybersecurity control effectiveness: third parties with demonstrated expertise in cybersecurity regularly validate the effectiveness and coverage of an organization’s cybersecurity defenses. These exercises, which may include penetration tests, bug bounties, incident simulations, or table-top exercises, should include both unannounced and announced tests. Exercises consider both the ability and impact of a potential adversary infiltrating the network from the outside, as well as the ability of an adversary within the network to pivot laterally to demonstrate potential impact on critical systems.

  6. Supply Chain/ Third Party

    1. Vendor/Supplier Cybersecurity Requirements: organizations’ procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.

    2. Supply chain incident reporting: procurement documents and contracts, such as Service Level Agreements (SLAs), stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed timeframe as determined by the organization.

    3. Supply chain vulnerability disclosure: procurement documents and contracts, such as Service Level Agreements (SLAs), stipulate that vendors and/or service providers notify the procuring customer of confirmed security vulnerabilities in their assets within a risk-informed timeframe as determined by the organization.

  7. Response and Recovery

    1. Incident reporting: organizations maintain codified policy and procedures on to whom and how to report all confirmed cybersecurity incidents to appropriate external entities. Known incidents are reported to CISA as well as other necessary parties within timeframes directed by applicable regulatory guidance or, in the absence of guidance, as soon as safely capable. This goal will be revisited following full implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

    2. Incident response plans: organizations have, maintain, update, and regularly drill IT and OT cybersecurity incident response plans for both common and organizationally specific threat scenarios and TTPs. When conducted, tests or drills are as realistic in nature as feasible. IR plans are drilled at least annually, and are updated within a risk-informed time frame following the lessons-learned portion of any exercise or drill.

    3. System backups: all systems that are necessary for operations are backed up on a regular cadence, no less than once per year. Backups are stored separately from the source system and tested on a recurring basis, no less than once per year. Stored information for OT assets includes, at minimum, configurations, roles, PLC logic, engineering drawings, and tools.

    4. Document network topology: organizations maintain accurate documentation describing the current network topology and relevant information across all IT and OT networks. Periodic reviews and updates should be performed and tracked on a recurring basis.

  8. Other

    1. Network segmentation: all connections to the OT network are denied by default unless explicitly allowed for specific system functionality. Necessary communication paths between the IT and OT networks must pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or demilitarized zone, which is closely monitored, captures network logs, and only allows connections from approved assets.

    2. Detecting Relevant Threats and TTPs: Organizations have documented a list of threats and adversary TTPs relevant to their organization and have the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats. 

    3. Email security: on all corporate email infrastructure (1) STARTTLS is enabled, (2) SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are enabled, and (3) DMARC (Domain-based Message Authentication, Reporting, and Conformance) is enabled and set to “reject.”
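Account Security goal 1 above (log every unsuccessful login and lock suspicious accounts) is the kind of rule a security team can express as detection logic. The following is an added example, not code from the CISA report or from the original post; it runs a sliding-window failed-login count over constructed sshd-style log lines (the log format, the 5-failures-in-10-minutes threshold, and the account names are assumptions):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host1 sshd: Failed password for operator from 10.0.5.7
2024-03-01T08:00:04Z host1 sshd: Failed password for operator from 10.0.5.7
2024-03-01T08:00:09Z host1 sshd: Failed password for operator from 10.0.5.7
2024-03-01T08:00:12Z host1 sshd: Accepted password for engineer from 10.0.5.9
2024-03-01T08:00:15Z host1 sshd: Failed password for operator from 10.0.5.7
2024-03-01T08:00:20Z host1 sshd: Failed password for operator from 10.0.5.7
2024-03-01T08:30:00Z host1 sshd: Failed password for engineer from 10.0.5.9
2024-03-01T09:30:00Z host1 sshd: Failed password for engineer from 10.0.5.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_line(line):
    """Parse one log line; return None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "failed": m["result"] == "Failed"}

def detect_lockouts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: time at which `threshold` failures fell inside `window`}."""
    recent = defaultdict(deque)   # user -> timestamps of failures still in window
    lockouts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in lockouts:
            lockouts[ev["user"]] = ev["ts"]
    return lockouts

if __name__ == "__main__":
    for user, when in detect_lockouts(SAMPLE_LOG).items():
        print(f"ALERT: lock account {user!r}; threshold reached at {when:%H:%M:%S}Z")
```

In the sample, `operator` is flagged after its fifth failure inside ten minutes while `engineer`'s two failures an hour apart are not, which is the distinction a system-enforced lockout policy needs to make.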

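The email security goal (item 8.3 above) can be checked against a domain's published DNS records. This is an added example, not code from CISA or the original post; it evaluates SPF, DKIM and DMARC records for the DMARC "reject" policy the goal requires. The domain, DKIM selector and records are constructed and supplied as a dict so the check runs offline; a real check would fetch the TXT records with a DNS resolver, and the STARTTLS part of the goal is not covered here:

```python
# Constructed DNS answers for a hypothetical domain (not real records).
SAMPLE_DNS = {
    "example.test": ["v=spf1 mx include:_spf.mailprovider.test -all"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_auth(domain, dkim_selector, dns):
    """Return a list of findings; an empty list means SPF, DKIM and DMARC meet the goal."""
    findings = []

    spf = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (RFC 7208 permerror)")
    elif not spf[0].rstrip().endswith(("-all", "~all")):
        findings.append("SPF: record does not end with -all or ~all")

    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    dkim = dns.get(dkim_name, [])
    if not dkim:
        findings.append(f"DKIM: no key record at {dkim_name}")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: empty p= tag, key is revoked")

    dmarc = [r for r in dns.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none")
        if policy != "reject":
            findings.append(f"DMARC: policy is p={policy}, goal requires p=reject")
        if tags.get("pct", "100") != "100":   # pct defaults to 100 per RFC 7489
            findings.append(f"DMARC: pct={tags['pct']} applies policy to only part of mail")
    return findings

if __name__ == "__main__":
    for finding in check_email_auth("example.test", "mail", SAMPLE_DNS):
        print("FINDING:", finding)
```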

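Vulnerability management goal 5.3 above asks for a security.txt file conforming to RFC 9116. The validator below is an added example, not code from the RFC, CISA or the original post; it parses a constructed file and applies the RFC's core rules (at least one Contact given as a URI, exactly one Expires in RFC 3339 form that has not passed, Preferred-Languages at most once). The domain and contact addresses are constructed:

```python
import re
from datetime import datetime, timezone

# Constructed sample file (not a real organization's security.txt).
SAMPLE_SECURITY_TXT = """\
# Security contacts for the constructed domain example.test
Contact: mailto:security@example.test
Contact: https://example.test/security/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, es
Canonical: https://example.test/.well-known/security.txt
"""

# RFC 9116 requires Contact values to be URIs; these are the common schemes.
URI_RE = re.compile(r"^(mailto:|tel:|https://)\S+$", re.IGNORECASE)

def parse_security_txt(text):
    """Return (field, value) pairs in file order; field names lower-cased."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):     # blank lines and comments
            continue
        if ":" not in line:
            raise ValueError(f"not a field line: {line!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file conforms."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = [v for k, v in fields if k == "contact"]
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not URI_RE.match(contact):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")
    expires = [v for k, v in fields if k == "expires"]
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:              # RFC 3339 requires a UTC offset
                raise ValueError("missing UTC offset")
            if when <= now:
                problems.append(f"file expired at {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    if sum(1 for k, _ in fields if k == "preferred-languages") > 1:
        problems.append("Preferred-Languages may appear only once")
    return problems
```

Run `validate_security_txt` on the text fetched from `https://<domain>/.well-known/security.txt` for each public-facing domain; an expired file is the most common way an otherwise correct deployment drifts out of conformance.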



Sources:

https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure/

https://logically.com/blog/the-future-of-cybersecurity-and-critical-infrastructure/

https://www2.deloitte.com/us/en/insights/industry/public-sector/cyberattack-critical-infrastructure-cybersecurity.html








