Two recent incidents have made the cost of not protecting our infrastructure and natural resources abundantly clear. First, there was the widely publicized SolarWinds attack, which infected more than a dozen utility companies and oil and gas manufacturing entities. Then, there was a dangerous incident in Florida, where a hacker gained access to a water treatment plant and attempted to poison the water supply for 15,000 residents.
These and other events underscore the imminent threat to critical infrastructure. Utilities are high-value targets for hackers: they are rife with outdated systems, have few employees with proper security expertise, and suffer from other weaknesses. They also rely on a complex set of connected operational technology (OT) and information technology (IT) systems. Given these factors, it’s perhaps unsurprising that utilities experienced a 595% year-over-year increase in distributed denial-of-service (DDoS) incidents in 2020.
Bolstering cybersecurity within these complicated critical infrastructure environments requires securing OT/IT network boundaries, and controlling and inspecting communications between users and across segmented networks in a “cross-domain” manner. Let us take a closer look at each of these strategies to understand how to successfully protect our nation’s infrastructure against those who would seek to exploit it and cause potentially catastrophic damage.
Securing OT/IT Network Boundaries
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sent out significant warnings about the dangers posed by hackers exploiting the boundaries between OT and IT, including a joint statement with the National Security Agency (NSA) citing vulnerabilities in OT systems as an ongoing concern. And yet, it’s not just OT systems that are vulnerable; both OT and IT networks are susceptible to initial intrusion. When an adversary gains access to one, they can easily move laterally to the other, compromising the entire system. This happened in early 2020 when a hacker gained access to the IT system of a natural gas company and subsequently infiltrated the organization’s OT network, prompting CISA to issue guidance on pipeline security.
To prevent similar incidents, it’s important that utilities and other critical infrastructure companies take steps to secure the boundaries and physically segregate or segment their OT and IT networks and systems. This can be done through data diodes—hardware devices that enforce one-way data transfers between networks. Data diodes allow utilities to segment and isolate their operational assets and create boundaries between segmented networks, making it difficult for hackers to attack since data only flows in one direction. However, a diode constrains only the direction of the flow, not its content: the data that passes is not filtered or controlled and can still cause harm to the OT systems—see Stuxnet.
Controlling and Inspecting Cross-Domain Communications
Diodes are just one component of protecting segmented networks. In a cross-domain environment, the exchange of information is allowed across domains based on certain predetermined criteria or by adhering to a security policy that has been defined for an exchange of information. For example, a policy might allow only defined control data to be transferred from the IT network to the OT network.
Cross-domain “guards” complement diodes by ensuring only the right information gets to the right people. Unlike diodes, guards have the ability to validate data and files, and detect malware. They allow communications to flow uninterrupted while ensuring data meets the defined policy for data transfer and that it is free of vulnerabilities. If the data does not comply with the allowed data set or if a vulnerability is detected, the guard stops the exchange before other parts of the system can be infected.
Cross-domain guards are much more targeted than traditional firewalls. Firewalls are built to handle the needs of a wide range of communications channels (or ports) to fulfill the needs of the enterprise. Even when firewalls are used at home, they are a protection gateway that supports a wide range of services, including general purpose computing, video streaming, and the Internet of Things (IoT), without much data inspection.
Cross-domain guards are optimized to filter data at the application level. They focus on the inspection of data within specified files that are needed to cross security boundaries. They are very targeted and only transfer data that adheres to the cross-domain guard’s policy. They are ideal for sustaining uninterrupted communications without sacrificing security. These cross-domain solutions can also be coupled with data diodes to provide high-assurance data flow.
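As an added illustration of the guard behaviour described above (example code, not from the original article or from Forcepoint), the following Python models a guard on the IT-to-OT boundary. It releases only messages that match an explicit allow-list policy for "defined control data": the message type, the exact field set, the OT asset tags, the units and the engineering limits are all enforced, a hash-based content check stands in for the malware scan, and everything else is blocked with a logged reason. The message type, field names, asset tags, limits and the known-bad sample are all constructed for this example.

```python
"""Illustrative cross-domain guard filter (added example, not Forcepoint's code).

The guard sits on the IT -> OT boundary and releases only "defined control
data": each message must match an explicit allow-list schema, every value
must be within engineering limits, and the payload must pass a content
check. Anything else is blocked with a logged reason. Message type, field
names, asset tags and the known-bad sample are constructed for this example.
"""
import hashlib
import json
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("guard")

MAX_MESSAGE_BYTES = 1024

# Transfer policy (constructed): the only message kind IT may send to OT,
# its exact field set, the OT tags it may address, and per-tag limits.
POLICY = {
    "setpoint_update": {
        "fields": {"asset": str, "setpoint": float, "units": str, "requested_by": str},
        "assets": {"PUMP-01", "PUMP-02", "VALVE-07"},
        "units": {"rpm", "percent"},
        "limits": {"PUMP-01": (0.0, 1800.0), "PUMP-02": (0.0, 1800.0), "VALVE-07": (0.0, 100.0)},
    }
}

# Stand-in for the guard's malware check: a hash set of known-bad payloads.
# The single entry is a constructed sample, not a real indicator.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}


@dataclass
class Decision:
    allowed: bool
    reason: str
    message: Optional[dict] = None


def _has_type(value, expected) -> bool:
    """JSON numbers may parse as int; accept them for float fields, but never bool."""
    if expected is float:
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    return isinstance(value, expected)


def inspect(raw: bytes) -> Decision:
    """Apply the cross-domain policy to one inbound message; the default is deny."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return Decision(False, "oversized message")
    if hashlib.sha256(raw).hexdigest() in KNOWN_BAD_SHA256:
        return Decision(False, "payload matches known-bad signature")
    if not all(0x20 <= b < 0x7F for b in raw):
        return Decision(False, "non-printable bytes in payload")
    try:
        msg = json.loads(raw)
    except ValueError:
        return Decision(False, "payload is not well-formed JSON")
    if not isinstance(msg, dict):
        return Decision(False, "payload is not a JSON object")
    mtype = msg.get("type")
    rule = POLICY.get(mtype) if isinstance(mtype, str) else None
    if rule is None:
        return Decision(False, f"message type not in policy: {mtype!r}")
    # Exact field set: an unknown field is as suspicious as a missing one.
    present = set(msg) - {"type"}
    if present != set(rule["fields"]):
        return Decision(False, f"field set differs from policy: {sorted(present ^ set(rule['fields']))}")
    for name, expected in rule["fields"].items():
        if not _has_type(msg[name], expected):
            return Decision(False, f"field {name!r} has wrong type")
    if msg["asset"] not in rule["assets"]:
        return Decision(False, f"asset {msg['asset']!r} not allow-listed")
    if msg["units"] not in rule["units"]:
        return Decision(False, f"units {msg['units']!r} not allow-listed")
    lo, hi = rule["limits"][msg["asset"]]
    if not lo <= msg["setpoint"] <= hi:
        return Decision(False, f"setpoint {msg['setpoint']} outside [{lo}, {hi}]")
    return Decision(True, "compliant control data", msg)


def release(raw: bytes, sink) -> Decision:
    """Inspect a message and hand it to the OT-side sink only if it is compliant."""
    decision = inspect(raw)
    if decision.allowed:
        sink(decision.message)
        log.info("released: %s", decision.message)
    else:
        log.warning("blocked: %s", decision.reason)
    return decision


# Constructed traffic: one compliant message and several that must be blocked.
SAMPLES = [
    b'{"type": "setpoint_update", "asset": "PUMP-01", "setpoint": 1200, "units": "rpm", "requested_by": "op-17"}',
    b'{"type": "setpoint_update", "asset": "PUMP-01", "setpoint": 5000, "units": "rpm", "requested_by": "op-17"}',
    b'{"type": "setpoint_update", "asset": "PUMP-01", "setpoint": 1200, "units": "rpm", "requested_by": "op-17", "script": "payload"}',
    b'{"type": "firmware_update", "asset": "PUMP-01", "image": "AAAA"}',
    b"constructed-malicious-sample",
    b"\x00\x01binary",
]


def run_samples() -> list:
    """Run the constructed traffic through the guard; returns (allowed, reason) pairs."""
    released = []
    return [(d.allowed, d.reason) for d in (release(s, released.append) for s in SAMPLES)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    for allowed, reason in run_samples():
        print("ALLOW" if allowed else "BLOCK", reason)
```

The point of the exact-field-set and allow-list checks is that the guard never has to recognise an attack: it only has to recognise the one shape of message the policy permits, which is what distinguishes it from a firewall that passes any traffic on an open port. In a deployment the hash set would be replaced by the guard's real content-inspection engine, and the sink would be the diode or OT-side relay.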
Confronting the Looming Threat
While the recent power outages across Texas were the result of a powerful winter storm, they provided a view into the potential for destruction that a cyberattack could have on critical infrastructure. The impact may not be so different from the ice and snow that Texas endured. Indeed, in the hands of particularly skilled attackers, the effects could actually be worse and of longer duration.
The lessons of SolarWinds, Florida, and Texas show that now is the time to proactively plan to protect our critical infrastructure. Incorporating cross-network and cross-domain security measures into those plans is a good and significant first step.
—George Kamis is Chief Technology Officer for government markets at Forcepoint.