In early May 2021, a Russian-speaking cyber-criminal group (DarkSide) hit Colonial Pipeline, the largest refined-petroleum-products pipeline system in the United States, with a devastating ransomware attack. Ransomware encrypts a victim's files and withholds the decryption key unless a ransom is paid. The malware landed in Colonial's corporate IT network, but because the company could not quickly establish whether its operational systems were affected, it shut down pipeline operations as a precaution along a 5,500-mile path from Texas to New Jersey, one of the largest disruptions of critical infrastructure in U.S. history. The incident highlights a fact that increasingly keeps managers of critical infrastructure up at night: the nation's sprawling transmission, distribution, and utility infrastructure for electricity, natural gas, and water is at heightened risk of cyberattack, and an IT compromise alone can be enough to halt operations.
The problem is threefold. First, critical infrastructure is being progressively digitized, leaving it more vulnerable to cyber-criminal exploits. Second, information technology (IT) and operational technology (OT) are increasingly interconnected, making IT breaches a significant OT risk. And third, adversaries from disgruntled employees to rogue nation-states have growing capability to assail the sometimes-neglected cyber defenses of industrial control systems (ICSs).
Fortunately, there are solutions for organizations that recognize the acute nature of the threat and the clear benefits of effective protections. In particular, electric, gas, and water utilities should invest in "zero-trust gateways" that contain attacks at the IT-OT boundary before they can reach control systems.
Connecting the Digitized Dots
Utility business functions have long run on enterprise software. Their industrial operations have by now been thoroughly automated. But increasingly, both IT and OT are being augmented by emerging capabilities such as internet-of-things (IoT) technologies. IoT sensors deployed throughout the infrastructure, from pipeline monitors to equipment controls, continually capture, store, and transmit ever-expanding quantities of data.
More and more, these industrial data streams are centrally aggregated and shared with business systems. The resulting interconnection of IT and OT means that operational equipment once isolated from internal and external networks now presents adversaries with a broadening attack surface.
Some of these networks are accessed by utility employees and external service providers. Others are machine-to-machine connections. Each type of interconnectivity carries with it its own advantages and risks, but all require cyber protections.
Many of these systems already benefit from built-in safeguards: authentication, encryption, firewalls, antivirus software, and so on. But these baseline protections are no longer enough, in part because utilities are increasingly interconnected with supply chain partners. If an adversary compromises a vendor's system and then uses that trusted connection to move laterally into your organization's network, your ICSs are exposed to the same adversary.
The SolarWinds compromise is a prime example of this vulnerability. SolarWinds makes software that thousands of organizations use to manage their IT infrastructure. Attackers gained access to the company's build environment and inserted a backdoor into legitimately signed builds of its Orion platform. When SolarWinds customers installed the trojanized updates, the backdoor gave the attackers remote access to the victims' IT environments, with no exploit of the customers' own systems required.
Necessary but Not Cyber-Sufficient
Utility CIOs and cybersecurity teams can implement two tactical solutions that go a long way in protecting OT systems. While these techniques might have limited application in increasingly interconnected environments, utilities should consider them in the right situations.
Air-Gapping. An air gap provides physical separation between a critical ICS and less-secure networks. Air-gapping can isolate an ICS from external access or from interfacing with enterprise IT systems that are themselves externally connected.
But in today’s environments, with IoT enablement and with integrated IT and OT, air gaps are useful in fewer places. And air gaps aren’t fool-proof. The notorious Stuxnet computer worm of 2010, which was deployed against Iran’s nuclear program, jumped an air gap on a USB drive.
One-Way Data Diodes. Unidirectional data transfer creates a boundary between trusted and untrusted networks through a one-way, physically enforced communication channel. A typical diode uses a fiber-optic link with a transmitter on the source side and only a receiver on the destination side, so the reverse path does not physically exist. Data can flow out of the protected network (for example, telemetry from OT to IT) but nothing can flow back in.
Data diodes are simple to deploy and require little or no ongoing maintenance. And they can help organizations comply with requirements such as North American Electric Reliability Corp. (NERC) critical infrastructure protection (CIP) guidance. But while they are highly effective in situations that need only one-way data transfer, they are not appropriate for IT-OT connections that require two-way communication, and protocols that expect acknowledgements must be terminated and re-originated by proxies on each side. In addition, diodes do not validate data: a malformed or malicious payload passes through unchanged.
Guarding ICSs with Zero-Trust Gateways
Ultimately, though, utilities require a more comprehensive approach to protecting their IT and OT networks—especially at crucial connection points. The solution is a zero-trust gateway that provides a “data guard” between IT and OT.
At its highest level, “zero trust” is a cybersecurity concept that means, by default, no user, system, or organization is trusted, and access is granted only on an as-needed basis. The paradigm combines strict identity verification and explicit permission for every person or entity attempting to access network resources.
Early zero-trust deployments focused on user access to applications, verifying every user and device regardless of whether it sat inside or outside the corporate network. Applied to internal people and processes as well as external ones, the model protects against malicious insiders, human error, and intruders who slip in through partner systems. However, that alone is not enough to protect against the expanded threat landscape of critical utilities.
Today, zero trust needs to be extended to the connection points between IT and OT. And it likewise needs to be applied not just to users but also to data.
Utilities can implement zero-trust gateways at connection points that require uni- or bi-directional automated transfer of highly complex data. Deep content inspection, at the byte level, as well as data validation and filtering, can ensure highly secure data sharing among multiple domains. That includes big data moving among sensitive networks and clouds. Such capabilities can be tailored to each organization’s unique requirements, risks, and security policies.
Zero-trust gateways allow only explicitly specified control data to get through: the permitted protocols, message types, and value ranges are allowlisted, and everything else is dropped. Even if attackers penetrate a utility's IT environment through a supply chain partner, they find no unfiltered path for pivoting laterally from IT into OT. What's more, zero-trust gateways complement one-way data diodes by inspecting the content of the data flowing into or out of the OT network, which a diode by itself cannot do.
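The following is an added example of the content-inspection and allowlisting behaviour described above; it is not Forcepoint's product code nor code from the article. It parses Modbus/TCP frames field by field and forwards a frame only if its unit ID, function code, and register range all match an explicit policy; malformed or unlisted frames are dropped. The Modbus/TCP framing follows the published standard layout; the policy, the register numbers, and the sample frames are constructed for illustration.

```python
"""
Added example: a minimal content-inspecting "data guard" for the IT-to-OT
boundary. Not the article's or Forcepoint's code. The policy and sample
frames are constructed; only the Modbus/TCP framing is standard.
"""
import struct
from dataclasses import dataclass

# Modbus/TCP application header (MBAP): transaction id, protocol id,
# length, unit id, all big-endian. Protocol id must be 0 for Modbus.
MBAP = struct.Struct(">HHHB")

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class Rule:
    unit_id: int
    function: int
    first_register: int  # inclusive
    last_register: int   # inclusive


# Constructed policy: the enterprise side may read registers 0-99 on unit 1
# and may write exactly one setpoint register (40). Nothing else passes.
POLICY = (
    Rule(unit_id=1, function=READ_HOLDING_REGISTERS, first_register=0, last_register=99),
    Rule(unit_id=1, function=WRITE_SINGLE_REGISTER, first_register=40, last_register=40),
)


def parse_frame(frame: bytes):
    """Return (unit_id, function, first_reg, last_reg), or None if malformed."""
    if len(frame) < MBAP.size + 1:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    # The length field counts unit id + PDU. Reject frames whose declared
    # length disagrees with the bytes present (a classic parser-confusion vector).
    if proto != 0 or length != len(frame) - 6:
        return None
    pdu = frame[MBAP.size:]
    function = pdu[0]
    if function == READ_HOLDING_REGISTERS:
        if len(pdu) != 5:
            return None
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 125:  # spec limit for function 3
            return None
        return unit, function, start, start + qty - 1
    if function == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            return None
        addr, _value = struct.unpack(">HH", pdu[1:5])
        return unit, function, addr, addr
    if function == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            return None
        start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if qty == 0 or nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            return None
        return unit, function, start, start + qty - 1
    return None  # unknown or unsupported function: never forwarded


def guard(frame: bytes) -> bool:
    """True if the frame may cross into OT, False if it must be dropped."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    unit, function, first, last = parsed
    return any(
        r.unit_id == unit and r.function == function
        and r.first_register <= first and last <= r.last_register
        for r in POLICY
    )


def build_frame(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Construct a sample frame (MBAP length = unit id + PDU)."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic crossing from IT toward OT.
ALLOWED_READ = build_frame(1, bytes([READ_HOLDING_REGISTERS]) + struct.pack(">HH", 10, 20))
ALLOWED_WRITE = build_frame(1, bytes([WRITE_SINGLE_REGISTER]) + struct.pack(">HH", 40, 1234))
BLOCKED_WRITE = build_frame(1, bytes([WRITE_SINGLE_REGISTER]) + struct.pack(">HH", 41, 0))
BLOCKED_MULTI = build_frame(1, bytes([WRITE_MULTIPLE_REGISTERS])
                            + struct.pack(">HHB", 40, 1, 2) + b"\x00\x01")
BLOCKED_UNIT = build_frame(2, bytes([READ_HOLDING_REGISTERS]) + struct.pack(">HH", 0, 1))
BLOCKED_LENGTH = ALLOWED_READ[:-1]  # truncated: declared length no longer matches

if __name__ == "__main__":
    for name, f in [("allowed read", ALLOWED_READ), ("allowed write", ALLOWED_WRITE),
                    ("write to reg 41", BLOCKED_WRITE), ("multi-write", BLOCKED_MULTI),
                    ("unit 2", BLOCKED_UNIT), ("truncated", BLOCKED_LENGTH)]:
        print(f"{name:16s} forward={guard(f)}")
```

The example checks only the request direction; a real gateway would also validate the OT-side responses before releasing them to IT, and would be generated from the utility's own protocol and register inventory rather than a hand-written policy. The default-deny `return None` branches are the point: a function code or register the policy never mentioned is dropped, not passed through.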
Zero Trust Supports Utilities’ Security Efforts
In late April 2021, the Department of Energy (DOE) kicked off a 100-day plan to tighten the security of ICSs in electric utilities and to secure the energy-sector supply chain. The action, coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) and the electricity industry, reflects the growing recognition that utilities need to place cybersecurity front and center.
Strong cybersecurity is imperative to national security. It’s equally important for the protection of citizens in communities large and small, and to the business operations of the electric, gas, and water utilities that serve them. A zero-trust mindset at the highest level, along with zero-trust gateways at the nexus of IT and OT, will help ensure the cyber protections utilities need, and can empower utilities to safely and effectively perform against their mission.
—George Kamis is CTO, Global Governments and Critical Infrastructure, at Forcepoint.