There are no boundaries in cyberspace. That fact has accelerated sharing of threat intelligence across the defenders, but it exponentially raises the threat of cyberattacks.
This reality is underscored by the war in Ukraine, “the first major conflict involving large-scale cyber operations,” according to the U.S. Cybersecurity and Infrastructure Agency (CISA). A major concern is that malicious activity—such as wiper attacks that erase all data from hard drives—will spill over from Ukraine to other nations, including the U.S.
In April 2022, for instance, the U.S. government secretly removed malware from organizations around the world to preemptively thwart Russia-backed cyberattacks. CISA’s latest “Shields Up” campaign advises that “every organization—large and small—must be prepared to respond to disruptive cyber incidents.”
The power industry is no exception. Critical infrastructure is a highly vulnerable target for rogue nations. These malicious actors have strong incentives and dedicated resources for undermining our national security. And with sometimes outdated operational technology (OT) and limited cybersecurity regulations, critical infrastructure has already fallen victim to attacks, such as the Colonial Pipeline breach that halted vital petroleum operations in 2021.
The good news is that highly attainable strategies and technologies can protect power industry enterprises from cyberattacks and reduce their cyber risk.
The Power of Zero Trust
“Zero Trust” has become a byword in government cybersecurity, with the National Institute of Standards and Technology (NIST) issuing detailed guidelines on achieving a Zero Trust architecture. Zero Trust is also increasingly embraced by the private sector, and the electric power industry should be no exception.
The concept behind Zero Trust is “never trust, always verify.” That means, for instance, not allowing users to gain access to a system once and then move laterally throughout the network. Rather, Zero Trust requires that all users, devices, applications, and other entities verify their identity each and every time they attempt to access a system or data.
For example, many organizations currently allow employees and contractors to use virtual private networks (VPNs) to access corporate resources from remote devices. Once those users log in over the VPN, they can potentially reach all company systems and data.
A far more secure approach is Zero Trust Network Access (ZTNA), which requires that workers and devices use only specific network protocols, and which limits access only to the data and systems those entities are specifically authorized to use. That way, cyberattacks don’t spread from one system or network to another.
Ensuring Least-Privilege Access
But employees no longer access data and applications only in corporate data centers. Today, information technology (IT) resources reside wherever business needs to get done. Workloads might operate in Google Cloud, documents might be stored in Microsoft 365, data might be shared in Dropbox, and so on.
As a result, the “attack surface” of your organization has grown considerably. The perimeter of the network is no longer the four walls of your building. So, it’s no longer adequate to simply protect the perimeter.
The solution begins with the concept of least-privilege access, which gives users only the IT privileges they require to do their jobs. For example, if users only need to use certain data on certain systems, they shouldn’t be able to access other data on other systems. Nor should they be able to perform tasks such as installing new software or running data backups.
Implementing least-privilege access starts with knowing who is accessing your data and how they’re accessing it. Most organizations lack clear visibility into this. Effective cybersecurity tools can help you understand and control who’s reaching which data and systems—and help prevent attackers from using stolen credentials to wreak havoc on your network.
The MFA Imperative
Another crucial tool for protecting data and systems is multifactor authorization (MFA). In the past, MFA was seen as state-of-the-art, but in the face of today’s advanced persistent threats, it’s an absolute must.
MFA combines what the user knows (a password), who the user is (a biometric), and what the user has (a device or token). Even stronger MFA adds an “out-of-band” element such as a code sent to a smartphone or a challenge-and-response step the user has to click through.
Banks and other businesses that deal in sensitive data use MFA to reinforce their security. Enterprises in the power industry should, as well. MFA ensures that passwords aren’t the only barrier between your data and a malicious actor. In fact, Microsoft research shows that accounts are 99.9% less likely to be compromised with MFA.
Content Disarm and Reconstruction
A final aspect of cybersecurity that operators of critical infrastructure shouldn’t overlook is protecting digital content. That includes all the Microsoft and Google documents, PDFs, images, and so on that your teams create, access, and share every day.
The text, images, and other elements in digital files are encoded using standard formats. But cyber attackers can also hide malicious code in those files. When the infected file is opened, the malicious code executes, potentially damaging systems or stealing data.
The solution is content disarm and reconstruction (CDR). CDR works by deconstructing and reconstructing files as they traverse your network in real time. The technology extracts the valid code from a file and then builds a new, fully functional but malware-free file. The original file, along with any hidden malware, is quarantined or destroyed.
CDR shifts the focus from file-based malware detection to prevention. Instead of seeking out a malware needle in the haystack of files moving around your enterprise, CDR takes a Zero Trust approach, assuming that all content is potentially dangerous and ensuring that all files are rendered safe. Modern CDR technology is able to perform these functions and sanitize content faster than traditional security antivirus.
For operators of critical infrastructure, the hazards of new, more persistent and more dangerous cyberthreats will continue. In response, organizations up and down the power supply chain must take new steps in protecting their systems and data. Fortunately, there are proven strategies and technologies for safeguarding your operations. These solutions could literally keep the lights on—for your business and for the customers you serve.
—Petko Stoyanov is the Global Chief Technology Officer (CTO) at Forcepoint, where he focuses on strategy, technology, innovation, and go to market for the company’s solution portfolio.