GUEST ESSAY: Recalibrating critical infrastructure security in the wake of evolving threats

By Joseph Bell

For all the discussion around the sophisticated technology, strategies, and tactics hackers use to infiltrate networks, sometimes the simplest attack method can do the most damage.

The recent Unitronics hack, in which attackers took control of a Pennsylvania water authority and other entities, is a good example. In this instance, hackers are suspected to have exploited simple cybersecurity loopholes, including the fact that the software shipped with easy-to-guess default passwords.


The Unitronics hack was particularly effective given the nature of the target. Unitronics software is used by critical infrastructure (CI) organizations throughout the U.S. in different industries, including energy, manufacturing, and healthcare. Unitronics systems are exposed to the Internet and a single intrusion caused a ripple effect felt across organizations in multiple states.

Attacks like the one on Unitronics are a good reminder for all CI organizations to reassess their cybersecurity policies and procedures to ensure they can repel and mitigate cybersecurity threats. Here are three strategies they should pursue in 2024 to minimize the chance of a Unitronics-style hack.

Attack surface

Building perimeter defense systems and keeping services in-house have traditionally been two of the most common ways to defend IT infrastructure. The problem with this from a security perspective is that there tends to be no segregation between services. All an attacker needs to do is infiltrate one application to have access to the entire network.

Moving services to the cloud segregates applications and significantly reduces the potential blast radius. Years ago there was some skepticism about public cloud service providers’ security policies, but the reality is that most of those services are now highly secure. The largest ones, such as Amazon and Microsoft, have stringent protocols for securing their cloud infrastructures.

Still, CI organizations need to perform the appropriate due diligence before signing any agreements. At a minimum, cloud providers should have the same robust security practices as the organizations themselves. It’s also important to assess the provider’s patching environment and cadence, the processes they use to discover and manage vulnerabilities, whether they have a security operations center, and so forth.

Vetting process

Normally, the vetting process for a technology provider falls strictly under the purview of IT. But as cybersecurity threats evolve, it’s equally important to involve the chief information security officer (CISO) and their team in the due diligence process for any vendor an organization may consider using.

Once again, the Unitronics attack offers a great example of why involving security teams early and often is a good idea. An advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) noted that attackers achieved their mission “likely by compromising internet-accessible devices with default passwords” included in Unitronics software. An IT team primarily interested in functionality, features, and integration capabilities may overlook such flaws. Security experts, however, are trained to identify these issues and can therefore ensure that the software is vulnerability-free and follows good cybersecurity best practices.

Eventually, more organizations may want to consider appointing their CISOs to head all of IT. Having a shared organizational structure in which IT reports directly to the CISO will help make certain that both the technical and security needs of the organizations are met, and that security is at the forefront of all technology purchasing decisions.

In the meantime, security teams should be the points of contact for Cybersecurity Maturity Model Certification (CMMC) audits. These audits are performed by third-party assessor organizations and are used to gauge the cybersecurity maturity of organizations that supply technology to the defense industrial base, including CI organizations. The CMMC program includes a progressive framework to ensure vendors meet National Institute of Standards and Technology (NIST) cybersecurity standards. Vendors that meet these standards are less likely to ship products containing vulnerabilities that could reach CI organizations through their supply chains.

Continual testing

While performing rigorous assessments before vendors are onboarded is important, so is performing ongoing internal and external penetration tests to simulate attacks and test for potential weaknesses. For example, OT systems have become highly connected, making them an obvious target for hackers. Penetration testing can identify vulnerabilities within these systems and allow security teams to find areas where traditional network segmentation techniques aren’t effective. Such gaps are often what nation-state threats and other highly skilled threat actors exploit.

Once IT and OT systems are physically separated, organizations can install data diodes and data guards to ensure the secure transfer of information between networks in ways that prevent threat actors from compromising them. A data diode facilitates a unidirectional stream of information from one device to another, preventing bidirectional data flow. A data guard, meanwhile, ensures that only the intended structured and unstructured data is transferred across these networks.
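As an added illustration of the data-guard idea (this is not code from the essay, from Unitronics, or from Everfox), the following Python sketch allow-lists the structured telemetry records permitted to cross a one-way OT-to-IT link and drops everything else with a reason; the field names, formats, size limit and sample records are constructed assumptions:

```python
"""Minimal content-inspection 'data guard' for a one-way telemetry link.

Added example: records leaving an OT network are forwarded only if they match
an explicit allow-list schema exactly; anything else is dropped and the reason
recorded, so unexpected fields, commands or binary blobs never cross the boundary.
All field names, patterns and limits below are constructed for illustration.
"""
import json
import re

# Allow-list: field name -> (expected type, value validator).
SCHEMA = {
    "site":  (str,   re.compile(r"^[A-Z]{2}-\d{3}$").fullmatch),   # e.g. "PA-017"
    "tag":   (str,   re.compile(r"^[A-Za-z0-9_]{1,32}$").fullmatch),
    "value": (float, lambda v: -1e6 <= v <= 1e6),
    "ts":    (int,   lambda v: 1_600_000_000 <= v <= 4_000_000_000),
}
MAX_RECORD_BYTES = 512  # reject oversize payloads before parsing them


def inspect(raw: bytes) -> tuple[bool, str]:
    """Return (allowed, reason). A record must carry exactly SCHEMA's fields."""
    if len(raw) > MAX_RECORD_BYTES:
        return False, "oversize"
    try:
        rec = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "not-json"
    if not isinstance(rec, dict) or set(rec) != set(SCHEMA):
        return False, "unexpected-fields"   # missing *or* extra keys both fail
    for name, (typ, ok) in SCHEMA.items():
        v = rec[name]
        if typ is float and isinstance(v, int) and not isinstance(v, bool):
            v = float(v)                     # JSON "12" is an acceptable float
        if type(v) is not typ or not ok(v):  # exact type check: bool is not int
            return False, f"bad-{name}"
    return True, "ok"


def guard(records):
    """Split a batch into (passed, dropped); dropped entries carry the reason."""
    passed, dropped = [], []
    for raw in records:
        allowed, reason = inspect(raw)
        if allowed:
            passed.append(raw)
        else:
            dropped.append((raw, reason))
    return passed, dropped


# Constructed sample batch: one valid record, three that must be blocked.
SAMPLE = [
    b'{"site":"PA-017","tag":"pump1_flow","value":12.5,"ts":1700000000}',
    b'{"site":"PA-017","tag":"pump1_flow","value":12.5,"ts":1700000000,"cmd":"stop"}',
    b'\x00\x01 not json at all',
    b'{"site":"PA-017","tag":"pump1_flow","value":"12.5","ts":1700000000}',
]

if __name__ == "__main__":
    ok, blocked = guard(SAMPLE)
    print(f"forwarded {len(ok)} record(s); dropped {[r for _, r in blocked]}")
```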

These strategies denote a shift from reactive to proactive cybersecurity and a new way of thinking about cybersecurity defense. Organizations must move from a “trust but verify” mindset to a Zero Trust approach. Organizations that adopt this mindset while embracing the cloud, employing a shared responsibility model, and performing continual testing will take the fight to the attackers and gain a much-needed advantage.

About the essayist: Joseph Bell is Chief Information Security Officer at Everfox.
