George WilkesMarch 31, 2022
PODCAST: Zero Trust Security for Critical Infrastructure
Globally, cyberthreats against critical infrastructure are at an all-time high and breaches can lead to debilitating security, health and economic crises. So how can federal agencies and supporting public sector organizations use Zero Trust security to ensure continuity, consistency and efficiency to guard against cyberattacks on vital ecosystems comprising IT, IoT and OT technologies?
As reported in a Feb. 9, 2022 joint cybersecurity advisory, in 2021 authorities in the U.S., Australia and the U.K. observed “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors.”
Last year’s White House executive order on improving the nation’s cybersecurity called out critical infrastructure specifically and points to Zero Trust as the solution.
The unique challenges of securing critical infrastructure and how Zero Trust security can prevent catastrophic outcomes of cyberwarfare are discussed on this Zero Trust Thirty podcast episode featuring industry insiders Jim Anthony and Michael Friedrich. Listen below to learn:
- The crux of critical infrastructure and why so many sectors qualify
- How the cyberattack of a cream cheese manufacturer (yep, food supply chains are critical infrastructure) led to a months-long delay in stocking store shelves
- Some of the unique challenges organizations that oversee critical infrastructure are facing and how Zero Trust can solve them
Tips for securing critical infrastructure
Critical infrastructure involves a unique mixture of legacy operational technologies (OT) that weren’t previously internet-facing and new technology like Internet of Things (IoT) devices. According to The State of IoT/OT Cybersecurity in the Enterprise, 60% of respondents say IoT/OT devices are one of the least secured parts of their organizations’ IT/OT infrastructure. Between poor security and a complex environment, critical infrastructure administrators have a lot to tackle. Here are a few tips from Michael and Jim on how to think about security for critical infrastructure:
- Separate OT from IT: When OT and IT are on the same network, threat actors can essentially get two for the price of one. Administrators of critical infrastructure need to recognize what is IT as opposed to OT and segment them to reduce the attack surface. In the Colonial Pipeline attack, the company disconnected the system that controls the physical pipeline for this very reason.
- Zero Trust is about more than humans and OT devices: Data is the common thread running through systems connected to other networks. The principle of default deny access to anything or anyone connecting to networks and accessing data is the key to improving security and is the core of Zero Trust.
- Start with identity. When applying the Zero Trust framework to critical infrastructure, defining identity is the first step of the journey. Identity-centric access control is about enforcing the principle of least privilege to reduce risk.
Additional Zero Trust for critical infrastructure resources
Webinar: Zero Trust for critical infrastructure
Blog: The CISA Zero Trust maturity model series – Part 1: Start with identity
Solution Brief: Zero Trust Network Security Purpose-Built for Federal Agency Critical Infrastructure