In the wake of escalating threats to critical sectors, such as the discovery of Volt Typhoon, government officials are sounding the alarm over the unprecedented risk of potential mass disruption to our country – including Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, who described these attacks as “the most serious threat to the nation.”
Recognizing that critical infrastructure owners and operators often lack the resources to implement even basic cybersecurity practices, the federal government is prioritizing protection of this sector through the new National Security Memorandum on Critical Infrastructure and the updated National Cybersecurity Strategy Implementation Plan.
Federal agencies need to serve as role models for secure and resilient systems by bridging the gap between outdated technology and modern security processes; otherwise, critical infrastructure sectors will remain easy targets and the prospect of devastating disruptions to essential services will grow.
Back to basics
To protect critical infrastructure, a vital part of the NSM and other federal plans that involve sector risk management is “ensuring critical services have minimum cybersecurity practices in place.” Resource constraints have left existing protections and processes unable to keep up with a mushrooming attack surface, which is why critical infrastructure owners and operators need to align with the minimum practices the federal government is defining.
With 85 percent of critical infrastructure owned or operated by the private sector, public-private collaboration has now become a necessity in order to establish minimum requirements and help critical infrastructure organizations achieve basic cyber hygiene.
Greater collaboration with the private sector can also help ease the gaps in resources and expertise needed to address the challenges associated with growing and more sophisticated cyber threats.
The updated NCSIP emphasizes that in order for the federal digital ecosystem and critical infrastructure stakeholders to improve their cyber posture, they need to share information and best practices. This is a cornerstone of a whole-of-government cybersecurity approach in which federal, state, and local governments collaborate closely with private industry to create a unified cybersecurity framework.
Sharing information and best practices facilitates open and transparent communications between public and private sectors, enabling quicker dissemination of threat intelligence, streamlined responses, reduced downtime, and more agile operations.
Not only does this approach break down inefficient, risky silos, but it also allows for a unified response to cyber incidents and the pooling of resources, expertise, and intelligence for real-time sharing and faster decision-making.
Accelerating digital modernization
The combination of insecure internet-facing connections, legacy technology, and traditional perimeter-based security approaches makes critical infrastructure an easy target for malicious actors. Improving critical infrastructure resilience is more than an IT and security problem; it means looking at the bigger picture to reduce downtime and risk to people and property.
The federal government should continue pushing technology developers to use secure-by-design tactics, ensuring “out of the box” security and significantly reducing the strain placed on infrastructure owners and operators.
In addition, the adoption of zero trust architectures emerges as a crucial step to harden remote access to industrial control systems (ICS) that rely on a mix of IT and operational technology (OT) assets.
Zero trust is inherently designed to reduce a network’s attack surface, prevent lateral movement of threats, and lower the risk of a data breach. This model leverages least-privileged access controls, granular microsegmentation, and multifactor authentication (MFA) to provide continuous verification of identities and devices, regardless of location, device type, or network connection. Crucially, these controls are dynamic and are applied on every request, not just once at connection time.
Historically, OT assets were not designed with security in mind, and in most cases Internet of Things (IoT) devices cannot be modified to host a security stack (endpoint software, agents, and so on). Yet most critical infrastructure organizations still depend on these antiquated technologies to monitor and control industrial processes.
Considering the unique nature of OT assets, coupled with their specific requirements for operational safety and reliability, owners and operators have strong business justifications for continuing to run older equipment that cannot host agent-based zero trust controls.
Yet, in the absence of zero trust capabilities, these assets have become key attack vectors for malicious actors. Even when an IoT device is not the first system compromised, it becomes a “land bridge”: a traditional firewall treats it as a trusted internal host and allows it to reach critical backend servers and data centers. Secure digital modernization is therefore essential.
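To make the contrast concrete, here is an added example (not code from the article or from Zscaler) of a toy policy engine. It models the two points above: a perimeter firewall that grants access on the basis of source address, so a compromised IoT camera on the internal LAN can reach a backend segment; and a zero trust decision that evaluates identity, device posture and MFA freshness on every request with a default deny, and re-evaluates mid-session so a posture change revokes access. The segment names, principals, IP ranges and MFA thresholds are constructed assumptions, not a real deployment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed assumptions for the illustration: an internal LAN that a
# perimeter firewall treats as trusted, and two backend microsegments.
TRUSTED_LAN = ipaddress.ip_network("10.0.0.0/8")

# Microsegment policy: which authenticated principals may reach which
# backend segment, and how recently they must have completed MFA (seconds).
SEGMENT_POLICY = {
    "historian-db": {"principals": {"svc-historian", "ot-engineer"}, "max_mfa_age_s": 3600},
    "plc-hmi":      {"principals": {"ot-engineer"},                  "max_mfa_age_s": 900},
}


@dataclass
class Request:
    src_ip: str
    dst_segment: str
    principal: Optional[str]   # authenticated identity, None if none presented
    device_attested: bool      # device identity/posture verified by the broker
    mfa_age_s: Optional[int]   # seconds since last MFA, None if never


def perimeter_allows(req: Request) -> bool:
    """Traditional firewall: trust is a function of where the packet came from."""
    return ipaddress.ip_address(req.src_ip) in TRUSTED_LAN


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Per-request decision. Location is never a factor; default is deny."""
    policy = SEGMENT_POLICY.get(req.dst_segment)
    if policy is None:
        return False, "no policy for segment (default deny)"
    if req.principal is None:
        return False, "no authenticated principal"
    if req.principal not in policy["principals"]:
        return False, "principal not permitted on segment"
    if not req.device_attested:
        return False, "device posture not verified"
    if req.mfa_age_s is None or req.mfa_age_s > policy["max_mfa_age_s"]:
        return False, "MFA missing or stale"
    return True, "allowed"


class Session:
    """Continuous verification: the policy is re-run on every forwarded
    request, so a device that fails posture mid-session loses access."""

    def __init__(self, req: Request):
        self.req = req

    def forward(self) -> Tuple[bool, str]:
        return zero_trust_decision(self.req)

    def device_posture_failed(self) -> None:
        self.req.device_attested = False


def compare(req: Request) -> dict:
    """Evaluate one request under both models."""
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": allowed, "reason": reason}


# Constructed scenario: a compromised IP camera on the "trusted" LAN tries to
# reach the historian database (the land-bridge path), alongside a legitimate,
# authenticated and attested OT engineer reaching the same segment.
CAMERA_TO_HISTORIAN = Request("10.20.30.40", "historian-db", None, False, None)
ENGINEER_TO_HISTORIAN = Request("10.20.30.41", "historian-db", "ot-engineer", True, 600)

if __name__ == "__main__":
    for name, req in [("camera", CAMERA_TO_HISTORIAN), ("engineer", ENGINEER_TO_HISTORIAN)]:
        print(name, compare(req))
    session = Session(Request("10.20.30.41", "historian-db", "ot-engineer", True, 600))
    print("session:", session.forward())
    session.device_posture_failed()
    print("after posture failure:", session.forward())
```

The camera request is allowed by the perimeter rule purely because of its address and denied by the zero trust check because it presents no principal; the engineer passes both. The same engineer coming from outside the LAN is denied by the perimeter and allowed by zero trust, which is the point: the decision follows identity and device state, not network location.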
Overcoming challenges
When it comes to critical infrastructure, the risks are limitless, but the resources aren’t.
Requiring and enforcing minimum resilience and security standards, along with encouraging baseline cyber hygiene and information-sharing, reinforces that safeguarding national infrastructure is a shared responsibility.
While OT presents real challenges to implementing zero trust and modern security, a whole-of-government approach that supports greater collaboration, modern technology with zero trust capabilities, standardization, and accountability is the only way to secure our critical infrastructure ecosystem and mitigate the risk of disruptive and destructive cyberattacks.
Hansang Bae is Public Sector Chief Technology Officer at Zscaler, a California-based cloud security company.