One of the most infamous cyberattacks on critical infrastructure, or CI, occurred in May 2021, when the Colonial Pipeline was hit with ransomware. The breach resulted in a shutdown of pipeline operations, a gasoline shortage and a spike in fuel prices.

But the attack, which targeted billing systems, didn’t cause the shutdown. Rather, the pipeline’s operators turned off pumping systems over concerns the attackers could gain control of operational technology, or OT, and place public safety at risk.

The incident illustrates the unique issues that are involved in cybersecurity for CI such as petroleum pipelines, power stations, electric utilities, water treatment plants, dams, ports, and mass transport systems. Exploits that target IT might result in exposed data or business disruption. Attacks involving OT could result in injury, illness, or worse across cities or regions.

That’s why operators of CI manage OT differently from how typical organizations handle IT. Most enterprises continually upgrade systems, with a focus on protecting data. CI operators deploy systems once and hope not to change them for years, with an emphasis on maintaining safety.

But OT-specific approaches are no longer adequate for safeguarding CI, for two reasons. First, OT and IT are becoming interconnected as OT becomes digitized. Second, quantum computing could soon render existing password and data encryption strategies obsolete.

In response, CI operators should borrow approaches from IT security protocols but apply them in OT-specific ways. In particular, they need to conduct thorough risk assessments, embrace zero trust security, and implement micro-segmentation to safeguard CI.

Adapting IT security to OT needs

Where IT people talk about “5 nines” of uptime, or 99.999% availability, OT pros think in terms of 11 nines. Both groups use the term “reliability,” but the difference in degree becomes a difference in kind.

It’s part of why OT managers adhere to the Purdue Model, a framework for industrial control system security, developed at Purdue University in the 1990s. The Purdue Model emphasizes segmentation of operations, processes, controls, and sensors to protect OT from cyberattacks. OT is completely isolated from IT, with the equivalent of a demilitarized zone between them.

The Purdue Model remains a bedrock of OT security. But it’s no longer sufficient, because OT properties are no longer truly separated from IT. OT systems rely on expanding networks of IoT devices. They’re increasingly monitored over remote connections. Some are disconnected from the internet but connected to corporate IT. Others are cut off from IT but exposed to the internet.

Today, CI needs a holistic approach to OT security that adapts traditional IT cyber practices to overcome the shortcomings of piecemeal OT protections.

Know your OT enemies and exposures

Strengthening OT security for the quantum era starts with risk assessment. Many organizations lack a clear picture of how their OT systems are vulnerable – and the potential consequences of those vulnerabilities.

CI organizations can use assessment tools designed for IT security to identify all the resources on the network, down to the firmware level, and uncover security gaps. Keep in mind that if an assessment tool can find a resource on the network, so can an attacker.

An effective tool should provide the organization with a risk score. But remember that the tool is likely designed for IT, not OT. The organization needs to understand how the tool calculated the risk score and then factor in OT requirements to gain a true understanding of the vulnerabilities. The CI organization can then prioritize remediations based on the likelihood of attack, the sensitivity of the data, and the criticality of the infrastructure.

Zero Trust with temporal authentication

The federal government has mandated a zero trust approach to cybersecurity, and organizations like NIST have issued zero trust frameworks. While zero trust covers multiple pillars of cybersecurity, from identities to data, the basic idea is “never trust, always verify.”

That means authentication of any user or system that requests access to a resource should be temporary. Every entity should re-authenticate for every resource, every time it wants access. That way, a malicious actor can’t break into the network and gain de facto access to everything.

Zero trust replaces perimeter-focused, defense-in-depth security that hardens the edges but leaves the center vulnerable. It shifts the focus of security to users, which typically are the most vulnerable component of the infrastructure.

Zero trust dovetails with risk assessment, because it’s risk-based. It tailors access control to each entity that wants access. It’s ideal for centralized, mission-critical OT systems supported by a growing number of IoT devices at the edge.

Micro-segmentation for stronger security

The third piece of the OT security puzzle is micro-segmentation. Traditional segmentation involved roadblocks like firewalls and virtual LANs. Micro-segmentation is more sophisticated, enabling organizations to isolate any user, application, or device, no matter where it appears in the infrastructure.

Micro-segmentation is based on identity, with the assumption of least-privilege access. For example, a developer might be granted access to a portion of the system that requires an upgrade but be prevented from accessing any other part of the infrastructure.
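The two ideas above, re-authentication for every resource and identity-based least privilege, can be combined in one access check; the sketch below is an added example, not part of the original article or any product it alludes to. The identities, resource names, signing key and 60-second lifetime are hypothetical, and the HMAC grant stands in for whatever an identity provider would issue.

```python
import hashlib
import hmac
import time

# Constructed sample values: key, identities and resource names are hypothetical.
SIGNING_KEY = b"demo-key-not-for-production"
GRANT_TTL = 60  # seconds a grant stays valid (assumed value)

# Identity-based segments: each identity maps to the only resources it may reach.
POLICY = {
    "dev-alice": {"hmi-patch-staging"},
    "historian-svc": {"plc-telemetry-read"},
}

def _mac(identity, resource, expires):
    msg = f"{identity}|{resource}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_grant(identity, resource, now=None):
    """Return a grant bound to exactly one resource, or None (default deny)."""
    now = time.time() if now is None else now
    if resource not in POLICY.get(identity, set()):
        return None
    expires = int(now) + GRANT_TTL
    return {"identity": identity, "resource": resource,
            "expires": expires, "mac": _mac(identity, resource, expires)}

def check_access(grant, resource, now=None):
    """Verify integrity, resource binding, expiry and current policy."""
    now = time.time() if now is None else now
    if grant is None:
        return False
    expected = _mac(grant["identity"], grant["resource"], grant["expires"])
    if not hmac.compare_digest(expected, grant["mac"]):
        return False  # grant was altered after it was issued
    if grant["resource"] != resource:
        return False  # a grant for one segment is useless in another
    if now >= grant["expires"]:
        return False  # stale grant: the entity must re-authenticate
    # Re-check policy so a revoked entitlement takes effect immediately.
    return resource in POLICY.get(grant["identity"], set())
```

Because each grant names a single resource and expires quickly, a stolen or replayed grant does not give access to any other segment.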

In the past, segmentation required extensive planning and system upgrades that could take months to realize. In contrast, a micro-segmentation solution based on software-defined networks can be rolled out in one or two weeks. Agencies can deploy either on-prem or in the cloud, with no need to replace hardware.

The OT systems that control critical infrastructure involve unique security and safety requirements. But they’ll increasingly intersect with IT systems and face new vulnerabilities in the quantum computing era. By leveraging risk assessment, zero trust, and micro-segmentation, OT operators can adapt to these challenges while maintaining their traditional focus on CI safety and continuity.

Darren Pulsipher is Chief Solutions Architect Public Sector at Intel Corp.

Have an opinion?

This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.
