
National Security Memorandum on Critical Infrastructure

In July 2021 President Biden issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. It directed the Department of Homeland Security to work with the Department of Commerce to develop cybersecurity performance goals intended to drive adoption of new practices and internal controls across critical infrastructure.

“The degradation, destruction or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

The Memorandum was a follow-up to Executive Order 14028, which set specific cybersecurity objectives for all federal agencies. In the recently released performance goals, CISA detailed nine areas in which every company within critical infrastructure, and specifically energy, communications, transportation, and water, should have both a baseline implementation and an enhanced implementation.


Zero Trust Architecture

Both the Executive Order and the National Security Memorandum share many of the same targets. One of these is the overarching goal of implementing a Zero Trust Architecture throughout an organization. Zero trust architecture is not a product you can buy but a set of organization-wide processes that work together. It removes the assumption that anything inside the network perimeter is trustworthy, so the same controls apply inside the perimeter as at its edge. The goal is to authenticate legitimate actors and grant them only the rights they need to perform their work, and nothing else.


Five Pillars of Zero Trust

There are five pillars to zero trust architecture: Identity, Data, Devices, Applications and Systems. Zero trust is a model of continuous authentication and per-activity authorization, decided on the identity of the entity (a user or a device) and the context of the activity. You should create one digital identity per person and recognize that identity across the enterprise. Multiple factors of authentication need to be used at the application level, and least privilege needs to be enforced wherever it is possible.


Identity

Identity is at the heart of Zero Trust. Every step of the process calls for an authenticated identity for both people and devices. In the utility environment, identity is used to grant permissions to the people and devices that need to issue commands on the OT network, access information in traditional IT systems, or be granted physical access to an area such as a substation control house.

To achieve a high level of confidence that a request is valid, organizations need to use multiple factors of authentication from different categories: something you have, something you know and something you are. Something you have is a strong credential such as a smart card or a derived mobile credential. Something you know is a PIN that you have set up for yourself. Something you are is a biometric factor such as a fingerprint. Two factors from the same category (two passwords, for example) do not give the same assurance as two factors from different categories.

Once identity is properly authenticated, the proper access can be granted. The principle of Least Privilege is a cybersecurity best practice and a fundamental step in protecting authorized access to high-value data, devices, applications and systems. In a proper zero trust environment, access is granted only on a per-session basis, it expires with the session rather than persisting, and every access request is logged, whether it is allowed or denied.
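To make the identity pillar concrete, the following is an added illustration (not code from the article or from XTec) of a policy decision point that evaluates a single OT command request against the rules described above: the identity must not be revoked, the device must have authenticated with a certificate, the factor categories presented must match the sensitivity of the command, the command must fall within the least-privilege role map, and every decision is written to an audit log. The role names, command verbs, device fields and sample requests are all constructed assumptions for the example.

```python
"""Hypothetical zero-trust policy decision point for OT control commands.

Added example, not the article's or XTec's code. Roles, command verbs,
factor categories and the sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Factor categories from the article: something you have / know / are.
BASELINE_FACTORS = frozenset({"have", "know"})          # two distinct categories
HIGH_IMPACT_FACTORS = frozenset({"have", "know", "are"})  # all three for risky commands

# Commands whose effect on the grid warrants the stricter factor set (assumed).
HIGH_IMPACT_COMMANDS = frozenset({"open_breaker", "close_breaker"})

# Least-privilege role map: role -> command verbs it may issue (assumed roles).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "operator": frozenset({"read_telemetry", "open_breaker", "close_breaker"}),
    "technician": frozenset({"read_telemetry", "read_config"}),
    "viewer": frozenset({"read_telemetry"}),
}

SESSION_TTL_SECONDS = 300  # access is per-session and expires; value assumed


@dataclass(frozen=True)
class Identity:
    subject: str                        # the one enterprise-wide digital identity
    roles: FrozenSet[str]
    factors_presented: FrozenSet[str]   # categories verified in this session
    revoked: bool = False               # enterprise-wide revocation flag


@dataclass(frozen=True)
class Device:
    device_id: str
    cert_authenticated: bool   # device proved possession of an enterprise-issued certificate
    managed: bool              # configured by the enterprise (False models BYOD)


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    command: str
    target: str   # e.g. a breaker identifier in a substation


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    session_ttl_s: int


AUDIT_LOG: List[dict] = []   # every request is recorded, allowed or not


def evaluate(req: Request, now: Optional[datetime] = None) -> Decision:
    """Return an allow/deny decision for one command, logging the outcome."""
    reasons: List[str] = []

    if req.identity.revoked:
        reasons.append("identity revoked")
    if not req.device.cert_authenticated:
        reasons.append("device did not authenticate with a certificate")

    high_impact = req.command in HIGH_IMPACT_COMMANDS
    required = HIGH_IMPACT_FACTORS if high_impact else BASELINE_FACTORS
    missing = required - req.identity.factors_presented
    if missing:
        reasons.append(f"missing authentication factors: {sorted(missing)}")
    if high_impact and not req.device.managed:
        reasons.append("high-impact command from an unmanaged (BYOD) device")

    # Least privilege: the union of the subject's role permissions must include the verb.
    permitted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in req.identity.roles))
    if req.command not in permitted:
        reasons.append(f"command '{req.command}' not permitted for roles {sorted(req.identity.roles)}")

    allowed = not reasons
    decision = Decision(allowed, reasons or ["all checks passed"],
                        SESSION_TTL_SECONDS if allowed else 0)
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "subject": req.identity.subject,
        "device": req.device.device_id,
        "command": req.command,
        "target": req.target,
        "allowed": allowed,
        "reasons": list(decision.reasons),
    })
    return decision


if __name__ == "__main__":
    # Constructed sample: an operator on a managed HMI with all three factor categories.
    alice = Identity("alice", frozenset({"operator"}), frozenset({"have", "know", "are"}))
    hmi = Device("hmi-01", cert_authenticated=True, managed=True)
    print(evaluate(Request(alice, hmi, "open_breaker", "sub7/cb12")))
    # Same operator with only card + PIN: enough to read telemetry, not to trip a breaker.
    alice_2fa = Identity("alice", frozenset({"operator"}), frozenset({"have", "know"}))
    print(evaluate(Request(alice_2fa, hmi, "open_breaker", "sub7/cb12")))
    for entry in AUDIT_LOG:
        print(entry)
```

The decision function deliberately collects every failing check rather than returning on the first one, so the audit record shows the full picture of why a request was refused; a real deployment would also verify the device certificate chain and the factor assertions cryptographically rather than trusting booleans in the request.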


Data

Systems and applications deliver the critical data used to run utilities. Protecting the availability and integrity of that data is central to defending against a cyberattack. Utilities must make decisions based on trusted and available information, and that information must also be accurate, since altered or malicious data can distort the decisions made on it.


Devices

Devices run utility applications across the entirety of the transmission and distribution grid. They depend on secure communications and commands for human to device and device to device interactions. Implementing security on devices throughout the grid is highly important whether those devices are in control houses, substation yards or on a distribution pole remotely located 10 miles away from the nearest substation. If it opens, closes, lowers or increases something – secure it.


Applications

Modern utilities run applications across their OT networks. These applications should include the same high security levels of authentication, validation and authorization as enterprise applications if not more so. These applications should use multifactor authentication, enforce least privilege and be properly segmented on the network.


Systems

The systems that utilities run on should never be treated as an implicit trust zone. All traffic should be encrypted and all connections should be authenticated. Assets on the system may not be owned or configured by the enterprise, so the design must account for BYOD rather than assume every endpoint is managed. Utility systems should maintain strong trust boundaries between the levels of the control hierarchy and between different control systems.


Identity and Access Management

The core tenets of zero trust are greatly strengthened by a highly secure identity and access management system that can authenticate, validate and authorize both people and devices, and the commands they generate, to access the data, devices, applications and systems that make up a utility organization. An IAM system should cover IT, OT and physical assets and systems, and should be built on a single digital identity per entity that can be updated or revoked enterprise-wide in one step.


National Security Memorandum

The memo calls for more than Zero Trust. It should be regarded as the building block for every organization within critical infrastructure: a set of achievable goals and objectives for preventing the next cyberattack, whether it comes from a nation-state or from a criminal looking to hold your utility to ransom for a big payday.



Danny Vital is a senior cybersecurity engineer at XTec, Inc. To learn more about strong authentication, read his article about the Oldsmar water cyberattack and how it could have been prevented here on Energy Central: https://energycentral.com/c/iu/water-cyberattack-highlights-need-strong-authentication
