How Zero Trust can stop the catastrophic outcomes of cyberattacks on critical infrastructure

Over the last few years, the essential organisations and services that support our society have become increasingly vulnerable to sophisticated cyberattacks.

So much so that a recent joint cybersecurity advisory from US, UK and Australian agencies reported that 14 of the 16 US critical infrastructure sectors—including emergency healthcare, food and agriculture, and energy distribution—were hit by ransomware last year (2021). In fact, 83% of critical infrastructure organisations globally are reported to have suffered at least one breach in the last three years.

CNI organisations have traditionally relied on legacy technology, and as they transition to cloud and hybrid environments, outdated internet-facing systems that were never designed for exposure create vulnerabilities, often unknown to their owners, that threat actors can readily exploit.

CNI organisations are also constantly expanding their operational connectivity: more systems, networks, and devices are being interconnected to make national services widely accessible. For example, most national service providers can share data digitally between themselves to offer more informed and convenient services to consumers. This continuously expanding interconnectivity lets threat actors exploit IoT vulnerabilities more effectively. After breaching a single point of entry, attackers can move laterally to compromise the entire network.

Weak access control is the common thread running through these problems, which makes a Zero Trust security model the natural response. Successful cyberattacks on critical infrastructure have the potential to cripple nations, and only by segmenting the network and adopting an “assume breach” mentality can CNI organisations contain sophisticated attacks once an attacker is inside. A Zero Trust framework gives organisations a structure for building both practices into their security architecture.

The long-term impact of successful cyberattacks on critical infrastructures 

The urgent necessity of Zero Trust should be recognised by every government and CNI provider around the world if they are to have any hope of mitigating sophisticated attacks like ransomware. Critical infrastructure is the backbone of a country’s economy and social order. It is impossible to maintain a sustainable society when sectors like emergency healthcare, energy distribution, food and agriculture, education, and financial services are constantly under disruptive threat.

In May 2021, the US government issued an executive order requiring federal agencies to improve their cybersecurity posture and recommending a move toward a Zero Trust architecture. Following this executive order, the Pentagon launched a Zero Trust office in December 2021, and in January 2022 the Biden administration underlined the urgency of the move by mandating that all federal agencies achieve specific Zero Trust goals by the end of Fiscal Year 2024.

The US government’s urgent transition toward Zero Trust is evidently based on its experience of the damaging cyber incidents that dominated the headlines over the last few years. Most recently, the Colonial Pipeline ransomware attack in May 2021 caused fuel shortages in several states. The company supplies roughly 45% of the fuel consumed on the East Coast, including fuel used by the military, and the attackers got in through a legacy VPN account that was not protected by multi-factor authentication, exactly the kind of implicitly trusted network entry point that Zero Trust is designed to remove. The SolarWinds supply-chain compromise disclosed in the previous year gave attackers access to the networks of several federal agencies, including the Department of Homeland Security.

These are just two examples of the thousands of cyberattacks on CNI sectors globally that have caused significant economic and social damage. And this is just the tip of the iceberg: CNI attacks also pose a serious threat to human lives. The 2017 Triton malware attack on a Saudi petrochemical plant targeted the plant’s safety instrumented system, the controllers that exist to prevent explosions and toxic gas releases. The attackers had gained the ability to disable those controllers; the plant shut down safely only because the malware tripped them into a fail-safe state instead. Had the safety system been disabled as intended, the attack could have resulted in mass casualties.

Based on current trends, it is evident that the targeting of CNI organisations will continue to increase in the coming years. Governments and CNI organisations around the world urgently need to take an approach similar to the US executive order and start implementing Zero Trust now, before they are forced to learn from a nation-crippling cyber incident of their own.

Understanding the specifics of Zero Trust  

The Zero Trust framework is based on a ‘never trust, always verify’ mindset: every user and device that wants to reach a resource must have its identity and access privileges verified, regardless of which network it is connecting from. This verification is required every time a user wants to access any application, system, or tool within the critical infrastructure estate, whether it is hosted in the cloud or on on-prem systems. Importantly, Zero Trust Network Access (ZTNA) technologies are context-aware: they continuously monitor user and device security posture throughout each session and adjust or revoke access as that posture changes.

As critical infrastructure continues to run a unique blend of legacy technology and IoT systems, it is extremely challenging for security teams to keep up with monitoring and identifying new vulnerabilities. That is why CNI organisations need to move away from conventional perimeter-based security and adopt a Zero Trust framework that grants access only to authenticated users and devices whose identity and posture have been verified. A Zero Trust approach establishes identity-based access control within an organisation, reducing the risk from external attackers and from compromised insiders alike.

Sophisticated attacks like ransomware usually start either by tricking an employee into executing a malicious payload or by exploiting internet-exposed systems. Zero Trust solutions broker every connection through a policy enforcement point, so a session can be terminated as soon as the device’s posture degrades or malicious traffic is detected, cutting attack paths before they reach their target and removing whole classes of attack vector. Implementing ZTNA allows organisations to cloak the network and create micro-perimeters, ensuring that users connect directly and only to the applications and resources they need, instead of being granted access to the entire network by default. If a device or application is compromised, the damage is contained within that small perimeter rather than spreading to other assets.
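To make the ‘never trust, always verify’ and micro-perimeter behaviour described in the two paragraphs above concrete, here is a small simulated policy enforcement point. It is an added illustration, not Appgate SDP or any other product’s code: the application names, roles, posture fields and risk thresholds are all assumptions constructed for the example. It shows per-application default deny, a check of identity plus device posture on every connection, continuous re-evaluation that terminates a session when posture degrades mid-session, and the failure of a lateral-movement attempt from a compromised account.

```python
"""Simulated Zero Trust policy enforcement point (PEP).

Added example, not vendor code. Every app, role and posture field below is
an assumption made up for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: only the listed roles, only from devices that
    meet the posture bar. Anything not listed is unreachable (default deny)."""
    name: str
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    max_risk: int = 3  # assumed device risk score threshold (0 = clean)


@dataclass(frozen=True)
class Context:
    """Identity plus device posture presented with every request."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    device_risk: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: AppPolicy, ctx: Context) -> Decision:
    """Identity is necessary but not sufficient: posture is checked too."""
    if not policy.allowed_roles & ctx.roles:
        return Decision(False, f"role not permitted for {policy.name}")
    if policy.require_mfa and not ctx.mfa_verified:
        return Decision(False, "MFA required")
    if policy.require_managed_device and not ctx.device_managed:
        return Decision(False, "unmanaged device")
    if ctx.device_risk > policy.max_risk:
        return Decision(False, f"device risk {ctx.device_risk} exceeds {policy.max_risk}")
    return Decision(True, "ok")


class PolicyEnforcementPoint:
    """Brokers every connection; there is no 'on the network' state to inherit."""

    def __init__(self, policies: List[AppPolicy]) -> None:
        self.policies: Dict[str, AppPolicy] = {p.name: p for p in policies}
        self.sessions: Dict[int, Tuple[str, Context]] = {}
        self._next_id = 1

    def connect(self, app: str, ctx: Context) -> Tuple[Optional[int], Decision]:
        policy = self.policies.get(app)
        if policy is None:  # cloaked: unknown apps are indistinguishable from denied ones
            return None, Decision(False, "no such app")
        decision = evaluate(policy, ctx)
        if not decision.allowed:
            return None, decision
        sid, self._next_id = self._next_id, self._next_id + 1
        self.sessions[sid] = (app, ctx)
        return sid, decision

    def reevaluate(self, sid: int, new_ctx: Context) -> Decision:
        """Continuous verification: re-run policy on a posture change and
        terminate the live session if it no longer passes."""
        app, _ = self.sessions[sid]
        decision = evaluate(self.policies[app], new_ctx)
        if decision.allowed:
            self.sessions[sid] = (app, new_ctx)
        else:
            del self.sessions[sid]
        return decision

    def reachable_apps(self, ctx: Context) -> List[str]:
        """The micro-perimeter a given identity/device can even see."""
        return sorted(n for n, p in self.policies.items() if evaluate(p, ctx).allowed)


def run_demo() -> Dict[str, object]:
    """Walk through a constructed scenario and return the outcomes."""
    pep = PolicyEnforcementPoint([
        AppPolicy("scada-hmi", frozenset({"ot-engineer"}), max_risk=1),
        AppPolicy("hr-portal", frozenset({"hr", "ot-engineer"})),
        AppPolicy("finance-erp", frozenset({"finance"})),
    ])
    alice = Context("alice", frozenset({"ot-engineer"}), True, True, 0)
    # Attacker holding alice's stolen password: right role, no MFA, own laptop.
    attacker = Context("alice", frozenset({"ot-engineer"}), False, False, 0)

    sid, first = pep.connect("scada-hmi", alice)
    _, stolen = pep.connect("scada-hmi", attacker)
    _, hidden = pep.connect("legacy-vpn", alice)
    # Mid-session, endpoint telemetry raises alice's device risk (assumed EDR alert).
    degraded = pep.reevaluate(sid, replace(alice, device_risk=5))
    _, lateral = pep.connect("finance-erp", alice)
    return {
        "alice_reachable": pep.reachable_apps(alice),
        "alice_scada": first.allowed,
        "attacker": stolen.reason,
        "hidden": hidden.reason,
        "after_compromise": degraded.allowed,
        "session_alive": sid in pep.sessions,
        "lateral": lateral.reason,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The instructive part is `reevaluate`: a conventional VPN would have kept alice’s session open after her laptop was flagged, whereas the PEP tears it down and makes her re-prove her posture. Note also that `finance-erp` is never reachable from alice’s context, so a compromised engineering account has no path to it regardless of what else the attacker controls.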

A Zero Trust model directly reduces the critical cyber risk that stems from unknown vulnerabilities, because an exploited system no longer grants an attacker the run of the network. CNI organisations that implement Zero Trust will significantly mitigate the impact of cyberattacks and help prevent the next major security incident from becoming a national crisis.

About the Author 

Kurt Glazemakers is CTO at Appgate. Appgate brings together a set of differentiated cloud- and hybrid-ready security and analytics products and services. These include Appgate SDP, the industry’s leading Software-Defined Perimeter solution, the Consumer Access suite of Risk-Based Authentication and Digital Threat Protection capabilities and the company’s Immunity range of offense-oriented software and adversary simulation services. Today, these products secure more than 1,000 organizations across 40 countries.

Featured image: ©Red150770