Traditional Cybersecurity is no Longer Enough to Protect Critical Infrastructure Networks


The previous gold standard of air gapping digital and physical systems isn't feasible.

When it comes to protecting the availability and security of critical infrastructure, the gold standard in cybersecurity has long been air gapping: a hard physical break between information technology and operational technology systems.

In today’s environment, this approach is no longer sufficient—nor is it even feasible. IT and OT are too closely interwoven, and organizations rely on direct connectivity between the two. As such, an incursion into one inevitably will impact the other.

That was evident with last year’s Colonial Gas Pipeline hack, where bad actors infiltrated one system and successfully moved onto the rest of the IT network with ransomware. Even though the company’s OT networks were not initially compromised, it was one of the more prominent reminders that hackers have critical infrastructure squarely in their sights, and the situation is escalating.

Given the number of recent attacks on critical infrastructure organizations, the Cybersecurity & Infrastructure Security Agency warned about a “heightened cyber threat to critical infrastructure organizations” as Russia invaded Ukraine.

So, what can organizations do to better protect themselves against rising threats? 

Rethinking traditional defenses

In the current threat environment, critical infrastructure organizations need a better and more robust approach to cybersecurity—one that considers the increasing convergence of IT and OT systems. Availability is critical and cannot be compromised as it was with the Colonial Pipeline.

Air gapping has been helpful in the past when IT and OT systems were largely independent. However, as we saw with the Colonial Pipeline attack, OT grows more heavily reliant on information flowing from IT systems, making it increasingly impractical to implement more secure data separation between these systems.

Firewalls are a necessary safeguard, but they aren’t sufficient to the task at hand. As a general-purpose defense, a firewall alone won’t deliver the robust security needed to protect the nation’s most vital installations.

Some have implemented “diodes”—unidirectional security gateways placed between two networks with different levels of security—to control the flow of information. But diodes don’t check what’s flowing through; they just restrict movement, passing data blindly in one direction. That’s helpful up to a point, and can work as part of a layered solution, but it does not in itself address the need for secure communications between IT and OT.

Alternative approaches, including cross-domain solutions, should now be considered.

Modern cybersecurity: isolation with communication

A cross-domain solution straddles different domains with different security sensitivities, where operators need some degree of connectivity but cannot afford to allow an open flow of data. With this approach, the IT and OT systems are isolated from one another but can still communicate. The cross-domain solutions in place ensure that only the defined data required for operation is allowed to pass, and all other data is blocked. With these solutions, it becomes possible to facilitate data transfers across the IT and OT boundary without opening these systems to potential cyber exploits, as they would be with only a diode or firewall in place.

Organizations can take this defense one step further to protect their IT networks with Zero Trust Content Disarm and Reconstruction, which assumes that data entering the network from outside is unsafe or hostile. ZT CDR stops known and unknown threats, zero-day attacks and malware. It extracts the valid business data from email attachments and downloaded files and reconstructs the files with only the good data, ensuring the files are clean and safe to use. 

Bad actors routinely embed malware in complex code, often hidden within seemingly harmless files such as MS Office, PDF or image files. Many times, these files bypass standard virus scanning. ZT CDR strips these files down to their basic information and then rebuilds them, minus the harmful code, the destructive elements—anything that shouldn’t be in there. This approach is also more effective than virus scanning, and faster and less expensive than sandboxing.
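The two ideas above, passing only defined data across the boundary and rebuilding content from validated parts instead of forwarding the original, can be sketched as a small content guard. This is an added example, not code from the article or from any vendor product; the JSON message format, the field names, the limits and the sample message are all assumptions constructed for illustration.

```python
import json

# Hypothetical schema for an IT-to-OT setpoint message (constructed for this example).
# Each field maps to (exact expected type, validator for the parsed value).
SCHEMA = {
    "station_id": (str, lambda v: v.isalnum() and len(v) <= 16),
    "setpoint_psi": (int, lambda v: 0 <= v <= 1500),
    "mode": (str, lambda v: v in {"auto", "manual"}),
}
MAX_BYTES = 1024  # assumed upper bound for a legitimate message


class Blocked(Exception):
    """Raised when a transfer must not cross the boundary."""


def guard_transfer(raw: bytes) -> bytes:
    """Validate an inbound message and return a rebuilt copy, or raise Blocked."""
    if len(raw) > MAX_BYTES:
        raise Blocked("oversized message")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError):
        # Malformed encoding, malformed JSON, or pathological nesting.
        raise Blocked("not well-formed") from None
    if not isinstance(doc, dict):
        raise Blocked("top level must be an object")
    rebuilt = {}
    for name, (typ, ok) in SCHEMA.items():
        value = doc.get(name)
        # Exact type match: bool is a subclass of int and must not pass as one.
        if type(value) is not typ or not ok(value):
            raise Blocked(f"field {name!r} missing or out of policy")
        rebuilt[name] = value
    # Only validated fields are re-serialised; the original bytes never cross.
    return json.dumps(rebuilt, sort_keys=True, separators=(",", ":")).encode()


def decide(raw: bytes) -> str:
    """Return 'PASS' or 'BLOCK', e.g. for logging at the boundary."""
    try:
        guard_transfer(raw)
        return "PASS"
    except Blocked:
        return "BLOCK"


# Constructed sample: valid fields plus extra content the schema does not define.
SAMPLE = b'{"station_id":"PS07","setpoint_psi":850,"mode":"auto","note":"<script>x</script>"}'
```

A diode would forward `SAMPLE` unchanged; the guard forwards a new message holding only the three defined fields and refuses outright when a defined field is missing or out of range.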

ZT CDR can be used in conjunction with cloud-based security solutions that deliver key functionality as a service. For example, additional security mechanisms, such as remote browser isolation, can operate with ZT CDR. An RBI mechanism isolates all risky web browsing from the users on the IT network and allows data files to be exchanged only after they have been processed using ZT CDR.

The path forward

Taken together, cross-domain solutions and ZT CDR, supported by cloud-based remote browser infrastructure, offer a path forward for organizations tasked with securing critical infrastructure. A modernized approach achieves what air gapping and other traditional cybersecurity measures cannot: the needed collaboration between IT and OT, in a highly secure and available environment.

***

George Kamis is chief technology officer of Global Governments and Critical Infrastructure at Forcepoint. Previously he worked for Trusted Computer Solutions and the U.S. Naval Research Laboratory Center for High Assurance Computer Systems.
