Traditional Cybersecurity is no Longer Enough to Protect Critical Infrastructure Networks

When it comes to protecting the availability and security of critical infrastructure, the gold standard in cybersecurity has long been air gapping: a hard physical break between information technology and operational technology systems.

In today’s environment, this approach is no longer sufficient—nor is it even feasible. IT and OT are too closely interwoven, and organizations rely on direct connectivity between the two. As such, an incursion into one inevitably will impact the other.

That was evident with last year’s Colonial Gas Pipeline hack, where bad actors infiltrated one system and successfully moved onto the rest of the IT network with ransomware. It was one of the more prominent reminders that hackers have critical infrastructure squarely in their sights, and the situation is escalating—even though their OT networks were not initially compromised. 

Given the number of recent attacks on critical infrastructure organizations, the Cybersecurity & Infrastructure Security Agency warned about a “heightened cyber threat to critical infrastructure organizations” as Russia invaded Ukraine.

So, what can organizations do to better protect themselves against rising threats? 

Rethinking traditional defenses

In the current threat environment, critical infrastructure organizations need a better and more robust approach to cybersecurity—one that considers the increasing convergence of IT and OT systems. Availability is critical and cannot be compromised as it was with the Colonial Pipeline.

Air gapping has been helpful in the past when IT and OT systems were largely independent. However, as we saw with the Colonial Pipeline attack, OT grows more heavily reliant on information flowing from IT systems, making it increasingly impractical to implement more secure data separation between these systems.

Firewalls are a necessary safeguard, but they aren’t sufficient to the task at hand. As a general-purpose defense, a firewall alone won’t deliver the robust security needed to protect the nation’s most vital installations.

Some have implemented “diodes”—unidirectional security gateways placed between two networks with different levels of security—to control the flow of information. But diodes don’t check what’s flowing through; they just restrict movement, passing data blindly in one direction. That’s helpful up to a point, and can work as part of a layered solution, but it does not in itself address the need for secure communications between IT and OT.

Alternative approaches, including cross-domain solutions, should be now considered.

Modern cybersecurity: isolation with communication

A cross-domain solution straddles different domains with different security sensitivities, where operators need some degree of connectivity but cannot afford to allow an open flow of data. With this approach, the IT and OT systems are isolated from one another but can still communicate. The cross-domain solutions in place ensure that only the defined data required for operation is allowed to pass, and all other data is blocked. With these solutions, it becomes possible to facilitate data transfers between the IT and OT boundaries without opening these systems to potential cyber exploits, as with only a diode or firewall in place.

Organizations can take this defense one step further to protect their IT networks with Zero Trust Content Disarm and Reconstruction, which assumes that data entering the network from outside is unsafe or hostile. ZT CDR stops known and unknown threats, zero-day attacks and malware. It extracts the valid business data from email attachments and downloaded files and reconstructs the files with only the good data, ensuring the files are clean and safe to use. 

Bad actors routinely embed malware in complex code, often hidden within seemingly harmless files such as MS Office, PDF or image files. Many times, these files bypass standard virus scanning. ZT CDR strips these files down to their basic information and then rebuilds them, minus the harmful coding, the destructive elements—anything that shouldn’t be in there. This approach is also more effective compared to virus scanning, and faster and less expensive than sandboxing. 

ZT CDR can be used in conjunction with cloud-based security solutions that deliver key functionality as a service. For example, additional security mechanisms, such as remote browser isolation, can operate with ZT CDR. An RBI mechanism isolates all risky web browsing from the users on the IT network and allows data files to be exchanged only after they have been processed using ZT CDR.

The path forward

Taken together, cross-domain solutions and ZT CDR, supported by cloud-based remote browser infrastructure, offer a path forward for organizations tasked with securing critical infrastructure. A modernized approach achieves what air gapping and other traditional cybersecurity measures cannot: the needed collaboration between IT and OT, in a highly secure and available environment.

***

George Kamis is chief technology officer of Global Governments and Critical Infrastructure at Forcepoint. Previously he worked for Trusted Computer Solutions and the U.S. Naval Research Laboratory Center for High Assurance Computer Systems.