How to Protect Critical Infrastructure Access

Compliance and cybersecurity insurance force you to address standing privilege risks. Use identity and privilege management to do so.

January 22, 2024


By Chris Niggel, Regional CSO, Americas, Okta

Concerns about cybersecurity attacks against critical infrastructure are nothing new. By the time the Department of Homeland Security created the National Cyber Security Division (now part of CISA) in 2003, concern in the IT community was already running hot. The attackers seemed to have a leg up on defenders. They often still do. But enterprises that properly implement robust security systems are far less likely to be compromised in a significant way.

Critical infrastructure attacks happen all the time and all over the world. America's most recent major incident was the Colonial Pipeline ransomware attack in May 2021, which resulted in gasoline shortages and panic buying, mostly in the southern United States. In April 2022, ransomware attackers hit at least 25 agencies of the Costa Rican government, crippling some and leading the President to declare a state of emergency. Government services, including healthcare, were disrupted nationwide.

How Do Attackers Get In?

Certain attack techniques have always been popular among cybercriminals because they are powerful and the weaknesses they exploit are widespread, so the attacks frequently succeed. The most significant attacks of this kind exploit weakly protected network identities and poorly controlled privileges. The opening where the Colonial Pipeline attackers entered was an account in an old VPN that did not have multifactor authentication. The Costa Rica ransomware attackers also obtained privileged credentials that were not sufficiently protected.

How Do They Do All That Damage?

Such attacks give the attacker a foot in the door, but they don't necessarily get sufficient privileges to conduct a successful attack. The account they use to access the network may have limited privileges. Attackers will then try to move laterally in the network to an account with greater privileges and the ability to do real damage.

These attackers strike gold when they gain access to an account with standing privileges. This means the account always has privileged access whether or not it's needed. This can include full access to a critical resource, such as a database, a device, or just a particular file.

With this level of access, attackers can often do unthinkable damage, such as encrypting whole databases, stealing and/or deleting vast amounts of confidential data, or installing malware to monitor and interfere with operations.

Addressing Critical Infrastructure Access Risks

Identity and access management (IAM) can be a complex and difficult problem to tackle in a modern, heterogeneous enterprise. But with time, the right resources, and expertise, many organizations manage to solve it. An effective IAM solution allows you to set policies and deploy them where appropriate, even across the whole network. It automates common and important — but boring and error-prone — tasks like onboarding and password resets. It eases the widespread deployment of important security technologies like multifactor authentication.

For standing privileges, enterprises often deploy a different level of management, called privileged access management (PAM). PAM applies elevated protection to especially powerful and, therefore, dangerous accounts. It may apply additional security checks for users requesting access to the account, such as additional factors and geolocation. A good PAM solution allows time-limited access to the critical resource only after the user follows a defined approval procedure. The PAM solution also logs everything it and users do for audits and debugging purposes.

The goal of a trustworthy PAM implementation is to eliminate standing privileges. All privileged access must be approved, and users who get approval don't see the actual credentials. Some powerful accounts, such as the Linux root, Active Directory Domain Administrator, and database administrators, cannot be eliminated, but it's possible to minimize the need to use them.
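As an added example that is not code from the article or from Okta, here is a minimal just-in-time privilege broker in Python that follows the model described above: approval before access, a time-limited lease, the credential never shown to the requester, and an audit log of every step. The class, account and approver names are hypothetical, and the secret and timestamps are constructed.

```python
import secrets

# Added example, not code from the article or from Okta: a minimal just-in-time
# privilege broker. The secret never leaves the vault; an approved requester gets
# only an opaque, short-lived lease token, and every step is audit-logged.
# All names, secrets and timestamps below are constructed for illustration.

VAULT = {"db-admin": "constructed-password-never-returned"}
APPROVERS = {"alice"}

class JitBroker:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.pending = {}  # request_id -> (user, account, justification)
        self.leases = {}   # token -> (user, account, expires_at)
        self.audit = []    # (timestamp, event, detail)

    def _log(self, now, event, detail):
        self.audit.append((now, event, detail))

    def request(self, user, account, justification, now):
        if account not in VAULT:
            self._log(now, "request.denied", f"{user}: unknown account {account}")
            return None
        rid = secrets.token_hex(8)
        self.pending[rid] = (user, account, justification)
        self._log(now, "request", f"{rid} {user} -> {account}: {justification}")
        return rid

    def approve(self, approver, rid, now):
        req = self.pending.get(rid)
        # Unknown requests, non-approvers and self-approval are all refused.
        if req is None or approver not in APPROVERS or approver == req[0]:
            self._log(now, "approve.denied", f"{approver} on {rid}")
            return None
        user, account, _ = self.pending.pop(rid)
        token = secrets.token_urlsafe(16)  # opaque handle, not the credential
        self.leases[token] = (user, account, now + self.ttl)
        self._log(now, "approve", f"{approver} granted {rid} to {user} until {now + self.ttl}")
        return token

    def run_privileged(self, token, action, now):
        # The action runs inside the broker; the secret is used but never returned.
        lease = self.leases.get(token)
        if lease is None or now >= lease[2]:
            self.leases.pop(token, None)  # expired or unknown leases are revoked
            self._log(now, "use.denied", "expired or unknown lease")
            return None
        user, account, _ = lease
        self._log(now, "use", f"{user} acted as {account}")
        return action(account, VAULT[account])
```

Once the lease expires, the same token is refused and revoked, which is the "no standing privileges" property the article describes; the audit list is what an auditor would review.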

The cloud is an important component of all IT these days, and the industry is also moving to cloud-based solutions for IAM and PAM. They allow the solution partner to use its full resources to help protect your assets and manage distributed facilities and applications.

A cloud solution that combines IAM and PAM is more effective than either alone, as it uses a single directory for all identities rather than requiring synchronization between two or more. The user experience is likely to be more consistent as well.

Compliance and Insurance: Two Reasons to Act

Compliance obligations, especially for audits, are a compelling reason to adopt IAM and PAM solutions. A well-implemented system allows you to confidently say and demonstrate that you have protected access to critical resources. Nobody likes to spend money on cost centers such as security software. But disrupting revenue is even worse, and compliance failures can easily disrupt revenue. An effective IAM solution makes most aspects of maintaining IT compliance an accessible goal.

Anyone who buys cybersecurity insurance knows that costs and terms are getting worse. But, in the same way that auto insurance companies will lower your premiums if you demonstrate you are a safe driver, cybersecurity insurance companies may also lower premiums if you can demonstrate you take effective measures to prevent an attack. There is no better measure to demonstrate this than to implement IAM and PAM effectively.

Get Help

If it were easy to solve these problems, everyone would have done it already. But IT security at this level in a complex enterprise is a very hard problem to solve. That's why the custodians of critical IT infrastructure should involve a trusted partner in the solution. When choosing a partner, look for one with the experience, mature solutions, and expertise to customize the solution to your particular needs.

About the Author

Chris Niggel

Chris Niggel is the Regional CSO, Americas, at Okta, where he is responsible for corporate security compliance, third-party risk, and responding to customer security inquiries. Prior to Okta, Chris spent six years leading the adoption of cloud technologies at LinkedIn, helping them grow from 350 to over 6,800 employees. He started his career designing, developing, and delivering content management, system administration, and messaging solutions for customers such as Nestle, Cisco, AMD, Telus, and the US Department of Defense. During the winters, Chris has almost 15 years of experience as a ski patroller, search and rescue, and teaching ski mountaineering and outdoor survival.
