Resilient Critical Infrastructure Starts with Zero Trust
This article was originally published on MeriTalk on June 30, 2022.
From the Colonial Pipeline breach to the JBS ransomware attack, the past year has shown us that cyberattacks on U.S. critical infrastructure are more relentless, sophisticated, and impactful than ever before – and all too often threaten the economic stability and wellbeing of U.S. citizens.
Because of this, critical infrastructure protection remains a top focus for the Federal government. The Biden Administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO) laid out specific security mandates and requirements that agencies must meet before Fiscal Year 2024 in order to bolster organizational and supply chain resilience. One critical component the EO specifically articulated is the advancement toward a Zero Trust architecture – a cybersecurity methodology first introduced nearly a decade ago, and predicated on the principles of “least privilege” and “assume breach.”
In March 2022, President Biden reaffirmed the 2021 EO with his “Statement… on our Nation’s Cybersecurity”, again pointing to Zero Trust as a cybersecurity best practice as the U.S. looks to improve domestic cybersecurity and bolster national resilience in the wake of an emerging global conflict. Further, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 signed into law in March 2022 will require private sector infrastructure operators to report cyber incidents and ransomware payments to the government – boosting the U.S. focus on protecting critical infrastructure.
Embracing "assume breach"
In order to bolster ongoing resilience efforts, organizations across the Federal government and private industry alike must start taking a proactive approach to cybersecurity. This starts with rethinking the way we fundamentally approach security.
Digital transformation has dramatically expanded the attack surface. Today, modern IT architecture is increasingly a hybrid mix of on-premises, public clouds and multi-clouds – opening up new doors for attackers to not just gain access, but also move across environments with ease. As the frequency and severity of breaches continue to increase, our industry is rapidly adopting an “assume breach” mindset – an understanding that even with the best preventative and rapid detection technologies, breaches are going to happen.
Think of the recent cybersecurity industry shifts this way: The first security era was solely focused on protection. In a walled in, on-premises data center the focus was on perimeter security – build a digital wall and keep the bad guys out. About a decade ago, a wave of high-profile breaches woke us up to the fact that a wall can’t keep the bad guys out entirely. From there, the focus shifted from perimeter-only security to the second security era of rapid detection and response – find the bad guy quickly after they scale the wall.
Now we are in the third wave of security: Focus on containment and mitigation. This is where Zero Trust capabilities like Zero Trust Segmentation (i.e., microsegmentation) can help. For example, in the event that bad actors gain access to a Federal agency, Zero Trust Segmentation can help limit their impact by containing the intrusion to a single compromised system – vastly limiting access to sensitive data.
In fact, according to a recent study from ESG, organizations leveraging Zero Trust Segmentation are 2.1X more likely to have avoided a critical outage during an attack over the last 24 months, have saved $20.1M in the annual cost of downtime, and have averted five cyber disasters annually.
Going back to basics
As harrowing cyberattacks remain the norm, it’s never been more essential for critical infrastructure organizations to prioritize practicing and maintaining proper cybersecurity hygiene. Cyber hygiene is nothing revolutionary – it’s about adopting and putting the basics into practice, day in and day out.
In 2021, the White House issued a memo outlining key best practices for organizations looking to safeguard against ongoing ransomware attacks: make sure you’re backing up your data, patch when you’re told to patch, test your incident response plans, double check your team’s work (i.e., account for human error), and segment your networks, workloads and applications accordingly.
With proper cybersecurity basics in place, Federal agencies are better positioned to expand upon ongoing resilience efforts – like accelerating their Zero Trust journeys.
Building resilience starts now
In the end, prioritizing proactive, preventative cybersecurity approaches like Zero Trust, and mandating them at a national level, will have positive long-term benefits on the nation’s security posture and overall resilience. But good cybersecurity hygiene and building real resilience is an ongoing effort. It’s important to start small. For example, start by segmenting your most critical assets away from legacy systems. That way, if a breach occurs, it can’t spread across your hybrid architecture to reach mission critical information. From there, you can move to larger, wider resilience undertakings.
But as with any goal, it’s important to not make “perfect” the enemy of good. In other words, not having a perfect plan shouldn’t be a barrier to starting somewhere. What is important is getting started today. Bad actors are evolving, emerging and now rebranding – and any cybersecurity hygiene practice (big or small) helps uplift organizational resilience. In the end, especially when it comes to public sector operations, we’re all only as strong as the weakest link in our supply chain.
Remember “assume breach,” put the basics into practice, and prioritize securing your most critical infrastructure with Zero Trust security controls first.