Adopting Zero Trust to Avoid Critical Infrastructure Risks
Utility companies are highly vulnerable to cyber-attacks, but a structured Zero Trust approach can reduce risks and impacts in such a scenario
The risk of a cyber-attack against a utility service such as power, water, and gas suppliers, is immediate. It concerns government authorities due to its strong impact.
2021 showed exponential growth in ransomware attacks, targeting companies and governments worldwide, causing significant loss and uncertainty. However, when a cyber-attack affects a critical infrastructure provider, the potential to disrupt is higher. The media is full of stories on how cyber-attacks have impacted industries worldwide. This keeps increasing, pushing organizations to adopt defense solutions.
Two other cases in November 2021 did not have the same ending. The North American company Delta-Montrose Electric Association (DMEA), from Colorado, lost 25 years of data after a cyber-attack. The attack brought most of their internal network services down, affecting the help desk, payment processing, collecting systems, and other tools.
In November 2021, the Australian company CS Energy was hit by a cyber-attack which their CEO described as a growing and concerning trend. According to the Daily Telegraph, the attack was interrupted at the last minute, right before impacting two big coal plants. If successful, the attack would have cut the power supply from 1.4 to 3 million homes.
In May 2021, the most famous case was the Colonial Pipeline, offline after a ransomware attack. The 5,500 miles oil pipeline delivers fuel to refineries all over the Gulf Coast to New Jersey. It supplies almost half of the gasoline and diesel consumed on the US East Coast. A significant percentage of Virginia, Georgia, North Carolina, and South Carolina gas stations were out of fuel, according to GasBuddy. The attack was interrupted after a USD 4.5 million bounty payment was made to the hackers.
The Risk is Here, Now
Although most utility companies are aware of cyber-security risks, there are investment inconsistencies to protect their assets. The cyber risk may increase as digital transformation accelerates, and an example is a growing and complex demand to implement Smart Meters. Organizations must address risks immediately.
Several power suppliers have many business units to generate and distribute their resources. Some policies allow that the OT to use the IoT (Internet of Things) technology, as management solutions are not well proved – from a security point of view – to monitor operations, which might contain severe vulnerabilities. Added to a large and distributed workforce, contractors that need access to critical systems into utility companies, the lack of an access policy increases these organizations’ fragility. Supply chain attacks may come from those weak points.
The organizational design works better when the cyber-security team has visibility in the OT and IT networks. It allows leaders to think of architecture to prevent cyber-attacks on the company assets. An elemental infrastructure demands connectivity with an internet supply chain. Moreover, OT systems may demand connection with the IT network for data collection and maintenance, to name a few.
How do you address all these risks?
More Than a Solution
There is no single solution that fits all sizes and solves all problems, but Zero Trust significantly reduces risks. Zero Trust is leaving the ‘trend’ stage to become a cyber-security strategy for any business. 80% of organizations, according to App Gate research, will adopt Zero Trust in 2022, and 96% believe that implementing it will neutralize cyber-attacks.
Leadership is taking Zero Trust seriously.
In the opposite way of usual thinking, a power supply provider in Latin America recently adopted an innovative view about security, using the Zero Trust concept. And more organizations from the utility market are going in the same direction, for good.
Research from Symmetry Systems and Osterman Research released a report from 125 IT and security decision-makers of medium and large organizations detailing how they will implement Zero Trust. 53% said that ransomware was their worst issue and motivator, expecting that architecture would enhance cyber-security protection and block data violations by 144%.
Zero Trust architecture changes how organizations conceive of their IT and OT networks. In the old model, all equipment and devices were on the same network and trusted each other. The Zero Trust concept premise does not rely on anything: networks, machines, or users, requiring real-time authentication from who or what access data.
Mobile devices, cloud services, and work from home exponential growth pose a challenge to the Zero Trust model. It increases the adoption complexity. However, even in a conservative business space like power supply, focusing on the weakest and critical points eliminates the vulnerabilities generators.
According to several consulting firms’ research in recent years, the top vulnerabilities are:
- Credential stealing
- Lack of proper device and systems management
- No data encryption
Through an integrated platform, the Latin American Power Supply company adopted – as part of their Zero Trust strategy – a passwordless strategy to guarantee user non-repudiation, avoiding credential stealing, a usual technique for phishing and malware.
Once the user authenticates on critical IT asset management (servers, websites, databases, cloud services, certificates, and more) it gets managed from a unique point. Users access their resources – only the ones which they need for their tasks, the least privileged – without knowing credentials. This approach adds a security layer, guiding users to reach resources only through the Critical Asset Management platform. In a more robust configuration, managers can configure resources to be accessible only inside the solution, avoiding direct access from the internet. This extra layer avoids cyber-attacks like DDoS – Distributed Denial of Service.
All user access to systems, local or remote, occurs through a secure, audited tunnel. This access method eliminates the VPN (Virtual Private Network) risk, which happens to be an attack vector in several recent scenarios. VPNs also generate IT management overheard due to certificates creation and distribution, passwords, client software installation, to name a few.
The adopted solution allows OT network management, especially new devices that demand internet connection. The platform handles the IT and OT elements with the same approach, complying with Zero Trust. These two worlds tend to live in the same environment to satisfy the ongoing digital transformation, managed from a unique console for ease administration.
Zero Trust architecture is not limited to the workforce but is essential for contractors and suppliers who access internal IT and OT systems. Organizations must pay attention to the supply chain as a cyber-security attack surface. Managing it is a critical issue, and Zero Trust can help.
The most notable cyber-security supply chain event occurred at the beginning of 2020. When hackers silently entered the SolarWind’s network to inject malicious code into their software, it all started. At the time, several organizations worldwide were using the Orion system to manage their networks. SolarWind’s had 33,000 clients using Orion, according to SEC documents; and reported that 18,000 were affected by the malicious code. As SolarWind’s have many high-level clients, including Fortune 500 companies and US government agencies, the violations had a significant impact.
David Kennedy, an ex-Marine who led US cyber-security military missions and the NSA (National Security Agency), told CNBC that a threat to supply chain is something that keeps him awake at night. According to him, this kind of attack has the potential to freeze world operations.
All the previous tactics target the organization’s operations, sensitive data protection. It also aims to comply with data privacy regulations (like the Brazilian LGPD and the recent IoT regulations from the UK and the US), in addition to the best cyber-security practices in the market.
What Comes Next?
Cyber-security strategies, like Zero Trust, are an ongoing work, it should never stop. Keep searching, and improving, the best security practices are a must, as cyber-criminals are always pushing and exploring vulnerabilities.
Compliance with data protection regulations is also a constant requirement. It enables organizations to run their core businesses, aligned with the international legislation, while raising the bar to make exploitation harder for internet criminals.
In addition to cyber-security resilience, Zero Trust architecture implementation by the Latin American Power Supply company covered the Brazilian LGPD (General Data Protection Law) compliance requirements. The platform can audit, log, record resource sessions, and more. Their next step is to protect legacy IoT and OT devices, using the same strategy.
Return on Investment with Zero Trust
Reducing the Risk of Data Breach
Reducing the risk of data breach can reach up to 50%
In medium and large companies, savings can be as much as $20 per employee per month. Advanced Auditing can reduce by up to 25%.
Technical support calls can be reduced by up to 50%. Agility to deliver new infrastructure can be reduced by up to 80%.
GDPR – Overview of Fines and Penalties
Insufficient legal basis for data processing
Insufficient legal basis for data processing
Non-compliance with general data processing principles
How it Works?