Identity Security and the Future of Critical Infrastructure Operations

Image credit: iStockphoto/Quardia

Across the globe, demand for critical services is rising alongside population and economic growth. In Singapore, the water demand is expected to double by 2065, with non-domestic sectors making up 60 percent of the usage, according to the Public Utilities Board (PUB).

Similarly, the Energy Market Authority (EMA) found that industrial organizations were the largest electricity consumers at 41.5% during the first half of 2022. Unsurprisingly, the country prioritizes protecting critical information infrastructure (CIIs) against cyberthreats.

During the Singapore International Cyber Week 2022, Senior Minister and Coordinating Minister for National Security Teo Chee Hean emphasized the importance of CII cybersecurity as part of the country’s Total Defence initiative. To that end, he called for all operators to work with the Cyber Security Agency of Singapore (CSA) through joint initiatives to detect critical vulnerabilities and attacks and to reduce time to recovery.

Yet, with cyber threats showing no signs of slowing down, operators are under pressure to strengthen their defenses while continuing to provide essential services to their communities. To address this, critical information infrastructure operators (CIIOs) must implement strong identity security that controls the privileges each user holds, minimizing their exposure to attack.

The lack of OT security

Before the rise of digitalization, industrial control systems were typically isolated from the network: most operations and modifications were performed physically on site, which limited the attack surface available to attackers.

Today, the need to efficiently serve a growing population has led to utility services combining IT and OT functionalities, bringing previously unconnected tools onto the organization's network. This combination has expanded the set of weaknesses cyber attackers can exploit, for instance by escalating privileges to damage critical operations or steal sensitive data from the network.

Simultaneously, with the growing pervasiveness of mobile devices, utility service providers can now operate, update, and troubleshoot OT equipment more efficiently. However, this also presents cyberattackers with new opportunities to gain access through unguarded devices.

Out of necessity, utility services — including water treatment plants — have an added social responsibility when mitigating cyber risks. Operators need to manage access for employees and vendors in a way that does not expose their assets and processes to malicious threat actors.

Besides that, operators also need to be aware of, and avoid, common security mistakes, including:

  • Sharing administrator-level credentials for critical systems not utilized by average users, such as supervisory control and data acquisition (SCADA) solutions
  • Failing to store, manage and distribute credentials securely — including those for air-gapped systems
  • Using the same passwords for multiple accounts
  • Using an unsecured local area network (LAN), which can expose critical systems to the public Internet
  • Running outdated or unpatched legacy operating systems and software

Even in air-gapped OT environments, securing remote access remains vital to prevent attackers from piggybacking on authorized users' access paths and compromising their systems. Achieving this requires operators to safeguard credentials, control access provisioning and monitor sessions for suspicious activity.

It's a matter of zero trust

Due to these risks, the CSA has drafted guidelines for critical information infrastructure operators (CIIOs) to safeguard OT assets. CIIOs should adopt the least-privilege and zero-trust principles these guidelines promote to lower the risk of account compromise. Before putting such policies in place, however, CIIOs must keep an up-to-date inventory of all accounts to gain visibility into the permissions and the level of privilege assigned to each. From there, it is a matter of ensuring access rights follow the principles of least privilege and separation of duties.

This approach should be supported with multi-factor authentication (MFA) to enforce a "never trust, always verify" policy that denies threat actors easy access to the network.
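The account inventory review described above, together with the common mistakes listed earlier (shared SCADA admin credentials, password reuse, privileged access without MFA, conflicting duties on one account), can be turned into a repeatable check. The following is an added example, not code from the article or from CyberArk; the inventory rows, role names, separation-of-duties conflict pairs and credential fingerprints are all constructed for illustration.

```python
"""Audit an account inventory for least-privilege and separation-of-duties gaps.

Added example, not from the article or CyberArk. All data below is constructed;
'cred_fp' stands in for a salted hash of the stored credential, never the secret itself.
"""
from collections import defaultdict

# Role pairs one account must never hold together (constructed policy).
SOD_CONFLICTS = {frozenset({"operator", "change-approver"}),
                 frozenset({"admin", "auditor"})}
PRIVILEGED_ROLES = {"admin"}

# Constructed inventory export: one row per account, 'users' = people who know the credential.
INVENTORY = [
    {"account": "scada-admin", "system": "SCADA", "roles": {"admin"},
     "users": ["alice", "bob", "acme-vendor"], "mfa": False, "cred_fp": "fp-01"},
    {"account": "alice", "system": "HMI", "roles": {"operator"},
     "users": ["alice"], "mfa": True, "cred_fp": "fp-02"},
    {"account": "bob", "system": "historian", "roles": {"operator", "change-approver"},
     "users": ["bob"], "mfa": True, "cred_fp": "fp-03"},
    {"account": "acme-vendor", "system": "jump-host", "roles": {"admin"},
     "users": ["acme-vendor"], "mfa": False, "cred_fp": "fp-01"},
    {"account": "carol", "system": "HMI", "roles": {"read-only"},
     "users": ["carol"], "mfa": True, "cred_fp": "fp-04"},
]

def audit(inventory):
    """Return a sorted list of (account, finding) pairs for the policy gaps above."""
    findings = []
    by_fp = defaultdict(list)
    for row in inventory:
        by_fp[row["cred_fp"]].append(row["account"])
        privileged = bool(row["roles"] & PRIVILEGED_ROLES)
        # Admin-level credential known to more than one person (shared SCADA admin).
        if privileged and len(row["users"]) > 1:
            findings.append((row["account"], "shared privileged credential"))
        # Zero trust: privileged access must be backed by MFA.
        if privileged and not row["mfa"]:
            findings.append((row["account"], "privileged account without MFA"))
        # Separation of duties: one account holding both roles of a conflicting pair.
        for pair in SOD_CONFLICTS:
            if pair <= row["roles"]:
                findings.append((row["account"], "SoD conflict: " + "+".join(sorted(pair))))
    # Password reuse shows up as the same credential fingerprint on several accounts.
    for accounts in by_fp.values():
        if len(accounts) > 1:
            findings.extend((acct, "credential reused across accounts") for acct in accounts)
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit(INVENTORY):
        print(f"{account:12} {finding}")
```

In practice the inventory would be exported from the directory or privileged-access vault rather than hard-coded, and each finding would feed a remediation ticket.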

In cases where certain functions are outsourced to external or third-party vendors, CIIOs need to outline the responsibilities of both parties in managing cybersecurity risk. These include the type of access vendors have to the infrastructure and the right of the CIIO to audit their security postures and to monitor outsourced functions.

Users can strengthen their cybersecurity posture by choosing the right solutions without hampering operators' productivity and performance. In particular, identity security solutions enforce privileged access management by eliminating credential sprawl, no matter the environment. Access can be seamless yet secure and compliant with industry-recognized standards by centralizing all credentials in a single console.

For essential service providers like water treatment plants and power stations, greater attention must be given to maintaining operational continuity and reducing the impact of cyber threats. For this reason, operators need to adopt identity security, which provides the backbone for zero trust and comprehensive protection. Doing so reduces risk, strengthens cybersecurity and compliance, and ensures critical infrastructure operators and owners remain at the heart of the communities that rely on them.

Lim Teck Wee, area vice president for ASEAN, CyberArk, wrote this article.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.