Critical Infrastructure, Critical Decisions

Dec. 11, 2023
Cybersecurity expert Mark Fishburn’s guidance on network evolution choices, operational networks, and overall security of Critical Infrastructure.

An in-depth look at network evolution choices, operational networks, and overall security in critical infrastructures.

When you examine the definitions of Critical Infrastructures [1] covered by the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), you see the mind-bending breadth of its scope. What distinguishes the categories defined is the impact on wide areas of the population or on specific communities, “... should any of these infrastructures be incapacitated or destroyed.”

This article examines how evolving and related networking, security and business models create challenges and decisions for specific critical infrastructures. Instead of attempting to boil this ocean, we address three important areas common to implementors and operators. They are:

  • Network ecosystem evolution – Network as a Service.
  • Operational network business and security challenges.
  • Security – the basics that are still routinely ignored, leading to high-profile incidents.


The Context: Distinguishing Critical Infrastructures

Looking at CISA’s list (see Figure 1), you will see why it’s beyond this article’s scope to go into detail on any of the 16 sectors or 70+ interrelated subsectors, more than 80% of which are served by non-government organizations.

We have split the list into two groups. The first is where the effect is immediate and rapid response is most critical. The second group has less immediate impact but is also critical.

All are costly undertakings, but what distinguishes the first group is that disablement is far more impactful than even the business cost. Making such infrastructures resilient to incapacitation encompasses architectural choices, holistic approaches, threat avoidance, prevention, and automated recovery. Some areas, such as “smart cities” and pharma companies, are not covered here but are also critical. The Dallas municipality cyberattack impacting the whole community comes to mind. Those relying on IoT/IIoT devices that require physical device security are especially vulnerable and open to human error.

Caution is required when looking at approaches based on thinking that predates Cloud proliferation, modern IoT systems, distributed workforces, connected supply chains, current network infrastructures, COVID-19 and state-sponsored cyberattacks.

Critical Decisions: Business Needs for Network as a Service

Enterprises require changes driven by a focus on their mission-critical applications. They no longer have the resources or time to build handcrafted, complex networks. These requirements include:

  • On-demand services purchased via portals, with consumption-based billing and no lock-in.
  • Seamless access to multi-Cloud workloads and apps located anywhere.
  • Agnostic to infrastructure technologies and providers, yet performance- and security-sensitive.
  • Business aware to cope with M&A, policy shifts and migration.
  • Integrity of the real-time operational networks that serve their customers.

2024 will decide how critical infrastructure organizations will reshape their networks based on how Cloud/Service Providers and Supplier/Integrators respond to these needs.

Enter the new Network as a Service. Services offered will vary to match end-user organizations’ requirements, resources, and capabilities. New forms of Managed Services, Infrastructure as a Service and Platform as a Service will help end users feel secure in delegating to their various partners. It will be essential to always look beyond the marketing jargon to verify that the functions offered actually meet your needs, without having to pay for service functions that you do not want.

What will the likely next phase of the network look like?

This shift is shown in Figure 2, but all the providers and integrators will market their own version reflecting their positioning. The important thing is that the shift, which began with the move from data-center-centric architectures to a Cloud and network ecosystem, is now beginning its journey to a new Network as a Service model. This will be inherently more secure than everything-to-everything connectivity with its almost unlimited attack surface.

Marrying Business and Network Requirements

These changes will shape how applications and networks are architected and managed, shielding enterprises from the implementation details. Three important points to be addressed are:

  • Will new architectures meet the business drivers with system integrity and save OpEx cost?
  • Can this architecture avoid insecure connections to IoT devices via the Internet, Cloud-based or other servers beyond the operational networks?
  • Companies such as Cisco, Splunk, Zscaler, and Verizon will play important roles here, but inspection of the actual functions offered will be essential.


Critical Decisions: Critical Infrastructure Operational Integrity

Some more practical considerations:

  • As National Transportation Safety Board chair Jennifer Homendy said earlier this year of the Ohio rail incident: there is no such thing as accidents and it was 100% preventable. Was this a system and networking failure? Relying on a trackside, alarm-only system, rather than an alert-and-alarm threshold system with no single point of network failure, was a recipe for the disaster that happened. I would hope that after-the-fact other ideas were explored. Fiber optic networks are expanding, yet the pace of implementation is too slow and the prospect of $60k to $80k per mile for fiber installation is daunting. Without commercial viability, critical infrastructure systems cannot function, no matter how severe the impact of their incapacitation.
  • To address both concerns, adoption of the latest hybrid fiber-copper infrastructure in airport, Smart City, and rail network infrastructures is growing. Fiber/copper can now transmit at fiber speeds, can be instantaneously available because copper is often already in place, provides failover for fiber installations, and provides power for remote monitoring devices. This was addressed in the context of expanding broadband network reach with Actelis in the ISE Magazine article published a year ago [2]. This important trend is of great benefit throughout critical infrastructures.

Cybersecurity Evolution

The migration to Cloud and hybrid models is a two-edged sword, creating new attack surfaces and Internet connectivity. The days of defending the data center as the principal concern of cybersecurity are long gone. Applying the Zero Trust principle of “Never Trust, Always Verify” in the network, for software suppliers and in the organization is a necessity. Thanks to CISA and the SEC, this has become a corporate imperative. Physical or virtual separation between Information Technology and Operational Technology networks is a big step in the development and protection of your critical infrastructure.

Last but not least, Network as a Service has the potential to reduce the attack surface by harmonizing identity management and authentication. Importantly, it will also reduce the expertise, security work, and cost required of enterprises—a big advantage. However, it will never remove their overall responsibility to properly delegate to suppliers.

Critical Decisions: Cybersecurity Best Practices

Almost every breach or ransomware attack can be traced back to a lack of board oversight, accountability, and understanding of holistic cybersecurity. That applies to security software companies too! In fact, if IT-based defense is the only defense, it ends in tears. The recent high-profile MGM Resorts incident likely had multiple weak links, but it began with a lack of board imperative and expertise. And yes, hotels and casinos are in the Commercial Facilities category.

Basic Critical Actions to Reduce Risk

Ensure that all of these are covered, strengthening weak links and dramatically reducing risk.

  • A holistic cybersecurity approach for the whole organization, contractors and beyond. Have the board implement a security policy and a step-by-step strategy to strengthen each weak link.
  • Curate all critical assets and test resilience. Encrypt all data, network configurations and customer info. Test air-gapped backups in case live data is rendered inoperable or re-encrypted. Employ micro-segmentation to separate and protect data. Automate all software updates.
  • Access is via multifactor authentication using passkeys rather than usernames/passwords, verified against identity management, with no access from non-company devices.
  • Insider threat and social engineering strategies, training, and least-privilege access must be in place.
  • Prevention for phishing, malware, elevation of privilege, and lateral movement is installed and in place.
  • Adopt the Zero Trust principles of identity and authentication, access control, least privilege, and automated monitoring, including blocking of non-typical user behavior.
  • Be cybersecurity threat aware, map out avoidance and prevention tasks, and automate everywhere.
  • Know that all software (especially security software) is not trusted but verified, using our Verified Delegation Methodology (see Topic References below).
  • Continually assess your security posture, measure progress, and take new actions.
  • Comply with the new SEC rules, with clear documentation demonstrating that your security policy is thorough and implemented.
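The access items in the checklist above (passkey-based MFA, no access from non-company devices, least privilege, and blocking of non-typical user behavior) are policy decisions that can be expressed as code. The following is an added example, not code from the article or from cybyr.com: a small Zero Trust decision function that applies every one of those checks to each request and denies on the first failure. The roles, resources, user baselines and sample requests are all constructed for the illustration.

```python
"""Zero Trust access decision over constructed sample requests (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed least-privilege role map: the only resources each role may reach.
ROLE_PERMISSIONS = {
    "scada-operator": {"hmi-console", "historian-read"},
    "it-admin": {"ad-console", "patch-server"},
    "auditor": {"historian-read", "siem-dashboard"},
}

# Constructed behavioural baseline per user: usual login hours (UTC) and countries.
BASELINES = {
    "alice": {"hours": range(6, 19), "countries": {"US"}},
    "bob": {"hours": range(20, 24), "countries": {"US", "CA"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    auth_method: str      # "passkey" or "password"
    device_managed: bool  # True only for company-enrolled devices
    hour_utc: int
    country: str


def is_typical_behaviour(req: AccessRequest) -> bool:
    """Compare the request against the user's baseline; unknown users are atypical."""
    base = BASELINES.get(req.user)
    if base is None:
        return False
    return req.hour_utc in base["hours"] and req.country in base["countries"]


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass: never trust, always verify."""
    if req.auth_method != "passkey":
        return False, "deny: passkey MFA required, got %s" % req.auth_method
    if not req.device_managed:
        return False, "deny: access from non-company device"
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "deny: role %s lacks privilege for %s" % (req.role, req.resource)
    if not is_typical_behaviour(req):
        return False, "deny: non-typical behaviour (hour=%d, country=%s)" % (
            req.hour_utc, req.country)
    return True, "allow"


# Constructed sample requests: one that satisfies every check, then one per failure.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "scada-operator", "hmi-console", "passkey", True, 10, "US"),
    AccessRequest("alice", "scada-operator", "ad-console", "passkey", True, 10, "US"),
    AccessRequest("bob", "it-admin", "patch-server", "password", True, 21, "US"),
    AccessRequest("bob", "it-admin", "patch-server", "passkey", False, 21, "CA"),
    AccessRequest("bob", "it-admin", "patch-server", "passkey", True, 3, "US"),
]


def audit(requests: List[AccessRequest]) -> List[Tuple[str, bool, str]]:
    """Evaluate every request and return (user, allowed, reason) for each."""
    return [(r.user, *evaluate(r)) for r in requests]


if __name__ == "__main__":
    for user, allowed, reason in audit(SAMPLE_REQUESTS):
        print("%-6s %-5s %s" % (user, "ALLOW" if allowed else "DENY", reason))
```

The order of the checks matters for what the denial reason reveals: authentication and device posture are verified before any role lookup, so a request from an unenrolled device never learns which resources a role can reach. The behaviour check is deliberately last, since it is the noisiest signal and the one most likely to need tuning against real baselines.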

See my "Security as a Service" page for many more details [3].

Complement These with Critical Infrastructure Security Specifics

  • Use Zero Trust techniques to create trusted routes. Use packet fragmentation over multiple physical paths, and deny access to remote devices to any user or software that has insufficient privilege or fails identity and authorization checks.
  • Microsoft’s 2023 Security Report [4] found that 71% of IoT devices are vulnerable, 46% can’t be patched, and 21% use obsolete operating systems. In other words, total physical or virtual separation of Operational Networks from the Internet is essential.
  • Interception of video and traffic sensors is seen in movies, but video recordings can also be disabled by techniques that bury malware in H.264-encoded video files.
  • ASCON lightweight cryptography for IoT devices was selected by the U.S. Government earlier this year. Look for early deployment of the implementations now becoming available. These will supersede the need for layer 2 encryption protocols such as the IEEE’s MACsec, which has had limited uptake.


Final Thoughts

We have addressed a monster topic, in fact several monster topics! The intention was to provide some valuable guidance on three of the most critical topics: network evolution choices, operational networks, and overall security.

We hope you found it valuable—even if just one or two weak links are strengthened—as you plan and implement the next steps in your network and cybersecurity journey to prevent incapacitation of your critical infrastructure network. Your feedback and requests for more information are greatly appreciated.


TOPIC REFERENCES

About the Author

Mark Fishburn | Provider of Strategic Network, Cybersecurity and Marketing Services

Mark is CEO of cybyr.com and has five decades of experience in software, networking, and security. He is a member of ONUG, MEF and CSA network and security working groups, a CISA contributor, and publisher of the holistic cybersecurity book Hey Who Left The Back Door Open? For more information, or to give feedback, email [email protected] or follow him on LinkedIn.