CRITICAL INFRASTRUCTURE

Exploring New Networking and Cybersecurity Strategies

crit

This page is based on the article published December 2023. Click here. This page will continue to be developed to include new choices as they mature.

The definitions of Critical Infrastructures covered by the U.S. Government’s Cybersecurity Infrastructure and Security Agency (CISA), reveal the mind-bending breadth of its scope. What distinguishes the categories defined is the impact on wide areas of the population or on specific communities, “… should any of these infrastructures be incapacitated or destroyed.”

This page examines how evolving and related networking, security and business models create challenges and decisions for specific critical infrastructures. Instead of attempting to boil this ocean we address three important areas common to implementors and operators. They are:

    • Network ecosystem evolution – Network as a Service
    • Operational network business and security
    • Security – the basics that are still constantly ignored leading to high profile incidents

The Context: Distinguishing Critical Infrastructures

Looking at CISA’s list below, you will see why it‘s beyond this page’s scope to go into detail of any of the 16 sectors or 70+ interrelated sub- sectors served more than 80% by non-government organizations. These are covered in detail on the CISA site.

We have split the list into two groups. The first being where the effect is immediate and rapid response is most critical. The second group has less immediate impact but is also critical.

All are costly undertakings but what distinguishes the first group is that disablement is so much more impactful than even business cost. Making such infrastructures resilient to incapacitation encompasses architectural choices, holistic approaches, threat avoidance, prevention, and automated recovery. Some areas such as “smart cities” pharma companies are not covered but are also critical. The Dallas municipality cyberattack impacting the whole community comes to mind. Those relying on IoT/IIoT devices requiring phys- ical device security are especially vulnerable and open to human error.

Caution is required when looking at approaches based on thinking that predates Cloud proliferation,  modern IoT systems, distributed workforces, connected supply chains, current network infrastructures, COVID-19 and state-sponsored cyberattack.

CISA-Defined Sectors Sub-Sectors Where Very Fast Response Is Required to Protect Life Include
Dams Management, water retention, control, and energy conversion systems, etc.
Defense Location infrastructure systems, communications systems
Emergency services Law enforcement, fire, rescue, emergency medical services
Energy Electrical generation, grid systems, oil refineries, pipelines, natural gas, wind, solar
Healthcare, public health Hospitals, epidemic prevention & treatment, etc.
Nuclear sector Active, test reactors, medical products & waste management
Transportation systems ighways & traffic management, road delivery & hazardous material transport; rail passenger, freight networks, stations
Water and wastewater Capture, purification, storage, distribution of water & wastewater
CISA-Defined Sectors Supporting Infrastructure
Communications Undersea, satellite & terrestrial, dedicated & Internet networks. 5G, fiber, microwave & copper, access networks, Wi-Fi
Information technology IT systems, data center, Cloud, edge, applications software, networks
CISA-Defined Sectors Sub-Sectors Where Measured Response Is Required
Chemical Basic, specialty, agricultural, consumer products
Commercial facilities Entertainment, hotels, casinos, lodging, malls, outdoor events
Critical manufacturing Machinery, electrical & transportation equipment
Food and agriculture Farming, food distribution, retail stores
Government facilities Federal, state, local government education, law offices
Financial services Financial management, money storage, transfers
Reported Recent Threats by SectorReported Critical Infrastructure Events: Q4 2023 onward. Last updated September 2024.
CI: General
Commercial facilities:
Hotels & Casinos
Energy:
Nuclear, Wind, Renewable, Electricity  sector
Health Care
  • McLaren Health Care data breach impacts 2.2 million people. (Dec 23)
  • Notron healthcare (Kentucky) – 2.5 million patient security breach. (revealed Dec 23)
  • Change Healthcare breach impacts one third of the U S population. Ransom of $22m paid. Details. (March 2024)
  • Ascension Healthcare’s 140 hosptials in 19 states have patient treatment and  information severely compromised. See article.
Telecom
  • Escalating Global Risk Environment for Submarine Cables.  (Dec 23)
  •  CNN reported that several cables in the Red Sea have been cut impacting 25% of Internet traffic between Asia and Europe. (March 2024)
Transport:
Aircraft
  • Fears of aircraft system penetration. (Nov 23)
Transport:
Rail Security
Transport:
Shipping
Water

Critical Decisions:
Business Needs for Network as a Service

Changes driven by focus on their mission-critical applications are required by enterprises. They no longer have the resources or time to build handcrafted, complex networks.

These requirements include:

  • On-demand, services purchased via portals, consumption- based billing without lock-in.
  • Seamless access to multi-Cloud workloads and apps located
  • Agnostic to infrastructure technologies and providers, performance, and security sensitive.
  • Business aware to cope with M&A, policy shifts and
  • Integrity of real-time operational networks that serve its

2024 will decide how critical infrastructure organizations will reshape their networks based on how Cloud/Service Providers and Supplier/Integrators respond to these needs.

Enter the new Network as a Service. Services offered will vary to match the capabilities and end user organizational requirements, resources, and capabilities. New forms of Managed Services, Infrastructure as a Service and Platform as a Service will help end users feel secure in delegating to their various partners. It will be essential to always look beyond the marketing jargon to verify that functions offered actually meet your needs without having to pay for service functions that you do not want. This work is being developed within ONUG.net’s NaaS working group.

What will the likely next phase of the network look like?

This shift is shown below but providers & integrators will market their own version. The important thing is the shift that began with data center centric to Cloud and network ecosystem is beginning its journey to a new Network as a Service model. This will be inherently more secure than the everything-to-everything connectivity with almost unlimited attack surfaces. The diagram was inspired by our work in the ONUG Collaborative

Marrying Business and Network Requirements

These changes will shape how applications and networks are architected and managed, shielding enterprises from the implementations. Three important decisions to be addressed are:

  • Will new architectures meet the business drivers with system integrity and save OpEx cost?
  • Can this architecture avoid insecure connection to IoT devices via Internet, Cloud-based or other servers beyond the operational networks? Hence the separate connection from OT Networks in the diagram.
  • Companies such as Cisco/Splunk, Zscaler, and Verizon will play important roles here, but inspection of the actual functions offered will be important.

Critical Decisions:
Critical Infrastructure Operational Integrity

Some more practical considerations:

As National Transport Safety Board chair Jennifer Homendy said earlier this year of the Ohio rail incident: there is no such thing as accidents and it was 100% preventable. Was this a system and networking failure? Having a trackside generated alarms-only based system not an alert and alarm threshold system with no single point of network failure was a recipe for the disaster that happened. I would hope that after-the-fact other ideas were explored. 

Fiber optic networks are expanding, yet the pace of implementation is too slow and the prospect of $60k to $80k per mile fiber installation is daunting. Without commercial viability, critical infrastructure systems cannot function, no matter how severe the impact of their incapacitation.

To address both concerns, adoption of the latest hybrid fiber-copper infrastructure in airport, Smart City, and rail network infrastructures is growing. Fiber/copper can now transmit at fiber speeds, can be instantaneously available as copper is often already in place, provide failover with fiber installations, and provide power for remote monitoring devices. This was addressed in the context of expanding broadband network reach with Actelis in the ISE Magazine article published a year ago. This important trend is of great benefit throughout critical infrastructures.

Cybersecurity Evolution

The migration to Cloud and hybrid models is a two-edge sword, creating new attack surfaces and Internet connectivity. The days of defending the data center as the principal concern of cybersecurity are long gone. Applying the Zero Trust principles of “Never Trust, Always Verify” in the network, for software suppliers and in the organization is a necessity. Thanks to CISA and the SEC, this has become a corporate imperative.

Physical or virtual separation between Information and Operation Technology networks is a big step in the development and protection of your critical infrastructure.
Last but not least, Network as a Service has the potential to reduce the attack surface by harmonizing identity management and authentication. Importantly, it will also lessen the expertise and security work and cost for enterprises—a big advantage. However, it will never remove their overall responsibility to properly delegate to suppliers.

Critical Decisions:
Cybersecurity Best Practices

  • Almost every breach or ransomware attack can be traced back
    to lack of board oversight, accountability, and lack of understanding
    of holistic cybersecurity. That applies to security
    software companies too! In fact, if IT-based defense is the only
    defense, it ends in tears. The recent high profile MGM Resorts
    incident likely had multiple weak links but began with lack of
    board imperative and expertise and yes, hotels and casinos are
    in the Commercial Facilities category

Basic Critical Actions to Reduce Risk

  1. Ensure that all these are covered, strengthening weak links, and dramatically reducing risks.
  2. A holistic cybersecurity approach for whole organization, contractors
    and beyond. Have the board implement a security policy and step-by-step strategy to strengthen each weak link.
  3. Curate all critical assets and test resilience. Encrypt all data, network configurations and customer info. Test air-gapped backups in case live data is rendered inoperable or re-encrypted.
  4. Employ micro-segmentation to separate and protect data. Automate all software updates.
  5. Access is via multifactor authentication using passkeys rather than usernames/passwords, verified with identity management and with no access from non-company devices.
  6. Insider threat, social engineering strategies, training and least privilege access must be in place.
  7. Installed phishing, malware, elevation of privilege, lateral movement prevention is in place.
  8. Adopt Zero Trust principles of Identity and Authentication, access control, least privilege, automated monitoring including blocking of non-typical user behavior.
  9. Be cybersecurity threat-aware, map out avoidance and prevention
    tasks, automate everywhere.
  10. Know that all software (especially security software) is not trusted but verified using our Verified Delegation Methodology 
  11. Continually assess your security posture, measure progress, take new actions.
  12. Comply with new SEC rules, with clear documentation
    demonstrating your security policy is thorough and implemented.
    See the “Security as a Service” page for many more details.

Critical Infrastructure:
Operational Technology Cybersecurity Specifics

  • Ensure that the organization’s Security Policy calls out protection of specific OT areas to address.
  • Virtually air-gapping of OT from IT networks is challenging since it’s not easy to isloate all outside connections or ensure that externally hosted software is secure.. 
  • Use Zero Trust techniques to create trusted routes. 
  • Use of packet fragmentation over multiple physical paths.
  • Llimiting access to users and software that have insufficient privilege or fail identity and authorization checks to access remote devices.
  • Microsoft’s 2023 Security Report found 71% of IoT devices are vulnerable, 46% can’t be patched, and 21% use obsolete operating systems. I.e., total physical or virtual separation of Operational Networks from the Internet is essential.
  • The ability to intercept video, traffic sensors are seen in movies but video recordings can also be disabled by techniques that bury malware in H264 encoded video files.
  • ASCON lightweight cryptography for IoT devices was selected by the U.S. Government earlier this year. Look for early deployment of implementations now becoming available.
    These will supersede the need to use layer 2 encryption protocols such as the IEEE’s MACsec which has had limited uptake.

Address the Top Four OT Threats

  1. Eliminate external remote access to elements that are part of the same trusted domain. 
  2. Use Zero Trust to limit access to verified, known applications.
  3. Remove any access to IoT devices via the Internet.
  4. Properly curate all IoT devices eliminating those cannot be protected, updated or isolated. 
Final Thoughts

We have addressed a monster topic, with the intention of providing guidance on three critical areas: network evolution choices, operational networks, and overall security. We hope you found it valuable—even if just one or two weak links are strengthened—as you take the next steps in your network and cybersecurity journey to prevent incapacitation of your critical infrastructure network.

Acknowledgements

This work draws from many sources including the U.S. government’s ongoing work by CISA on Critical Infrastructures, lightweight encryption definitions (February 2023), Microsoft’s analysis of IoT vulnerabilities (October 2023) . In 2024 this work has been contributed to The Cloud Security Alliance Zero Trust Working group, to the ONUG.net NaaS and OT projects working groups. It draws upon work from and with with networking company Actelis, from contributors to the Cloud Security Alliance, from countless articles and work on holistic cybersecurity in 2023-2024.