Exploring New Networking and Cybersecurity Strategies
The definitions of Critical Infrastructure maintained by the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA) reveal the mind-bending breadth of its scope. What distinguishes the defined categories is the impact on wide areas of the population or on specific communities, “… should any of these infrastructures be incapacitated or destroyed.”
This page examines how evolving and related networking, security and business models create challenges and decisions for specific critical infrastructures. Instead of attempting to boil this ocean, we address three important areas common to implementors and operators. They are:
- Network ecosystem evolution – Network as a Service
- Operational network business and security
- Security – the basics that are still constantly ignored leading to high profile incidents
The Context: Distinguishing Critical Infrastructures
Looking at CISA’s list below, you will see why it’s beyond this page’s scope to go into detail on any of the 16 sectors or 70+ interrelated sub-sectors, more than 80% of which are served by non-government organizations. These are covered in detail on the CISA site.
We have split the list into two groups. The first is where the effect is immediate and rapid response is most critical. The second group has less immediate impact but is also critical.
All are costly undertakings, but what distinguishes the first group is that disablement is so much more impactful than even the business cost. Making such infrastructures resilient to incapacitation encompasses architectural choices, holistic approaches, threat avoidance, prevention, and automated recovery. Some areas, such as “smart cities” and pharma companies, are not covered here but are also critical. The Dallas municipality cyberattack impacting the whole community comes to mind. Those relying on IoT/IIoT devices requiring physical device security are especially vulnerable and open to human error.
Caution is required when looking at approaches based on thinking that predates Cloud proliferation, modern IoT systems, distributed workforces, connected supply chains, current network infrastructures, COVID-19 and state-sponsored cyberattack.
| CISA-Defined Sectors | Sub-Sectors Where Very Fast Response Is Required to Protect Life Include |
| --- | --- |
| Communications | Undersea, satellite & terrestrial, dedicated & Internet networks. 5G, fiber, microwave & copper, access networks, Wi-Fi |
| Dams | Management, water retention, control, and energy conversion systems, etc. |
| Defense | Location infrastructure systems, communications systems |
| Emergency services | Law enforcement, fire, rescue, emergency medical services |
| Energy | Electrical generation, grid systems, oil refineries, pipelines, natural gas, wind, solar |
| Financial services | Financial management, money storage, transfers |
| Information technology | IT systems, data center, Cloud, edge, applications software, networks |
| Nuclear sector | Active, test reactors, medical products & waste management |
| Transportation systems | Aircraft, traffic control, airports, highways & traffic management, road delivery & hazardous material transport; rail passenger, freight networks, stations |
| CISA-Defined Sectors | Sub-Sectors Where Measured Response Is Required |
| --- | --- |
| Chemical | Basic, specialty, agricultural, consumer products |
| Commercial facilities | Entertainment, lodging, malls, outdoor events |
| Critical manufacturing | Machinery, electrical & transportation equipment |
| Food and agriculture | Farming, food distribution, retail stores |
| Government facilities | Federal, state, local government education, law offices |
| Healthcare, public health | Hospitals, epidemic prevention & treatment, etc. |
| Water and wastewater | Capture, purification, storage, distribution of water & wastewater |
| Reported Recent Threats by Sector | Recently reported Critical Infrastructure events: Q4 2023 |
| --- | --- |
| Commercial facilities: Hotels & Casinos | MGM Resorts, Sept/October 2023 |
| Transport: Rail Security | Rolling stock security by Siemens |
| Transport: Aircraft | Fears of aircraft system penetration |
| Transport: Rail Security | TSA revises rail cybersecurity |
| Health Care | McLaren Health Care data breach impacts 2.2 million people |
| Water | Philadelphia Water Treatment. Internet-connected IoT devices attacked by threat actors. |
| Transport: Shipping | Australian ports hit |
| Energy: Nuclear sector | Breach of 5700 employee credentials at US nuclear facility |
| Telecommunications | Escalating Global Risk Environment for Submarine Cables |
More to follow here. This section will be expanded to highlight and reference Critical Infrastructure threats and developments as they occur.
Business Needs for Network as a Service
Enterprises need changes driven by a focus on their mission-critical applications. They no longer have the resources or time to build handcrafted, complex networks.
These requirements include:
- On-demand services purchased via portals, consumption-based billing without lock-in.
- Seamless access to multi-Cloud workloads and apps located
- Agnostic to infrastructure technologies and providers, performance, and security sensitive.
- Business aware to cope with M&A, policy shifts and
- Integrity of real-time operational networks that serve its
2024 will decide how critical infrastructure organizations will reshape their networks based on how Cloud/Service Providers and Supplier/Integrators respond to these needs.
Enter the new Network as a Service. Services offered will vary to match end-user organizational requirements, resources, and capabilities. New forms of Managed Services, Infrastructure as a Service and Platform as a Service will help end users feel secure in delegating to their various partners. It will be essential to always look beyond the marketing jargon to verify that the functions offered actually meet your needs, without having to pay for service functions that you do not want. This work is being developed within ONUG.net’s NaaS working group.
What will the likely next phase of the network look like?
This shift is shown in Figure 2, but all the providers and integrators will market their own version reflecting their positioning. The important thing is that the shift, which began with the move from data-center-centric designs to Cloud and network ecosystems, is now beginning its journey to a new Network as a Service model. This will be inherently more secure than everything-to-everything connectivity with its almost unlimited attack surface.
Marrying Business and Network Requirements
These changes will shape how applications and networks are architected and managed, shielding enterprises from the implementations. Three important decisions to be addressed are:
- Will new architectures meet the business drivers with system integrity and save OpEx cost?
- Can this architecture avoid insecure connection to IoT devices via Internet, Cloud-based or other servers beyond the operational networks?
- Companies such as Cisco/Splunk, Zscaler, and Verizon will play important roles here, but inspection of the actual functions offered will be important.
Critical Infrastructure Operational Integrity
Some more practical considerations:
As National Transportation Safety Board chair Jennifer Homendy said earlier this year of the Ohio rail incident: there is no such thing as accidents and it was 100% preventable. Was this a system and networking failure? Having a trackside, alarm-only system, rather than an alert-and-alarm threshold system with no single point of network failure, was a recipe for the disaster that happened. I would hope that after the fact other ideas were explored.
Fiber optic networks are expanding, yet the pace of implementation is too slow and the prospect of $60k to $80k per mile fiber installation is daunting. Without commercial viability, critical infrastructure systems cannot function, no matter how severe the impact of their incapacitation.
To address both concerns, adoption of the latest hybrid fiber-copper infrastructure in airport, Smart City, and rail network infrastructures is growing. Fiber/copper can now transmit at fiber speeds, can be instantaneously available as copper is often already in place, provide failover with fiber installations, and provide power for remote monitoring devices. This was addressed in the context of expanding broadband network reach with Actelis in the ISE Magazine article published a year ago. This important trend is of great benefit throughout critical infrastructures.
The migration to Cloud and hybrid models is a two-edged sword, creating new attack surfaces and Internet connectivity. The days of defending the data center as the principal concern of cybersecurity are long gone. Applying the Zero Trust principle of “Never Trust, Always Verify” in the network, for software suppliers and in the organization is a necessity. Thanks to CISA and the SEC, this has become a corporate imperative.
Physical or virtual separation between Information and Operation Technology networks is a big step in the development and protection of your critical infrastructure.
Last but not least, Network as a Service has the potential to reduce the attack surface by harmonizing identity management and authentication. Importantly, it will also lessen the expertise and security work and cost for enterprises—a big advantage. However, it will never remove their overall responsibility to properly delegate to suppliers.
Cybersecurity Best Practices
- Almost every breach or ransomware attack can be traced back to lack of board oversight, accountability, and lack of understanding of holistic cybersecurity. That applies to security software companies too! In fact, if IT-based defense is the only defense, it ends in tears. The recent high-profile MGM Resorts incident likely had multiple weak links but began with lack of board imperative and expertise, and yes, hotels and casinos are in the Commercial Facilities category.
Basic Critical Actions to Reduce Risk
- Ensure that all these are covered, strengthening weak links, and dramatically reducing risks.
- A holistic cybersecurity approach for the whole organization, contractors and beyond. Have the board implement a security policy and step-by-step strategy to strengthen each weak link.
- Curate all critical assets and test resilience. Encrypt all data, network configurations and customer info. Test air-gapped backups in case live data is rendered inoperable or re-encrypted.
- Employ micro-segmentation to separate and protect data. Automate all software updates.
- Access is via multifactor authentication using passkeys rather than usernames/passwords, verified with identity management and with no access from non-company devices.
- Insider threat, social engineering strategies, training and least privilege access must be in place.
- Phishing, malware, elevation-of-privilege and lateral-movement prevention is installed and in place.
- Adopt Zero Trust principles of Identity and Authentication, access control, least privilege, automated monitoring including blocking of non-typical user behavior.
- Be cybersecurity threat aware, map out avoidance and prevention tasks, automate everywhere.
- Know that all software (especially security software) is not trusted but verified, using our Verified Delegation Methodology.
- Continually assess your security posture, measure progress, take new actions.
- Comply with new SEC rules, with clear documentation demonstrating your security policy is thorough and implemented.
See the “Security as a Service” page for many more details.
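Three of the actions above (passkey-only multifactor authentication, no access from non-company devices, and automated blocking of non-typical user behavior) can be checked mechanically against an authentication log. The following is an added example, not code from the original page or from any product it mentions: it learns a per-user baseline (usual countries, devices and login-hour window) from an initial trusted period and then applies the policy gates plus a deviation threshold to later logins. The log format, the field names and every log line are constructed for this illustration.

```python
"""Added example, not from the original page: policy gates plus a
non-typical-behaviour check over a constructed authentication log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2023-11-06T08:12:03Z user=alice country=US device=LAPTOP-A1 mfa=passkey managed=yes
2023-11-07T09:40:11Z user=alice country=US device=LAPTOP-A1 mfa=passkey managed=yes
2023-11-08T18:03:45Z user=alice country=US device=LAPTOP-A1 mfa=passkey managed=yes
2023-11-06T10:05:00Z user=bob country=CA device=LAPTOP-B7 mfa=passkey managed=yes
2023-11-07T11:15:00Z user=bob country=US device=LAPTOP-B7 mfa=passkey managed=yes
2023-11-20T03:17:22Z user=alice country=RO device=UNKNOWN-9 mfa=passkey managed=yes
2023-11-20T09:30:00Z user=bob country=US device=LAPTOP-B7 mfa=password managed=yes
2023-11-21T10:00:00Z user=bob country=US device=PHONE-X mfa=passkey managed=no
2023-11-21T12:00:00Z user=alice country=US device=LAPTOP-A1 mfa=passkey managed=yes
2023-11-22T14:00:00Z user=carol country=US device=LAPTOP-C2 mfa=passkey managed=yes
"""


def parse_log(text):
    """Parse each line into a dict; the timestamp becomes a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events, cutoff):
    """Learn each user's usual countries, devices and login hours from the
    events before `cutoff` (the learning window is assumed to be trusted)."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ev in events:
        if ev["ts"] < cutoff:
            b = base[ev["user"]]
            b["countries"].add(ev["country"])
            b["devices"].add(ev["device"])
            b["hours"].add(ev["ts"].hour)
    return dict(base)


def evaluate(ev, baseline):
    """Return (decision, reasons, deviations). Policy gates deny outright;
    two or more simultaneous deviations from the baseline count as
    non-typical behaviour and are also denied (a single one is only recorded)."""
    reasons, deviations = [], []
    if ev["mfa"] != "passkey":
        reasons.append("mfa-not-passkey")
    if ev["managed"] != "yes":
        reasons.append("non-company-device")
    b = baseline.get(ev["user"])
    if b is None:
        reasons.append("no-baseline-for-identity")
    else:
        if ev["country"] not in b["countries"]:
            deviations.append("unusual-country")
        if ev["device"] not in b["devices"]:
            deviations.append("new-device")
        if not min(b["hours"]) <= ev["ts"].hour <= max(b["hours"]):
            deviations.append("unusual-hour")
        if len(deviations) >= 2:
            reasons.append("non-typical-behaviour")
    return ("deny" if reasons else "allow"), reasons, deviations


def triage(log_text, cutoff_iso):
    """Baseline on everything before the cutoff, evaluate everything after it.
    Each result row is (user, timestamp, decision, reasons, deviations)."""
    cutoff = datetime.strptime(cutoff_iso, "%Y-%m-%dT%H:%M:%SZ")
    events = parse_log(log_text)
    baseline = build_baseline(events, cutoff)
    return [(ev["user"], ev["ts"].isoformat()) + evaluate(ev, baseline)
            for ev in events if ev["ts"] >= cutoff]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "2023-11-15T00:00:00Z"):
        print(row)
```

Run as written, the two weeks before 2023-11-15 form the baseline; the later rows show a hard denial for a password login and for an unmanaged phone, a denial of alice’s night-time login from a new country on an unknown device (three deviations at once), an allow for her normal login, and a denial for an identity with no history. The deviation threshold is the tunable part: a single new device is logged rather than blocked, which is what keeps this kind of check usable without drowning operators in false positives.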
Operational Technology Cybersecurity Specifics
- Ensure that the organization’s Security Policy calls out protection of specific OT areas to address
- Use Zero Trust techniques to create trusted routes. Use packet fragmentation over multiple physical paths, and deny access to remote devices for users and software that have insufficient privilege or fail identity and authorization checks.
- Microsoft’s 2023 Security Report found 71% of IoT devices are vulnerable, 46% can’t be patched, and 21% use obsolete operating systems. Hence, total physical or virtual separation of Operational Networks from the Internet is essential.
- Interception of video and traffic sensors is seen in movies, but video recordings can also be disabled by techniques that bury malware in H.264-encoded video files.
- ASCON lightweight cryptography for IoT devices was selected by the U.S. Government earlier this year. Look for early deployment of implementations now becoming available. These will supersede the need to use layer 2 encryption protocols such as the IEEE’s MACsec, which has had limited uptake.
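To make the ASCON item concrete, here is an added example that is not code from the original page and not the Ascon designers’ reference implementation: a compact pure-Python Ascon-128 (the v1.2 parameter set NIST selected in 2023; the parameters in the later NIST standard differ) showing what the lightweight AEAD produces for a device telemetry record: a ciphertext the same length as the plaintext plus a 16-byte tag that also covers unencrypted associated data such as a device identifier. The 320-bit state, round constants, S-box and rotation amounts follow the v1.2 specification; the sample key, nonce and message are constructed. It is an illustration of the algorithm, not a vetted library.

```python
"""Added example, not from the original page: Ascon-128 (v1.2) AEAD in
pure Python, written for readability rather than speed."""
import hmac

MASK = (1 << 64) - 1
IV_ASCON128 = 0x80400C0600000000  # k=128, r=64, a=12, b=6 rounds
ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5,
                   0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]


def _ror(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def _permute(s, rounds):
    """Ascon permutation p^rounds on a state of five 64-bit words."""
    x0, x1, x2, x3, x4 = s
    for c in ROUND_CONSTANTS[12 - rounds:]:
        x2 ^= c                                   # constant addition
        x0 ^= x4; x4 ^= x3; x2 ^= x1              # substitution layer (bit-sliced 5-bit S-box)
        t0, t1, t2, t3, t4 = ~x0 & x1, ~x1 & x2, ~x2 & x3, ~x3 & x4, ~x4 & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
        x0 ^= _ror(x0, 19) ^ _ror(x0, 28)         # linear diffusion layer
        x1 ^= _ror(x1, 61) ^ _ror(x1, 39)
        x2 ^= _ror(x2, 1) ^ _ror(x2, 6)
        x3 ^= _ror(x3, 10) ^ _ror(x3, 17)
        x4 ^= _ror(x4, 7) ^ _ror(x4, 41)
    return [x0, x1, x2, x3, x4]


def _blocks(data):
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def _pad(data):
    """10* padding up to the 8-byte rate; an aligned input still gets a full pad block."""
    return data + b"\x80" + b"\x00" * (7 - len(data) % 8)


def _start(key, nonce, ad):
    """Initialisation plus associated-data absorption; returns state and key words."""
    k0, k1 = _blocks(key)
    s = _permute([IV_ASCON128, k0, k1] + _blocks(nonce), 12)
    s[3] ^= k0; s[4] ^= k1
    if ad:
        for blk in _blocks(_pad(ad)):
            s[0] ^= blk
            s = _permute(s, 6)
    s[4] ^= 1                                     # domain separation
    return s, k0, k1


def _finish(s, k0, k1):
    s[1] ^= k0; s[2] ^= k1
    s = _permute(s, 12)
    return (s[3] ^ k0).to_bytes(8, "big") + (s[4] ^ k1).to_bytes(8, "big")


def ascon128_encrypt(key, nonce, ad, plaintext):
    """Return (ciphertext, tag); key and nonce are 16 bytes each, nonce never reused."""
    s, k0, k1 = _start(key, nonce, ad)
    blocks = _blocks(_pad(plaintext))
    ct = b""
    for blk in blocks[:-1]:                       # full blocks
        s[0] ^= blk
        ct += s[0].to_bytes(8, "big")
        s = _permute(s, 6)
    s[0] ^= blocks[-1]                            # last (padded) block, no permutation after it
    ct += s[0].to_bytes(8, "big")[: len(plaintext) % 8]
    return ct, _finish(s, k0, k1)


def ascon128_decrypt(key, nonce, ad, ciphertext, tag):
    """Return the plaintext, or None when the tag does not verify."""
    s, k0, k1 = _start(key, nonce, ad)
    cut = len(ciphertext) // 8 * 8
    pt = b""
    for blk in _blocks(ciphertext[:cut]):
        pt += (s[0] ^ blk).to_bytes(8, "big")
        s[0] = blk                                # the state takes the ciphertext block
        s = _permute(s, 6)
    last = bytes(c ^ k for c, k in zip(ciphertext[cut:], s[0].to_bytes(8, "big")))
    pt += last
    s[0] ^= _blocks(_pad(last))[0]                # re-apply the padded last block to the state
    if not hmac.compare_digest(_finish(s, k0, k1), tag):   # constant-time tag check
        return None
    return pt


def demo():
    """Constructed sample: a 16-byte key and nonce, a device id as associated data."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    nonce = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    ad, msg = b"sensor-42", b"temp=21.5;valve=open"
    ct, tag = ascon128_encrypt(key, nonce, ad, msg)
    return ct, tag, ascon128_decrypt(key, nonce, ad, ct, tag)
```

With an all-zero-length message and the all-bytes-counting key and nonce, the tag matches the first entry of the Ascon-128 known-answer tests, which is a quick way to confirm an implementation before trusting it on a device. Note that the design keeps the whole cipher in a 40-byte state with only XOR, AND, NOT and rotations, which is exactly why it suits constrained IoT controllers, and that decryption must refuse to release any plaintext when the tag fails.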
Last but not least: Address the Top Four OT Threats
- Eliminate external remote access paths that are part of the same trusted domain.
- Use Zero Trust to limit access to verified, known applications.
- Remove any access to IoT devices via the Internet.
- Properly curate all IoT devices, eliminating those that cannot be protected, updated or isolated.
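The four items above, together with the earlier points on micro-segmentation and separating operational networks from the Internet, can be turned into a check that runs over an exported segmentation policy. The following is an added example, not code from the original page or from any vendor it mentions: it lints a zone-based allow-rule table for each of the four items and, going one step beyond a rule-by-rule review, searches for indirect Internet-to-OT paths that pass through other zones. The zone names, the rule table, the trust-domain grouping and the device inventory are all constructed; in practice they would be exported from the firewall or SDN controller.

```python
"""Added example, not from the original page: a lint over a constructed
zone-based segmentation policy for the four OT items above."""
from collections import deque

EXTERNAL = {"internet", "vendor-vpn"}      # zones outside the organization
OT_ZONES = {"ot-control", "iot-sensors"}    # the operational network

# Constructed policy as it might be found: (source zone, destination zone, application)
RULES = [
    ("internet", "corp-it", "https"),
    ("corp-it", "ot-dmz", "https"),
    ("ot-dmz", "ot-control", "opc-ua"),
    ("vendor-vpn", "ot-control", "any"),      # vendor remote access straight into OT
    ("ot-control", "iot-sensors", "modbus"),
    ("internet", "iot-sensors", "rtsp"),      # a camera exposed to the Internet
]
# Constructed: the vendor VPN was made a member of the OT trust domain for convenience
TRUSTED_DOMAIN = {"vendor-vpn", "ot-dmz", "ot-control", "iot-sensors"}
# Constructed inventory: (device, can be patched, can be isolated)
INVENTORY = [("plc-01", True, True), ("cam-17", False, False), ("sensor-9", False, True)]

# The same policy after applying the four items
REMEDIATED_RULES = [
    ("internet", "corp-it", "https"),
    ("ot-dmz", "ot-control", "opc-ua"),
    ("ot-control", "iot-sensors", "modbus"),
]
REMEDIATED_DOMAIN = {"ot-dmz", "ot-control", "iot-sensors"}
REMEDIATED_INVENTORY = [d for d in INVENTORY if d[0] != "cam-17"]


def find_path(rules, src, dst):
    """Breadth-first search over allow rules; returns the shortest zone path or None."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for s, d, _ in rules:
            if s == zone and d not in parent:
                parent[d] = zone
                queue.append(d)
    return None


def lint_policy(rules, inventory, trusted_domain=TRUSTED_DOMAIN):
    """Return (finding, detail) pairs; an empty list means all four items hold."""
    findings = []
    for zone in sorted(EXTERNAL & trusted_domain):          # item 1
        findings.append(("remote-access-inside-trusted-domain", zone))
    for s, d, app in rules:
        if app == "any":                                     # item 2
            findings.append(("unverified-application", f"{s}->{d}"))
        if s in EXTERNAL and d in OT_ZONES:                  # item 3, direct rules
            findings.append(("external-direct-access-to-ot", f"{s}->{d}"))
    for src in sorted(EXTERNAL):                             # item 3, indirect paths
        for dst in sorted(OT_ZONES):
            path = find_path(rules, src, dst)
            if path and len(path) > 2:
                findings.append(("transitive-path-to-ot", "->".join(path)))
    for name, patchable, isolatable in inventory:            # item 4
        if not patchable and not isolatable:
            findings.append(("unmanageable-device", name))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(RULES, INVENTORY):
        print(*finding)
    print("after remediation:", lint_policy(REMEDIATED_RULES, REMEDIATED_INVENTORY, REMEDIATED_DOMAIN))
```

On the constructed policy the lint reports the vendor VPN sitting inside the OT trust domain, its unrestricted application, the two direct external rules into OT, the indirect path internet->corp-it->ot-dmz->ot-control, and the camera that can be neither patched nor isolated. The transitive check is the one worth keeping: deleting only the two direct rules would still leave OT reachable from the Internet through the corporate network and the DMZ, which is why the remediated policy also drops the corp-it to ot-dmz hop.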
We have addressed a monster topic, with the intention of providing guidance on three critical areas: network evolution choices, operational networks, and overall security. We hope you found it valuable—even if just one or two weak links are strengthened—as you take the next steps in your network and cybersecurity journey to prevent incapacitation of your critical infrastructure network.