Securing Critical Infrastructure with These Essential Steps

By Mario Chiock

8 min read

Last week, President Biden held a summit with top business leaders to discuss improving our nation’s cybersecurity, calling it a “core national security challenge.” I couldn’t agree more.

In recent months we’ve seen high-profile cyberattacks on federal agencies, energy pipelines and food supply chains. In particular, critical infrastructures are the hot target. The fact that some of these attacks may be government sponsored makes them particularly pernicious because the motivations would not be merely financial, but geopolitical and malicious, designed to wreak havoc.

The U.S. government has defined 16 critical infrastructure sectors as vital to our national interest. You may think your organization does not fit the definition of “critical infrastructure,” but the definition is a moving target. When supply chains get disrupted in one part of the economy, it has a ripple effect across a broad ecosystem of related industries.     

As a cybersecurity veteran in the energy industry, I’ve dealt with more than my share of attacks and would like to share some of what I’ve learned. To secure critical infrastructure, it’s best to think about cybersecurity best practices in terms of three categories: People, Process and Technology.  

People

  1. Build a cybersecurity culture. Foster a culture of safety. I used to start every meeting with a “safety moment” to make sure no one ever lost sight that safety was our top priority. I translated that to cybersecurity and created more than 200 cybersecurity moments. You can do the same.
  2. Train and test your employees. Have a cybersecurity awareness and training program. Make sure the entire organization understands the fundamentals of cybersecurity hygiene. Test them regularly with phishing and other realistic socially engineered attacks.
  3. Encourage everyone to report suspicious activity. One of my credos is “everyone is responsible for cybersecurity.” If your people feel it, they will report suspicious activities and you will have built-in crowd-sourcing to stop attacks early using your people as human sensors.

Process

  1. Minimize your attack surface. With the growth of mobile work and the Internet of Things, there is potential for a rapidly growing attack surface. You can minimize risk with extensive visibility and a variety of other process tools such as: classifying systems; inventorying assets; auditing accounts and permissions; minimizing access, and adopting a Zero Trust architecture.
  2. Test your incident response plan. Build a playbook; do drills; test your incident response plan on an ongoing basis, at least once a year at executive level and preferably more often than that with the rest of the organization.
  3. Measure and document your baseline. Use the NIST Cybersecurity Framework and OWASP guides and tests to make sure your organization is using best practices. Review your internal controls and automate important processes in your Security Operations Center, cyber threat intelligence and other key areas.

Technology

  1. Continue monitor configuration and ensure you can leverage threat intelligence and get real-time alerts when they happen.
  2. Use next-generation firewalls. You cannot stop today’s attacks with traditional firewalls. Stop using older technology because it may be less expensive. Replacing it is much less costly than a breach.
  3. Modernize your detect and response capability with visibility across all sources, while using machine learning and other intelligent tools to prioritize alerts.
  4. Leverage automation and single-pane-of-glass management, with a data lake of all security events.
  5. Segment your network, using software-defined wide-area- network (SDWAN) technology and the newer secure access service edge (SASE) technology.
  6. Make sure everyone uses multi-factor authentication and no critical infrastructure can be vulnerable to a single factor password.
  7. Use a platform model that provides multi-layer protection with integrated, cloud-delivered solutions that let your organization gain synergy by orchestrating all key cybersecurity technologies.

 

The Palo Alto Networks Advantage

Now, I want to talk more about technology. To me, Palo Alto Networks’ next-generation firewalls are essential to securing critical infrastructure. 

To secure any environment, physical or cyber, organizations must first identify and classify the assets capable of doing the most damage if compromised. Next, define and document operational requirements and implement least privilege access based on the principle of Zero Trust. Be sure to include applications and services and their expected usage to limit the potential for abuse. This will help you craft a cybersecurity posture that incorporates the key technology considerations I mentioned earlier, and align to standards like NIST and IEC-62443. 

Palo Alto Networks’ NGFWs allow teams to deploy with minimum disruption while providing the capability to quickly revert to the previous run state, ensuring no impact to production systems or services. Requisite network and application segmentation is simple to implement, manage, and support the IEC-62443-3-2 standard for “zones and conduits.” The NGFWs can enforce access policies uniformly across ICS devices in the field and support systems in the control center and the public cloud without the requirement for complicated integrations.

Attack Surface Management 

Beyond simplifying network and application segmentation, it’s important to bolster least privilege access by implementing multi-factor authentication. Be sure the deployment of multi-factor authentication considers guidance from the IEC-62443-3-2 standard. 

To reduce critical infrastructure’s attack surface, you’ll need services that provide continuous and consistent monitoring of the environment, and increase your security team’s ability to respond to potential incidents. Here, again, Palo Alto Networks has it down.  

  • Its App-ID service is ICS and SCADA aware, providing teams continuous visibility into what is ingressing or egressing the environment. App-ID provides contextual understanding for any user or machine communication streaming to and from critical devices.
  • Its Threat Prevention service is also ICS and SCADA aware. It includes malware prevention, delivering real-time alerts on events. It also provides an IPS/IDS protecting OT infrastructure against exploits, malware, and command-and-control (C2) traffic. And it protects vulnerable and unpatchable OT systems, such as legacy HMI, Historian, PLC, and engineering workstations.
  • Unlike other ICS network security monitoring solutions dependent on pre-existing signatures to identify devices, its IoT Security service uses machine learning to discover devices. This approach does not probe actively, eliminating the risk of methods that cause OT/IoT devices to crash. As cloud-based, its IoT Security can also utilize device-level intelligence across the Palo Alto Networks customer base to enable precise device personalities. 

When these services are paired with WildFire, it’s even better. WildFire is next-generation malware analysis and sandboxing technology that also works to reduce the attack surface in OT and IoT environments. It uses community-sourced threat intelligence and advanced malware analysis to automatically and quickly detect and prevent unknown threats. WildFire stops zero-day variants of advanced threats, such as CrashOverride, Triton, BlackEnergy, and Petya.

Adding URL Filtering enables safe internet access from OT by automatically preventing attacks that leverage the web as an attack vector. It protects against phishing links in emails, phishing sites, HTTP-based attacks, malicious sites, and pages that carry exploit kits.

Using a signatureless approach, Wildfire and URL Filtering proactively prevents weaponized files, credential phishing, and malicious scripts without compromising business productivity. 

ML-Powered NGFW

What’s really interesting is Palo Alto Networks’ inline machine learning (ML) infrastructure, which drives the ability to detect and respond to new and unknown cyber threats. 

The inline machine learning service leverages intelligence gathered from WildFire and URL Filtering to accelerate the detection of malicious activity. Without inline ML, the initial detection of new or unknown ICS and SCADA threats is effectively impossible. As the NGFWs run their analysis in the cloud, protections scale and evolve, continuously adding detection capabilities while minimizing operational impact to the control network. 

What’s more, Palo Alto Networks Hardware and virtual NGFWs apply ML-based prevention capabilities, which provide a powerful defense against polymorphic malware variants and quickly mutating web-based threats. Because the NGFWs can rapidly ingest and process massive amounts of data, the ML-based engine can make instant decisions and enable rapid response to prevent threats, rather than waiting on an answer from a thorough static, dynamic, or other analysis processes. Leveraging ML also lets you capture changes in an executable file without signatures, which addresses evasion techniques threat actors use to circumvent detection. 

With ML-powered NGFWs in place, OT security teams can: 

  • Stop new ICS and SCADA threats instantly, preventing initial infection and potential spread.
  • Maintain operations and the speed of business as they stop weaponized files and malicious scripts without sacrificing user experience for system performance.
  • Future-proof the defenses of the ICS environment, enabling them to evolve with the latest attacks.

There’s a lot more that can be said. My point is, Palo Alto Networks’ NGFWs and the supporting suite of services are essential to securing critical infrastructure. Start here and you’ll be in good hands.

Mario Chiock, a Schlumberger Fellow Emeritus, served as CISO at Schlumberger, where he was responsible for developing the company’s worldwide cybersecurity strategy. He is widely recognized for his leadership and management in all aspects of cybersecurity. Chiock serves on the advisory boards of Palo Alto Networks, Onapsis, Prismo Systems, Clearedin and Qualys. He was involved in the formation of the ONG-ISAC.