Author: Shawn Taylor, Senior Director, Solutions Engineering, Xage Security
CISA and a wide coalition of security-focused government bodies have released a series of warnings and recommendations about the continued targeting of critical infrastructure by state-sponsored hackers associated with Russia and China.
Volt Typhoon in particular has been called out as a threat after infiltrating organizations in the energy, transportation, water, and communications sectors. The advisories specifically highlight the group's tendency to use living-off-the-land tactics and to hijack valid accounts and credentials.
Many of the recommendations are consistent across joint advisories from numerous regulators and government agencies worldwide. They are foundational security controls that can have a significant impact, with an emphasis on preventing attacks entirely or mitigating risk early in the attack chain to minimize harm. While these controls are foundational, implementing them effectively can in some cases be a challenge of its own. But their preventative power makes them a good use of an organization’s limited resources.
7 High-Impact Critical Infrastructure Protections to Implement Now
(1) Scan for internet devices and disconnect them
Operational technology (OT) assets such as PLCs sometimes get connected to the internet for convenience, but doing so can be a big risk. As mentioned in a CNN article, “’Water utilities are being abused by adversaries taking advantage of low-hanging fruit — vulnerable services directly accessible from the internet,’ said Gus Serino, a water-sector cybersecurity expert who is president of security firm I&C Secure.”
Scanning can quickly identify any devices that have been connected to the internet, enabling organizations to shore up this weakness. Even OT OEMs have begun issuing warnings to their customers. For example, Rockwell Automation has on multiple occasions published guidance to disconnect devices from the internet.
(2) Reduce, control, and monitor the attack surface
A risk assessment is a foundational security measure: it identifies potential vulnerabilities and which assets or systems are most critical or sensitive. It allows the organization to prioritize what is most important to protect and where the most likely attack vectors are.
Equally important is continuing to monitor your attack surface over time. Attack surface management means knowing which targets an adversary or threat actor could go after. That includes both devices exposed to the internet and those inside a traditional firewall-based network perimeter, as well as workloads in the cloud. Each of these potentially represents a different entry point into the network for an adversary.
(3) Carefully control remote access
Remote access can be a particularly appealing target for bad actors, with the potential to carry them deep into the target infrastructure. Cleaning up stale user accounts, preventing credential sharing, avoiding risky VPN or VDI technologies, and keeping firewall rules tight go a long way toward reducing the risks of remote access.
(4) Leverage MFA
Federal security directives and alerts from the TSA and CISA have concluded that improved multi-factor authentication (MFA) is required to better secure critical infrastructure and OT environments. The cybersecurity industry agrees that MFA blocks 99.9% of unauthorized login attempts, even when attackers obtain a copy of the user’s password through tactics like keystroke logging, password spraying, or phishing. For extremely critical devices and environments, multiple layers of MFA can help secure key infrastructure.
(5) Ensure password hygiene and rotation
One of the most common means of initial intrusion is valid credentials that were stolen or leaked. Simple password rotation can drastically reduce the risk of a breach. A distributed password vault that automates credential rotation can protect your organization’s passwords from theft and abuse.
(6) Implement device protection and isolation
With the seemingly endless resources threat actors have at their disposal, the adage “it’s not if, but when” fits critical infrastructure owners and operators. It is highly recommended to put controls in place that minimize the blast radius and potential collateral damage of a successful attack. Device protections are such a control. They permit legitimate network traffic from known, authorized devices and stop traffic that is dangerous, is not the correct protocol for the destination, or comes from unknown or unauthorized devices. Such a control can minimize the likelihood of catastrophic damage from an eventual attack.
(7) Establish an allow list
An allow list explicitly permits only specific devices and entities. Implementing a zero-trust solution in which only authorized device and user identities are granted access achieves the same result.
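The following is an added example, not code from the original post or from Xage, showing how the device protection described in (6) and the allow list described in (7) combine into a single default-deny policy. All addresses, rules and flow records are constructed for illustration: the allow list pairs each authorized source device with the destinations, protocol, port and operations (read or write) it may use, the port-to-protocol table catches traffic that is not the expected protocol, and anything that matches no rule is denied.

```python
"""Default-deny allow-list enforcement for OT network flows.

Added example (not Xage code). A flow is permitted only when its source is an
authorized device, the destination/protocol/port match an allow-list rule, the
protocol is the one expected on that port, and the operation is permitted for
that source. Everything else is denied with a reason suitable for alerting.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source device address
    dst: str    # destination device address
    proto: str  # application protocol as classified by the inspection layer
    port: int   # destination TCP port
    op: str     # "read", "write", or "" when the protocol has no such notion


# Constructed allow list (hypothetical addresses inside 10.0.0.0/8).
ALLOW_LIST = [
    # engineering workstation: may read and write PLCs in the control enclave
    {"src": "10.10.1.5", "dst": ip_network("10.20.0.0/24"),
     "proto": "modbus", "port": 502, "ops": {"read", "write"}},
    # historian: may only read from the same PLCs
    {"src": "10.10.1.20", "dst": ip_network("10.20.0.0/24"),
     "proto": "modbus", "port": 502, "ops": {"read"}},
]

# Protocol expected on each OT port; a mismatch is treated as dangerous traffic.
EXPECTED_PROTO = {502: "modbus", 20000: "dnp3", 44818: "enip"}

AUTHORIZED_DEVICES = {rule["src"] for rule in ALLOW_LIST}


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under default-deny."""
    # 1. unknown device: denied before any deeper inspection
    if flow.src not in AUTHORIZED_DEVICES:
        return "deny", "unknown source device"

    # 2. wrong protocol for the port (e.g. HTTP tunnelled over 502)
    expected = EXPECTED_PROTO.get(flow.port)
    if expected is not None and flow.proto != expected:
        return "deny", f"{flow.proto} on port {flow.port} is not the expected protocol ({expected})"

    # 3. find rules for this source/destination/protocol/port
    dst = ip_address(flow.dst)
    candidates = [
        r for r in ALLOW_LIST
        if r["src"] == flow.src and dst in r["dst"]
        and r["proto"] == flow.proto and r["port"] == flow.port
    ]
    if not candidates:
        return "deny", "no allow-list rule for this source/destination/protocol"

    # 4. operation must be permitted by at least one matching rule
    if flow.op and not any(flow.op in r["ops"] for r in candidates):
        return "deny", f"{flow.op} not permitted for {flow.src}"
    return "allow", "matched allow-list rule"


def audit(flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Evaluate a batch of flows; returns (src, dst, decision, reason) per flow."""
    return [(f.src, f.dst, *evaluate(f)) for f in flows]


# Constructed sample traffic exercising each decision path.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.7", "modbus", 502, "write"),    # allow: engineering write
    Flow("10.10.1.20", "10.20.0.7", "modbus", 502, "write"),   # deny: historian may only read
    Flow("10.10.1.20", "10.20.0.7", "modbus", 502, "read"),    # allow: historian read
    Flow("192.168.99.4", "10.20.0.7", "modbus", 502, "read"),  # deny: unknown device
    Flow("10.10.1.5", "10.20.0.7", "http", 502, ""),           # deny: wrong protocol on 502
    Flow("10.10.1.5", "10.30.0.1", "modbus", 502, "read"),     # deny: destination not in any rule
]

if __name__ == "__main__":
    for src, dst, decision, reason in audit(SAMPLE_FLOWS):
        print(f"{decision:5} {src:>13} -> {dst:<11} {reason}")
```

The checks are ordered so that the cheapest and most decisive rejection (an unknown source) happens first, and every deny carries a reason string that can be fed straight into a detection pipeline; a burst of "unknown source device" or protocol-mismatch denials against PLC addresses is exactly the early-chain signal the advisories recommend watching for.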
How Xage Can Help
Xage can manage much of this for you, making access control and the other key security controls above much easier to implement, with features like automatic credential rotation and built-in multilayer MFA.