
How Multi-Layer MFA Can Secure Critical Infrastructure

September 20, 2022

By Vishal Gupta, VP of Product Management  

Critical infrastructure systems are the latest target of cyberattacks. Incidents from the Colonial Pipeline ransomware attack to Okta’s January 2022 breach by Lapsus$ show that bolstering security for these complex environments has never been more crucial.

Federal security directives and alerts from the TSA and CISA concluded that improved multi-factor authentication (MFA) is required to better secure operational technology (OT) environments. The cybersecurity industry agrees that MFA blocks 99.9% of unauthorized login attempts, even if the hackers get a copy of the user’s password through tactics like keystroke logging, password spray, or phishing.

But what about the remaining attacks not blocked by ordinary MFA? It’s estimated that a cybersecurity attack occurs every 39 seconds, equating to almost one billion attacks each year. This means almost one million attacks would bypass MFA, most commonly through MFA fatigue attacks (also referred to as MFA bombing attacks). In an MFA fatigue attack, hackers attempt to trick users into approving an MFA-initiated approval request on a secondary device, such as a mobile phone. This is typically achieved by sending multiple authentication requests to the user in the hope that they accept one unintentionally, exploiting the likelihood of human error.

Publicly reported incidents of MFA fatigue attacks are increasing: the Lapsus$ group’s breach of Okta in January 2022 and the Uber breach of September 2022 are widely publicized examples. Hackers typically send frequent MFA requests in the middle of the night, or send less frequent MFA requests over a few days to avoid suspicion, and may also use social engineering tactics to get the target organization’s personnel to approve the MFA request. Regardless of the method, the intent is the same: get the user to approve just one request to gain access to their account.
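Both request patterns described above, a rapid burst and a slow drip over a few days, leave a recognizable trace in push-MFA logs: a run of denied or timed-out prompts followed by one approval. The following detection sketch is an added example, not code from Xage or from the original post; the log layout, outcome names, and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log: (ISO timestamp, user, outcome).
# Field layout and outcome names are assumptions, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2022-09-01T09:02:00", "alice", "approved"),   # normal login
    ("2022-09-02T02:10:00", "bob", "denied"),       # night-time burst starts
    ("2022-09-02T02:11:00", "bob", "timeout"),
    ("2022-09-02T02:12:00", "bob", "denied"),
    ("2022-09-02T02:13:00", "bob", "timeout"),
    ("2022-09-02T02:14:00", "bob", "approved"),     # approval after 4 unanswered prompts
    ("2022-09-03T08:00:00", "carol", "timeout"),    # low-and-slow over days
    ("2022-09-03T20:00:00", "carol", "denied"),
    ("2022-09-04T07:30:00", "carol", "timeout"),
    ("2022-09-04T21:15:00", "carol", "denied"),
    ("2022-09-05T06:45:00", "carol", "approved"),
    ("2022-09-05T09:00:00", "alice", "timeout"),    # single miss, then approve
    ("2022-09-05T09:01:00", "alice", "approved"),
]

def find_fatigue_approvals(events, window, min_unanswered):
    """Return (user, approval_time, n) for approvals preceded by at least
    min_unanswered denied/timed-out prompts for the same user within window."""
    recent = defaultdict(deque)   # user -> timestamps of unanswered prompts
    hits = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if outcome == "approved":
            if len(q) >= min_unanswered:
                hits.append((user, ts_text, len(q)))
            q.clear()                     # a new streak starts after any approval
        else:
            q.append(ts)
    return hits

def detect(events):
    """Run both patterns the article describes: rapid burst and slow drip."""
    # Thresholds are illustrative assumptions; tune them to real prompt volume.
    burst = find_fatigue_approvals(events, timedelta(minutes=10), 4)
    slow = find_fatigue_approvals(events, timedelta(days=3), 4)
    return {"burst": burst, "slow": [h for h in slow if h not in burst]}

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_EVENTS).items():
        print(kind, hits)
```

An approval flagged this way is a candidate for session revocation and a call to the user, since the approval itself is indistinguishable from a legitimate one.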

When it comes to industrial control systems (ICS) and real-world operations, which include critical infrastructure related to energy, utilities, defense, transportation, manufacturing, and related industries, attacks can cause major system shutdowns, disrupting crucial services and safety for the communities these operations serve and hurting the operators’ bottom lines. These complex environments, filled with distributed, legacy technologies, are also notoriously hard to secure, and most of the technologies aren’t inherently equipped to support MFA. Thus, operators can’t rely on traditional MFA built into the equipment to protect essential services.

There is an urgent need for innovative security solutions that can keep critical infrastructure systems secure and online. Implementing the Purdue model is a traditional security approach that remains helpful but doesn’t offer the required protection against modern, sophisticated cyber risks. Defensive measures must also advance to counter the newest threats.

Xage’s newly released distributed, multi-layer MFA is designed specifically for real-world operations and combines zero trust access control with a defense-in-depth authentication strategy. The solution provides multiple MFA deployment options and complements the aforementioned Purdue model. In addition, since users must reconfirm their identity to access each subsequent layer in the operation, Xage unlocks granular, independent user verification down to an individual operational site or even a single OT asset. As a result, compromise of an individual authentication factor, such as during an MFA fatigue attack, doesn’t allow the hacker to infiltrate further assets, systems, or applications.

Xage’s solution fingerprints every protected device and user across the entire ICS network and allows user access to only specific devices based on policy authorization. A remote access session can even be time-bound, scheduled, and short-lived using a one-time password. If adversaries do infiltrate one layer or an individual site, they’re quickly isolated and unable to access the rest of the systems. 

Ultimately, layered MFA enforcement empowers organizations with critical infrastructure to enforce layered defense across their operations. This keeps crucial systems online by containing breaches by nation-state actors or hacker groups via MFA fatigue attacks. With Xage, not only can today’s critical operations secure their vast networks of assets, but they can also meet new federal security requirements for zero trust and MFA.