Author: Roman Arutyunov, Co-Founder and SVP of Products, Xage Security
The U.S. Department of Energy’s National Renewable Energy Laboratory (NREL) has released a public report outlining the procedures and outcomes of the first cohort of the NREL-led Clean Energy Cybersecurity Accelerator (CECA) program. Xage Security was one of three cybersecurity solution providers to participate in the first CECA cohort.
The mission of CECA is, in part, to “bolster the security of emerging technologies to ensure the U.S. Energy Grid outpaces evolving threats.” The first CECA cohort focused on solutions that provide authentication and authorization for industrial control systems, to mitigate attacks on the energy grid. The public report notes that “Exploitation of weak authentication and authorization controls can lead to malicious actors gaining access and privilege to critical devices, systems, and information, and can cause impact to system operation.”
In keeping with its mission, CECA emulated advanced adversary behavior inside their Advanced Research on Integrated Energy Systems (ARIES) cyber range, described as “a scalable cyber-physical environment used for controlled threat emulation”. Within ARIES, CECA tested the abilities of Xage to prevent attackers from achieving their objectives against operational assets. CECA tested Xage’s ability to block attacks coming in through various avenues, including pathways for attackers to gain initial access, spread laterally, or escalate privileges within the attack simulation environment.
MITRE ATT&CK Techniques Used in CECA Testing
The testing conducted by CECA used various combinations of the MITRE ATT&CK Tactics and Techniques illustrated here. These Tactics and Techniques were recombined into various scenarios to test different phases and approaches an advanced persistent threat could take in an end-to-end killchain. The attack scenarios were developed based on real-world observed attacks against operational assets. The full public report contains more detailed descriptions of the sequences of MITRE Tactics and Techniques used in the various scenarios tested by CECA.
Figure 3: MITRE ATT&CK tactics (blue) and techniques (red) used in Cohort 1 threat scenarios. Graphic by NREL
1. The importance of designing systems that focus on protection, with defense in depth, to prevent breaches.
CECA strongly advocates for a defense-in-depth approach that assumes a network breach will occur, and places authentication and authorization mechanisms inside critical operational sites. Using identity-based access control with multifactor authentication (MFA) not only at the perimeter, but at every layer of the operational environment, is an important step to hardening your overall system against attacks.
How Xage Addresses This Security Principle
Xage offers defense-in-depth built for industrial control systems. The Xage approach does not only detect, but prevents cyberattacks by controlling every interaction with every asset, including user-to-machine and machine-to-machine interactions via granular, identity-based access policy. Every interaction is individually authenticated and authorized, and access policies are dynamically enforced. Xage provides the option to require phishing-resistant MFA at every layer, so that even if an attacker successfully gets past the IT security perimeter, they will be stopped by an MFA challenge at the OT DMZ or a subsequent layer before they can do harm.
2. The importance of placing protection as close to your critical assets as possible.
The ability to place access control points at key locations in your environment to block attackers from moving laterally is vital. If an attacker gets past the IT perimeter, you still need to block them from accessing deeper layers of your environment. If they get into the operational network, you need to prevent them from accessing the most critical assets. For example, various substation assets should still be protected, even if an attacker breaches the OT network.
How Xage Addresses This Security Principle
Xage can be deployed at every layer of the environment, from cloud to IT, to DMZ to the OT edge, assuring that every device, including the furthest field assets, is protected against attacker compromise and lateral movement, even if the adversary has breached other layers of the environment.
3. Detections alone are not enough to defend networks.
Eliminating implicit trust zones, and establishing in-depth authentication for every asset interaction at multiple layers of your environment is a necessary approach to defending against breaches, including living-off-the-land attacks.
How Xage Addresses This Security Principle
Xage adheres to the principles of zero trust by only allowing asset interactions that are explicitly allowed by identity-based policy. Whether from user-to-machine or machine-to-machine, Xage proactively prevents attackers from moving laterally within an environment. Additionally, Xage rotates credentials on a per session or schedule basis to protect against credential compromise. When sessions are complete, accounts are disabled, credentials are rotated, and previously allowed interactions are blocked further reducing the attack surface.
An overarching takeaway from this testing is that those responsible for industrial cybersecurity need new tools and approaches built specifically for their needs. IT-centric approaches are not sufficient to protect these critical assets.
Next Steps for Xage Security
Xage Security has participated in numerous programs in partnership with federal organizations to move the state of the art forward in cybersecurity for industrial control systems and critical infrastructure. From our participation in the Joint Cybersecurity Defense Collaborative (JCDC) with the Cybersecurity and Infrastructure Security Agency (CISA), to our ongoing work with the U.S. Department of Defense, U.S. Air Force, U.S. Space Force, and other agencies, Xage is committed to bringing Zero Trust cybersecurity to critical assets from the strategic core to the tactical edge across every critical infrastructure industry, including clean energy and renewable power.
Xage is already delivering zero trust cybersecurity to clean energy producing organizations. Just one example of this is Xage customer Leeward Energy, which is responsible for 25 Wind and Solar facilities driving over 2700MW of energy production. This and other customers in the renewable space have demonstrated that Xage’s Zero Trust Remote Access and Identity-based Access Control solutions can deliver security in challenging, highly distributed environments like those being embraced by the modern power industry.
To learn more about Xage’s participation in the NREL CECA Program, you can read their news release here. To download the free and publicly available report, please visit https://www.nrel.gov/docs/fy23osti/86205.pdf
