How move to cloud is impacting essential services industries and how can they adapt to minimize disruptions (Guest blog from Cisco)
Author: Krishna Tata, Manager - Security Risk and Architecture, Cisco
Cloud is ubiquitous now! What was once a vaguely described term that got lumped together with ‘futuristic technologies’ such as intelligent robots or deep machine learning; is today an everyday reality. “Move to cloud” is a major shift for all organizations, in terms of the disruption it creates for people, processes and technologies in use.
Critical infrastructure (CI) related industries, many of whom offer essential services such as power, water, health, food and agriculture are also steadily moving to the cloud. This represents a significant shift for such industries which have traditionally relied on isolation via air-gapped networks. It also presents a peculiar challenge for such industries, as most of them put a high premium on availability or ‘zero downtime’ over other security metrics (confidentiality, integrity and so on)ii. Cloud services introduce newer risks from a cyber security perspective that can have a direct impact on availability metrics, causing service disruptions.
In this article, I will explore the shortcomings in the way organizations are viewing security in essential services and best practices to mitigate risks arising out of introduction of cloud services.
Impact to “essential services”
The US Government’s CISA agency, UK’s CPNI agency and the European Union list several industries which can be considered as “essential services” sectors including transportation, water, food and agriculture, public health, dams, energy and utilities (E&U), emergency servicesiii and other public servicesiv.
Cyber threats from rival nation states and rogue actors are very plausible and also are becoming increasingly common resulting in a loss of continuum of public services that are offered to common citizens.
- Last year, lack of adequate controls in a cloud-based software to prevent access to industrial networks caused service disruption at a US drinking water treatment facility. Poorly controlled cloud software (desktop sharing) had increased sodium hydroxide levels in drinking waterv.
- In another example from this year, a version of the Industroyer malware that spreads via spear phishing emails of cloud-based email systems, obtained access to power grids and almost shut down power supply to a portion of Ukraine’s capital (lack of or poor implementation of cloud native controls to detect phishing)vi.
In short, essential services affect us all and any disruption will tend to impact the way we carry out our daily tasks, not to mention the significant economic costs associated with them.
Unique characteristics of essential services industries present unique challenges from a security standpoint
Cybersecurity is relatively still very new within essential services industries, which is traditionally lower down the priority list for many of these organizations. These industries share several characteristics and unique issues when it comes to cyber security.
There is still a tendency to still take Purdue reference model as a gold standard for segmentation and logical enterprise architecture in the age of Internet-of-things (IoT) and cloud services. This model, which separates various operations and functions into loose logical swim lanes across the enterprisevii to enforce isolation; worked fine for decades until the proliferation of Internet of Things (IoT) devices, cloud services and myriad of other enterprise-wide software and tools. IoT devices and cloud agents, don’t necessarily straddle the logical levels of the Purdue model and will need to interact with cloud from anywhere.
Legacy devices are also ubiquitous in industrial control networks. These range from Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems. These are often very old, running proprietary firmware and operating on proprietary protocols, which are notoriously difficult to secure or harden. Upgrading these legacy devices are often complex projects that are not necessarily undertaken, given the extreme importance placed on ‘zero downtime’.
In addition, lack of risk assessments being performed for 3rd party cloud services being purchased, to determine native security controls and controls that need to be implemented; also increases the risk of disruption within industrial control networks.
A holistic cyber security program focused on cloud and third parties to improve security preparedness is needed
There is no silver bullet when it comes to addressing security concerns arising out of cloud adoption within CI industries that provide essential public services. It is impossible and also counter-productive to stop the proliferation of cloud services within corporate and even control networks. There are things that can be done and initiatives that can be undertaken to mitigate the risk.
Establishing a comprehensive cloud securityviii program that consists of all domains such as Access Control, Communications Security, Data Security, and Threat Modeling, focused on adoption of newer cloud technologies, is imperative. This should also be backed by a governance program that proactively addresses security as it pertains to cloud services/software being brought in. Additionally, risk assessments of all 3rd party cloud services and PaaS services on a component-by-component basis to determine risk before any product is brought into the network will ensure risk is quantified and viewed appropriately. Threat modeling of various threat vectors can and should be leveraged for risk assessments.
Securing industrial control networks shouldn’t just involve perimeter security, but a whole range of security controls that the security program must implement, including lateral segmentation, possibly micro-segmentation, device level security, and device access control. Special controls must be in place for IoT devices as well.
Lastly, though Purdue model will continue to be foundational framework, a more hybrid model that factors in the reality that IoT devices and cloud services will not necessarily follow logical swimlanes, should be adopted. Knowing data flows including API calls within and outside of the networks is very critical to come up with the best segmentation strategy.
There is a gradual blurring of lines between corporate and control networks, which will only accelerate in future. The continued proliferation of cloud and the constant evolution of internet-of-things will make essential services the single most important sector that will keep security professionals constantly on their toes!
Organizations should buckle-up for these changes by prioritizing cybersecurity around introduction of newer cloud and non-cloud technologies, to effectively react to security challenges in this era of extremely volatile geopolitics - and position themselves for success long into the future.
Combining cloud technology with company values to make a difference in local government
#CloudFuture Guest blog by Centerprise International
Cloud Week 2022
We bring you news, views and insights from the technology sector on what cloud computing can enable in the UK
i) Risks to critical infrastructure that use cloud services
ii) NIST Special Publication 800-82 Revision 2 - Guide to Industrial Control Systems (ICS) Security
iii) Critical Infrastructure Sectors - Cybersecurity & Infrastructure Security Agency
iv) Critical National Infrastructure - NPSA
v) Alert (AA21-042A) | Compromise of U.S. Water Treatment Facility | Cybersecurity & Infrastructure Security Agency
vi) Alert (AA22-110A) | Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | Cybersecurity & Infrastructure Security Agency
vii) Introduction to ICS Security Part 2 | SANS
viii) Cloud Security Technical Reference Architecture
Chris Hazell
Sue Daley
Sue Daley
Sue leads techUK's Technology and Innovation work.
This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy. She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame. A key influencer in driving forward the data agenda in the UK Sue is co-chair of the UK government's National Data Strategy Forum. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020 Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015 Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy, cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has an BA degree on History and American Studies from Leeds University and a Masters Degree on International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.
- Email:
- [email protected]
- Phone:
- 020 7331 2055
- Twitter:
- @ChannelSwimSue,@ChannelSwimSue
Laura Foster
Laura Foster
Laura is techUK’s Head of Programme for Technology and Innovation.
She supports the application and expansion of emerging technologies, including Quantum Computing, High-Performance Computing, AR/VR/XR and Edge technologies, across the UK. As part of this, she works alongside techUK members and UK Government to champion long-term and sustainable innovation policy that will ensure the UK is a pioneer in science and technology
Before joining techUK, Laura worked internationally as a conference researcher and producer covering enterprise adoption of emerging technologies. This included being part of the strategic team at London Tech Week.
Laura has a degree in History (BA Hons) from Durham University, focussing on regional social history. Outside of work she loves reading, travelling and supporting rugby team St. Helens, where she is from.
- Email:
- [email protected]
- LinkedIn:
- www.linkedin.com/in/lauraalicefoster
Authors
Krishna Tata
Krishna Tata is currently a Manager of Information Security Risk and Architecture in Cisco’s Customer Experience (CPX) group, helping align AWS-based cloud security architecture and posture of the organization to best practices. Previously, he has been core member of the global OT Security and AWS-security practice at IBM specifically aligned with the industrial market. Krishna has several years of experience in OT and Cloud Security and Risk Management domains, primarily in the areas of Cloud security (focused on AWS) including deploying cloud-native security tools for AWS, OT security architecture and design, SIEM tool deployments, security and compliance assessments including NIST 800-53 and NERC CIP, ISO 27001 and FedRamp assessments.