How the move to cloud is impacting essential services industries, and how they can adapt to minimize disruptions (Guest blog from Cisco)
Author: Krishna Tata, Manager - Security Risk and Architecture, Cisco
Cloud is ubiquitous now! What was once a vaguely described term, lumped together with ‘futuristic technologies’ such as intelligent robots or deep machine learning, is today an everyday reality. The “move to cloud” is a major shift for all organizations in terms of the disruption it creates for the people, processes and technologies in use.
Critical infrastructure (CI) related industries, many of which offer essential services such as power, water, health, food and agriculture, are also steadily moving to the cloud. This represents a significant shift for industries that have traditionally relied on isolation via air-gapped networks. It also presents a peculiar challenge, as most of them put a high premium on availability, or ‘zero downtime’, over the other security properties (confidentiality, integrity and so on) [ii]. Cloud services introduce new cyber security risks that can directly affect availability, causing service disruptions.
In this article, I will explore the shortcomings in the way organizations view security in essential services, and best practices to mitigate the risks arising from the introduction of cloud services.
Impact to “essential services”
The US Government’s CISA agency, the UK’s CPNI agency and the European Union list several industries that can be considered “essential services” sectors, including transportation, water, food and agriculture, public health, dams, energy and utilities (E&U), emergency services [iii] and other public services [iv].
Cyber threats from rival nation states and rogue actors are very plausible and are becoming increasingly common, resulting in a loss of continuity of the public services offered to ordinary citizens.
- Last year, the lack of adequate controls in cloud-based software to prevent access to industrial networks caused a service disruption at a US drinking water treatment facility. Poorly controlled cloud software (desktop sharing) was used to increase sodium hydroxide levels in the drinking water [v].
- In another example from this year, a version of the Industroyer malware, delivered via spear-phishing emails to cloud-based email systems, obtained access to power grids and almost shut down the power supply to a portion of Ukraine’s capital (a lack of, or poor implementation of, cloud-native controls to detect phishing) [vi].
In short, essential services affect us all, and any disruption will tend to impact the way we carry out our daily tasks, not to mention the significant economic costs associated with it.
Unique characteristics of essential services industries present unique challenges from a security standpoint
Cyber security is still relatively new within essential services industries, where it has traditionally sat lower down the priority list for many organizations. These industries share several characteristics and unique issues when it comes to cyber security.
There is still a tendency to take the Purdue reference model as the gold standard for segmentation and logical enterprise architecture, even in the age of the Internet of Things (IoT) and cloud services. This model, which separates the various operations and functions into loose logical swim lanes across the enterprise [vii] to enforce isolation, worked fine for decades until the proliferation of IoT devices, cloud services and a myriad of other enterprise-wide software and tools. IoT devices and cloud agents do not necessarily fit within the logical levels of the Purdue model, and they need to interact with the cloud from anywhere.
Legacy devices are also ubiquitous in industrial control networks, ranging from Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs) to Supervisory Control and Data Acquisition (SCADA) systems. These are often very old, run proprietary firmware and operate on proprietary protocols, and they are notoriously difficult to secure or harden. Upgrading them is often a complex project that is not necessarily undertaken, given the extreme importance placed on ‘zero downtime’.
In addition, the lack of risk assessments for third-party cloud services being purchased, to determine their native security controls and the controls that still need to be implemented, also increases the risk of disruption within industrial control networks.
A holistic cyber security program focused on cloud and third parties to improve security preparedness is needed
There is no silver bullet when it comes to addressing the security concerns arising out of cloud adoption within CI industries that provide essential public services. It is impossible, and also counter-productive, to stop the proliferation of cloud services within corporate and even control networks. There are, however, things that can be done and initiatives that can be undertaken to mitigate the risk.
Establishing a comprehensive cloud security program [viii] that covers all domains, such as Access Control, Communications Security, Data Security and Threat Modeling, and is focused on the adoption of newer cloud technologies, is imperative. This should be backed by a governance program that proactively addresses security as it pertains to the cloud services and software being brought in. Additionally, risk assessments of all third-party cloud services and PaaS services, on a component-by-component basis and before any product is brought into the network, will ensure that risk is quantified and viewed appropriately. Threat modeling of the various threat vectors can and should be leveraged for these risk assessments.
Securing industrial control networks shouldn’t just involve perimeter security, but a whole range of security controls that the security program must implement, including lateral segmentation, possibly micro-segmentation, device-level security and device access control. Special controls must be in place for IoT devices as well.
Lastly, though the Purdue model will continue to be a foundational framework, a more hybrid model that factors in the reality that IoT devices and cloud services will not necessarily follow the logical swim lanes should be adopted. Knowing the data flows, including API calls, within and outside of the networks is critical to coming up with the best segmentation strategy.
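As an added illustration of the last two points (this is example code written for this page, not Cisco's or the author's, and the zone names, the observed flows, the exception rule and the assessment reference are all constructed), here is a small Python check that evaluates observed data flows against a hybrid Purdue-style policy: adjacent levels may talk, anything crossing between the control and enterprise sides must pass through the industrial DMZ, industrial protocols never leave the control levels, and an IoT or cloud flow that breaks the swim lanes is tolerated only where a named, risk-assessed exception exists for that exact direction, protocol and port.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Purdue levels used as zones (constructed names). Level 3.5 is the industrial
# DMZ (IDMZ) brokering traffic between control (0-3) and enterprise/cloud (4-5).
LEVELS = {
    "L0_process": 0.0, "L1_control": 1.0, "L2_supervisory": 2.0,
    "L3_operations": 3.0, "L3_5_idmz": 3.5, "L4_enterprise": 4.0, "L5_cloud": 5.0,
}
IDMZ_LEVEL = 3.5
# Industrial protocols that should never be seen at or above the IDMZ.
INDUSTRIAL_PROTOS = {"modbus", "dnp3", "opcua"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class AllowRule:
    """Risk-assessed exception for an IoT/cloud flow that breaks the swim lanes.
    assessment_ref is a placeholder for the record of the completed assessment."""
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    assessment_ref: str

    def matches(self, flow: Flow) -> bool:
        # Directional: an outbound telemetry exception does not permit inbound access.
        return (self.src_zone, self.dst_zone, self.proto, self.dst_port) == (
            flow.src_zone, flow.dst_zone, flow.proto, flow.dst_port)


@dataclass
class Finding:
    flow: Flow
    verdict: str  # "allowed", "exception" or "violation"
    reasons: list[str] = field(default_factory=list)


def check_flow(flow: Flow) -> tuple[list[str], list[str]]:
    """Return (hard, waivable) reasons the flow breaks the baseline policy.
    Waivable reasons can be lifted by an AllowRule; hard reasons cannot."""
    src, dst = LEVELS[flow.src_zone], LEVELS[flow.dst_zone]
    lo, hi = min(src, dst), max(src, dst)
    hard, waivable = [], []
    if hi - lo > 1:
        waivable.append(f"skips Purdue levels ({src} -> {dst}); only adjacent levels may talk")
    if lo < IDMZ_LEVEL < hi:
        waivable.append("crosses the control/enterprise boundary without passing through the IDMZ")
    if flow.proto in INDUSTRIAL_PROTOS and hi >= IDMZ_LEVEL:
        hard.append(f"industrial protocol {flow.proto} must stay below the IDMZ")
    return hard, waivable


def evaluate(flows, rules) -> list[Finding]:
    findings = []
    for flow in flows:
        hard, waivable = check_flow(flow)
        if hard:
            findings.append(Finding(flow, "violation", hard + waivable))
        elif waivable:
            rule = next((r for r in rules if r.matches(flow)), None)
            if rule is None:
                findings.append(Finding(flow, "violation", waivable))
            else:
                findings.append(Finding(flow, "exception",
                                        [f"permitted by assessed rule '{rule.name}' ({rule.assessment_ref})"]))
        else:
            findings.append(Finding(flow, "allowed"))
    return findings


def summarize(findings) -> dict[str, int]:
    return dict(Counter(f.verdict for f in findings))


# Constructed sample of observed flows, e.g. from NetFlow or a passive ICS monitor.
SAMPLE_FLOWS = [
    Flow("L1_control", "L2_supervisory", "modbus", 502),  # PLC <-> HMI, in-lane
    Flow("L2_supervisory", "L5_cloud", "https", 443),     # IoT gateway telemetry to cloud
    Flow("L4_enterprise", "L1_control", "rdp", 3389),     # direct remote access to a PLC
    Flow("L3_operations", "L3_5_idmz", "https", 443),     # historian replication via IDMZ
    Flow("L3_operations", "L3_5_idmz", "modbus", 502),    # industrial protocol leaking upward
    Flow("L5_cloud", "L2_supervisory", "https", 443),     # inbound from cloud, no exception
]
# Constructed exception: the one cloud flow that went through a risk assessment.
SAMPLE_RULES = [AllowRule("vendor-telemetry-agent", "L2_supervisory", "L5_cloud",
                          "https", 443, assessment_ref="RA-PLACEHOLDER-001")]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_FLOWS, SAMPLE_RULES)
    for f in findings:
        print(f"{f.verdict:9} {f.flow.src_zone} -> {f.flow.dst_zone} {f.flow.proto}/{f.flow.dst_port}")
        for r in f.reasons:
            print("          -", r)
    print(summarize(findings))
```

Run stand-alone, the script lists every flow with its verdict and reasons: the in-lane Modbus and the IDMZ-brokered HTTPS flows pass, the assessed telemetry flow is reported as an exception with its assessment reference, and the remote-desktop path into the control network, the Modbus flow reaching the IDMZ and the unassessed inbound cloud connection are flagged. Making the industrial-protocol rule non-waivable is a deliberate design choice: a governance exception can justify an agent talking outward to the cloud, but it should never be able to justify a control protocol leaving the control levels.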
There is a gradual blurring of the lines between corporate and control networks, which will only accelerate in future. The continued proliferation of cloud and the constant evolution of the Internet of Things will make essential services the single most important sector that keeps security professionals constantly on their toes!
Organizations should buckle up for these changes by prioritizing cyber security around the introduction of newer cloud and non-cloud technologies, to react effectively to security challenges in this era of extremely volatile geopolitics, and position themselves for success long into the future.
[i] Risks to critical infrastructure that use cloud services
[ii] NIST Special Publication 800-82 Revision 2 - Guide to Industrial Control Systems (ICS) Security
[iii] Critical Infrastructure Sectors - Cybersecurity & Infrastructure Security Agency
[iv] Critical National Infrastructure - CPNI
[v] Alert (AA21-042A) - Compromise of U.S. Water Treatment Facility - Cybersecurity & Infrastructure Security Agency
[vi] Alert (AA22-110A) - Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure - Cybersecurity & Infrastructure Security Agency
[vii] Introduction to ICS Security Part 2 - SANS
[viii] Cloud Security Technical Reference Architecture