Behavioral Risk Analysis at the Center
By Nathan Howe, Director of Transformation Strategy at Zscaler
Nathan Howe, Vice President of Emerging Technology at Zscaler
Attacks on software supply chains have put the technology world on high alert. The complex web of connections between companies and their many suppliers creates a jungle of systems that is difficult to monitor. Corporate security's ability to watch for unwanted intruders and malicious code often ends at the boundary of its own IT ecosystem, and connections to the open Internet or to partner networks beyond that boundary remain largely unknown. What is required is visibility into all data streams, which the IT department must control in order to reduce the attack surface. One year after the ransomware incident at the energy-sector operator of critical infrastructure, what lessons should have been learned?
Attackers focus on the weakest link
The vulnerability through which the extortionists were able to infiltrate the oil pipeline was an unused VPN connection. The cybercriminals could use this connection as a gateway because it was neither protected by multi-factor authentication nor monitored by an IT system for suspicious behavior. Since this prominent attack, the groups have stepped up their activity against these kinds of vulnerabilities, because a high ransom can be extorted by attacking such targets. There are chats on the darknet in which employees of critical infrastructure operators (KRITIS) are offered up to $30,000 for their credentials, such as usernames and passwords.
These kinds of insider attacks bypass the standard security controls and usually remain undetected by classic IT security, yet they pose an immense danger. It is irrelevant whether the attackers obtain the authentication information with the users' knowledge or capture it through phishing or other hacking techniques. What matters is to recognize that the user remains the weakest link in the protection of critical infrastructure.
It follows that technical solutions must focus primarily on monitoring unusual behavior by individual employees; behavioral risk analysis therefore moves to the fore as a safeguard. If a user suddenly seeks access to applications on the network that do not match their activity profile, the alarm bells should ring. Today, deception technology using honeypots can expose this kind of unusual behavior. In addition, attack vectors must be eliminated from remote access solutions.
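As an added illustration of the behavioral profiling described above (example code written for this article, not a Zscaler product or any code from the original page), the snippet builds each user's application profile from a baseline period of constructed access-log lines and then flags new events that fall outside that profile or touch a decoy application; the log format, user names, application names and the decoy list are all assumptions.

```python
"""Toy behavioral-risk check: flag application access that does not match a
user's established activity profile, plus any touch of a decoy (honeypot) app.
Added example with a constructed log format; not production detection logic."""
from collections import defaultdict

# Constructed sample baseline: "timestamp user application" (not real data).
BASELINE_LOG = """\
2021-04-01T08:02 alice vpn-gateway
2021-04-01T08:05 alice erp
2021-04-01T09:10 alice erp
2021-04-02T08:01 alice vpn-gateway
2021-04-02T08:04 alice mail
2021-04-01T07:50 bob scada-hmi
2021-04-01T07:55 bob historian
2021-04-02T07:52 bob scada-hmi
"""

# Constructed new events to score against the baseline profiles.
NEW_EVENTS = """\
2021-05-06T03:12 alice vpn-gateway
2021-05-06T03:14 alice scada-hmi
2021-05-06T03:20 alice decoy-plc
2021-05-06T08:10 bob scada-hmi
"""

# Assumed deception assets: no legitimate workflow ever touches these names.
DECOY_APPS = {"decoy-plc"}


def build_profiles(log):
    """Map each user to the set of applications seen during the baseline."""
    profiles = defaultdict(set)
    for line in log.splitlines():
        _ts, user, app = line.split()
        profiles[user].add(app)
    return profiles


def score_events(events, profiles, decoys=DECOY_APPS):
    """Return (user, app, reason) tuples for events that warrant an alert.
    Decoy access is checked first: it is a stronger signal than novelty."""
    alerts = []
    for line in events.splitlines():
        _ts, user, app = line.split()
        if app in decoys:
            alerts.append((user, app, "decoy access"))
        elif app not in profiles.get(user, set()):  # unknown user => empty profile
            alerts.append((user, app, "outside activity profile"))
    return alerts


if __name__ == "__main__":
    for alert in score_events(NEW_EVENTS, build_profiles(BASELINE_LOG)):
        print("ALERT", *alert)
```

In the sample data, alice's credentials are used to reach an OT application she has never accessed and then a decoy, while bob's routine access produces no alert.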
The Challenge of Legacy Systems
The fact that critical infrastructures are vulnerable to supply chain attacks is not new in itself. For a long time, however, the security of such infrastructures has been neglected, and for good reason: the operational technology (OT) systems that run the infrastructure are not linked to classic IT security, and the need to guarantee security of supply makes it hard to shut systems down for upgrades. Because production and control systems for critical infrastructure have such long lifetimes, this environment also contains many older operating systems running partly outdated software. Support engineers often rely on Windows 98 or XP laptops to update firmware, and those laptops gain access to an entire network at the link layer. There is no question that such unpatched laptops can pose a security risk for a long time.
In addition to the risk posed by longevity, modern systems have usually already expanded into the cloud via sensors and therefore require a connection to the Internet. Here, too, attack vectors arise that demand the attention of IT teams. Any third-party connection via VPN theoretically means possible access to the network infrastructure. Here the concept of privileged remote access through a browser can provide the necessary security: the support employee no longer has access to the entire network environment but can still perform the required upgrades or updates. Zero Trust makes this approach possible through policy-based, granular allocation of access rights at the level of the individual application that is needed.
Developing an understanding of the danger
To secure production facilities and operational technology efficiently, IT security must converge with the OT environment. Zero Trust has already found its way into many companies for remote access in the course of hybrid work. The next step is to capture an unrestricted overview of the software present in a company's infrastructure. The CIO's area of responsibility must therefore expand beyond the limits of the IT environment. After all, gaps can only be identified and defensive measures taken once an inventory has been made of what is in use in the company and what may still be lying dormant, unnoticed, in the OT infrastructure.
Insight into OT systems has often been neglected, and attacks such as the Colonial Pipeline hack clearly demonstrate the potential for danger. Transferring knowledge and zero-trust-based solutions from IT to the OT world provides the necessary insight into all data streams and secures third-party access to critical infrastructure. An inventory restores an overview of possible security gaps, and with the help of threat intelligence, operators can monitor all data streams seamlessly.