According to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Manufacturing Profile report, critical infrastructure consists of “essential services and related assets that underpin American society and serve as the backbone of the nation's economy, security, and health”.
These services and assets fall under 16 sectors identified by the US Cybersecurity & Infrastructure Security Agency (CISA), which include healthcare, energy, and transportation. A disruption involving any critical infrastructure could undermine national security, economic security, and public safety.
Critical infrastructure organisations can reap the same types of benefits from migrating to the cloud as those operating in other sectors. For instance, they can use the cloud to flex their IT resources based on their changing needs. They can also manage IT infrastructure costs more effectively by paying only for what they need.
That said, some benefits of cloud migration are unique to critical infrastructure organisations. These advantages include applying remote diagnostics and other types of analysis to the data sent from their operational technology (OT) systems to the cloud. This can help strengthen supply chains against emerging threats and perform preventative maintenance in a way that maximises uptime. However, it can introduce risks for owners of critical infrastructure systems in the process.
Cybersecurity provider Fortinet identifies three risks as particularly relevant. First, the cloud creates new attack vectors by which digital attackers can target critical organisations' OT assets with ransomware and other IT security threats. Second, threat actors can use a misconfigured cloud-based asset to move laterally within a targeted organisation's networks, exfiltrate data, or engage in other malicious activity. Finally, many OT assets and industrial control systems (ICS) are decades old and lack the ability to receive updates remotely. According to Fortinet, these resources make it easier for attackers to perform a network intrusion than their more resilient IT counterparts when migrated to the cloud.
These three challenges increase critical infrastructure organisations' risk of exposure to the common cybersecurity threats identified by the US Department of Homeland Security. They also introduce complexity that creates an opportunity for more sophisticated offensives against OT and ICS systems.
In April 2022, CISA announced in a joint Cybersecurity Advisory alert that advanced persistent threat actors had developed custom-made tools to gain full access to various types of ICS assets as well as supervisory control and data acquisition devices. With full access, attackers can then elevate their privileges, move laterally across the network, and disrupt assets in the OT environment.
Attacks such as this highlight the need for critical infrastructure organisations to adopt appropriate safeguards for the cloud. To do this, they need to look to the shared responsibility model. They can begin by familiarising themselves with Microsoft Azure's shared responsibility model documentation to understand what parts of the cloud Microsoft is securing. Simultaneously, they can ensure security in the cloud by adopting initiatives such as zero trust. They can implement multi-factor authentication, segment the network, enforce the principle of least privilege, enact other complementary security best practices, and establish a secure baseline configuration for Microsoft Azure using standard guidelines from the Center for Internet Security (CIS).
Security would be even easier if critical infrastructure organisations could deploy virtual machine images to the cloud that are already hardened to secure baselines. At the CIS, we agree. Therefore, we developed CIS Hardened Images for Azure and other cloud service providers.
These virtual machine images are unique in that they are pre-hardened to the CIS Benchmarks, which are vendor-agnostic secure configuration guidelines developed through consensus by a global community of cybersecurity experts. The NIST, Federal Risk and Authorization Management Program, and other frameworks recognise the CIS Benchmarks and CIS Hardened Images as a secure configuration standard. To help organisations and industries that require compliance to Defence Information Systems Agency Security Technical Implementation Guide (DISA STIG) standards, CIS also offers select CIS Benchmarks and CIS Hardened Images that map to the STIG standards.
CIS Hardened Images automate the deployment of the recommendations of the CIS Benchmarks. Critical infrastructure organisations that use them don't need to worry about manually hardening their virtual machine images. They can commit their time and resources elsewhere knowing that they are defended against insufficient authorisation, denial of service, and other threats.
According to the Global State Industrial Cybersecurity Survey 2021 from industrial cybersecurity company Claroty, four in five critical infrastructure organisations suffered a ransomware attack over the course of 2021. Nearly half of victims reported that the attack had affected their ICS systems.
To protect themselves against ransomware attacks and other cyberattacks going forward, critical infrastructure organisations need to make meaningful security improvements. This includes using best practices like the CIS Controls, CIS Benchmarks, and CIS Hardened Images as part of their efforts to secure their cloud environments and reduce their attack surface.
Mia LaVada is product owner of CIS Benchmarks and Cloud
This article was originally published in the Summer 2022 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription.