The new premise for cyber defense strategy is that the organization is already compromised. That’s because in all likelihood, it is.
Billions of devices are being connected to the Internet, a trend that will accelerate over the next few years as the IIoT (Industrial Internet of Things) unfolds. But many organizations don’t have a complete and accurate record of what’s on their network now.
Moreover, patches are either out of date or not even possible for devices managed by industrial control systems (ICSs), where multiple operating systems and versions might be at play. But ICS security systems need to be integrated with IT security if cybersecurity objectives are to be met. In a previous post we underscored the importance and urgency for OT/IT convergence.
Vulnerable “Users” Include Machines
As more of the data from all those connected devices traverses hybrid computing environments, the attack surface expands dramatically. Yet organizations continue to overinvest in yesterday’s technologies.
Ingrained cybersecurity strategies remain built around stateful firewalls, intrusion prevention systems, web gateways, endpoint protection software and mobile device management, which were architected for a different age. They have proven to be no match for the current threat environment.
Highly virtualized distributed computing architectures, cloud-based applications and increasingly mobile users have opened new attack surfaces and vectors for cybercriminals and malicious insiders by erasing the traditional network perimeter. These bad actors exploit vulnerabilities with more sophisticated and innovative attacks that target privileged users who have access to valuable data assets.
An organization’s greatest vulnerability is its users. But in the IIoT world, a “user” may be a machine. Cyberattackers seek to collect as much information as possible – and of greater value – by gaining escalated credentials that provide broader access to even more users and data. In machine-to-machine communications, that data could result in damage to, or control over, critical infrastructure and loss of life.
While human users may fall victim to social engineering attacks such as phishing, machine users can also be targeted by known vulnerabilities published on the web. But network-connected IIoT devices have a unique threat posture and behavior that differs from other connected devices. One way to protect all users is to adopt a zero trust strategy with strong identity verification.
Zero Trust and Identity Verification
The cloud is becoming an ever-greater factor in the amount of data organizations gather, store, analyze and use. In this world, the network has no perimeters. And so perimeter security is dead. The focus shifts to people and devices that are connected to the network.
The increasing complexity of networks – and of the systems that are meant to protect them – leads to a greater number of problems. More data spread across multiple locations, some with critical dependencies on the network, coupled with new application development methods and the way that databases replicate, results in a very complex system that is more vulnerable to attacks.
In this environment, zero trust is critical. Zero trust starts with the premise that no user or endpoint within the network is secure. As such, each user or endpoint accessing network resources must authenticate and be verified at every point.
A zero trust model prioritizes risks across the organization. These risks include business interruption, intellectual property loss, private data theft, regulatory noncompliance, physical plant and personal injury, and reputational damage. It then prioritizes the data associated with these risks.
For users, the focus is on identity. Enabling multifactor authentication, retiring outdated authentication methods, gaining insight into why identities are blocked, and monitoring user access and activity are basic security governance best practices. Also, giving users access to only those applications and data sets that they need to do their job is one component of a microsegmentation strategy.
We wrote about microsegmentation and Host Identity Protocol in our last post.
Microsegmentation is a strategy that provides more granular security in order to minimize an attacker’s ability to compromise an entire network and wreak havoc with critical infrastructure. It prevents lateral movement between hosts by creating secure zones down to the individual workload.
Host Identity Protocol is one approach to implementing a microsegmentation strategy. It too is focused on identity, specifically cloaking the identity of the host while it maintains a connection to the network. Machines can only communicate with other machines once they are mutually authenticated.
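The three ideas above (verify every endpoint at every access, default-deny segment policy down to the workload, and HIP-style mutual authentication by host identity rather than address) can be put together in one small policy check. The following is an added illustration, not code from the original post or from any HIP implementation: the host identity tag is a hash of a per-host credential and authentication is an HMAC challenge/response, a deliberate simplification standing in for HIP's public-key host identities; the zones, ports and hosts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed trust anchor: host identity tag (HIT) -> credential. In HIP the HIT
# is a hash of the host's public key; here a per-host secret stands in for the key.
REGISTRY = {}

class Host:
    def __init__(self, name, zone, secret):
        self.name, self.zone, self.secret = name, zone, secret
        # Identity is derived from the credential, not from the IP address
        self.hit = hashlib.sha256(secret).hexdigest()[:32]

    def prove(self, nonce):
        # Answer a challenge: proves possession of the credential behind the HIT
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

def enroll(host):
    REGISTRY[host.hit] = host.secret

def verify(claimed_hit, nonce, proof):
    secret = REGISTRY.get(claimed_hit)
    if secret is None:
        return False  # unknown identity: nothing on the network is trusted by default
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)

# Constructed segment policy: default deny. Each entry is one permitted flow
# (source zone, destination zone, port); every other flow is lateral movement.
POLICY = {
    ("plc", "historian", 502),       # Modbus/TCP from the PLC zone to the historian
    ("historian", "analytics", 5432),
}

def authorize(src, dst, port):
    """Zero trust check for one connection attempt: both endpoints authenticate
    each other with fresh nonces, then the flow must match the segment policy."""
    n_from_dst, n_from_src = os.urandom(16), os.urandom(16)
    if not verify(src.hit, n_from_dst, src.prove(n_from_dst)):
        return False, "source failed authentication"
    if not verify(dst.hit, n_from_src, dst.prove(n_from_src)):
        return False, "destination failed authentication"
    if (src.zone, dst.zone, port) not in POLICY:
        return False, "flow not permitted by segment policy"
    return True, "allowed"
```

An unenrolled host, a host presenting another host's identity with the wrong credential, and an authenticated host reaching outside its permitted flows are all refused; only the listed flows between mutually verified hosts succeed.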
Cybersecurity strategy for both OT and IT teams needs to evolve. Adopting the standpoint that you’ve been breached shifts your priority to restricting the movement of the intruder once they are in your environment.
The objective then is to limit their capabilities – and the damage they can do. OT/IT convergence would facilitate this objective. It would also ensure that users – human or machine – have access to only those assets for which they are legitimately authenticated.
This article first appeared on LinkedIn.