November marks National Critical Infrastructure Security and Resilience Month and is a timely reminder to keep this conversation at the forefront. Global critical infrastructure speaks to a common theme: sectors that are vital to security, economic security, public health, or safety. The pandemic has reshaped the landscape of critical infrastructure with a new generation of organizations now deemed as ‘critical.’ Most would consider hospital emergency rooms as traditional critical infrastructure, but what about medical research labs? Now that the world anxiously awaits a vaccine to end this pandemic, it’s clear these services are now even more critical than ever to our collective health, society, and economy. Adversaries know this too and continue to target the supply chains and assets of these critical systems, taking advantage of our heightened technology dependence.
Embedding trust and resilience into critical infrastructure continues to be a moving target. We used to focus purely within enterprises and businesses, but today the interconnectivity of cloud and third-party delivered services has completely upended how we assess risk. Regardless of the challenges – new or old – the focus must be on the trustworthiness and integrity of the technology and processes, ensuring we embed trust and resilience into the core of critical infrastructure.
Technology is no longer an extension of critical infrastructure, but rather at the core of it. The network sits between critical data, assets, and systems, and the users and services that leverage or operate them. It is uniquely positioned to add essential visibility and controls for resiliency, but it is also a well-placed and high-value target for attackers. Resiliency of the network infrastructure itself is crucial.
Resilience is only achieved by building in steps to verify integrity with technical features embedded in hardware and software. Secure boot ensures a network device boots using only software that is trusted by the Original Equipment Manufacturer. Image signing allows a user to add a digital fingerprint to an image to verify that the software running on the network has not been modified. Runtime defenses protect against the injection of malicious code into running network software, making it very difficult for attackers to exploit known vulnerabilities in software and hardware configurations. Equally important, vendors must use a Secure Development Lifecycle to enhance security, reduce vulnerabilities, and promote consistent security policy across solutions.
All of this might sound like geek mumbo-jumbo, but these are non-negotiables in today’s world. Whether it is a critical robot on a manufacturing line, a connected valve at a water treatment plant, or the network infrastructure that keeps them all connected and running – without verification check points along the way, you have no idea if your underlying technology is authentic, unmodified, and ultimately up to your standards.
Suppliers are being targeted as a route into our critical systems. The premise behind Zero Trust applies here too and dictates that we must verify the security of all who connect to those critical systems. That includes the complex web of vendors that make the technology we ultimately sell or consume. How does the vendor secure their own network, and the data of many? As we dive deeper into it, we can see that the security of our suppliers and their own supply chain becomes increasingly complicated, especially when intellectual property (IP) is involved and implemented across a massive network of global suppliers of hardware, software, and cloud-based services. Geopolitical, cyber, and continuity risks can translate into the misuse, tampering, and even counterfeiting of IP and solutions.
We must take a layered approach, using a combination of security technology (e.g. technical innovation to enhance counterfeit detection or to identify non-authorized components or users), physical security (e.g. camera monitoring, security checkpoints), logical security (e.g. multi-factor authentication for workers), and information security (e.g. network segmentation). These security and privacy foundational requirements must be applied to the end-to-end lifecycle of solutions in the supply chain, from design to decommission, across collaborative partnerships. This goes beyond geography-based security and privacy; it must be steeped in the supply chain process and in the technology itself. Everyone has a stake in the game, and all suppliers must be held accountable and to the same high standard.
The increase of remote working, and therefore remote access, has heightened the importance of monitoring regular versus abnormal activity across both the traditional enterprise and the vastly distributed cloud services. Migration to digital capabilities requires critical infrastructure providers to keep pace with the latest threat monitoring and detection technologies. It requires machine speed capabilities of visibility and control. It takes an integrated, holistic architecture of solutions that work together, communicate, and automate actions, making incident response faster and less complex and relying less on human actions. To achieve this, we must look end-to-end across our systems, avoiding piecemeal projects and solutions, to ensure consistent security capabilities that are scalable, agile, and fast.
Security capabilities are ever-evolving. Machine learning algorithms can help detect anomalies from normal network and user behavior. That data can then be used for informing control-based policies to mitigate attacks. Application, network, and endpoint security must work together, and as we look to deploying solutions, we need to look at the integration and consistency of those capabilities.
Traditional or new, critical infrastructure is made up of complex networks and systems that sustain our global society and economy; a disruption to one can cause a ripple effect of consequences beyond borders. Whether during a global pandemic, natural disaster, or social unrest, or even when it operates like clockwork, trust and resilience must be built in at every step.
To learn more about how Cisco embeds trust into everything we do, visit our Trust Center.