Protecting Critical Infrastructure with the Rigor of Classified Networks
About This Session
State actors have long targeted classified government systems used to store secrets and sensitive intelligence. Over the past few years, they have expanded their targets to include critical infrastructure systems of utilities and oil & gas networks.
Given the importance of this critical infrastructure and the extent to which it is under threat, its cybersecurity is imperative, and it has traditionally been protected by an air gap. That solution is complicated by the need to keep an “always on” stack of legacy technologies running in the OT network, and by the business's need for a clear picture of OT telemetry data to inform operations and business outcomes on the IT network. These competing objectives have led to a variety of ad hoc solutions for protecting OT networks and the IT networks that interface with them.
The past 5 years have taught us that such security measures are not enough. The 2021 ransomware attack on Colonial Pipeline's IT network, the Volt Typhoon actors “living off the land” in critical infrastructure, and the Salt Typhoon actors compromising US telecoms show that a different approach is needed. Fortunately, the structure of IT, critical IT, and OT systems strongly mirrors that of sensitive US Government networks, which can provide a framework for securing critical infrastructure.
A key principle of architecture for sensitive networks is protecting the junctures between systems of different risk levels, using software to bridge small differences in risk and hardware to bridge high-risk or high-consequence gaps. While software-enforced controls are not new to the industry, hardware-enforced security (Hardsec) is a government innovation that has not been widely adopted in critical infrastructure. A Hardsec device converts all data flowing through it into a known-good format and uses a hardware verifier, running on a separate management plane, to confirm that the content is safe before it is passed on.
Implementing Hardsec at the juncture points between IT and OT systems can enable critical infrastructure industries to better manage risk across this network gap and provide higher levels of assurance that a compromise of the IT network will not spread into the OT network – a far better alternative to makeshift and often unvetted solutions to bridge protected enclaves and the broader network.
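As an added illustration of the transform-then-verify pattern described above (not Everfox's product, nor code from this session), here is a software version of the two stages for an OT-to-IT telemetry feed; the JSON tag grammar, the unit allow list and the sample messages are constructed assumptions:

```python
import json
import re

# Constructed sample messages as they might leave the OT network (not real device output).
RAW_MESSAGES = [
    '{"tag": "PUMP01.FLOW", "value": 42.5, "unit": "m3/h", "ts": 1700000000}',
    '{"tag": "PUMP01.FLOW", "value": "42.5; DROP TABLE", "unit": "m3/h", "ts": 1700000000}',
    '{"tag": "PUMP01.FLOW", "value": 42.5, "unit": "m3/h", "ts": 1700000000, "cmd": "reboot"}',
    'not json at all',
]
TAG_RE = re.compile(r"^[A-Z0-9]{1,16}\.[A-Z0-9_]{1,16}$")  # assumed tag grammar
UNITS = {"m3/h", "bar", "degC", "rpm"}                       # assumed unit allow list

def transform(raw):
    """Stage 1, the 'convert to a known-good format' step: parse the untrusted input
    and rebuild a fresh record from typed fields only. No bytes of the original are
    copied through, so unexpected keys such as a command field are never read."""
    try:
        obj = json.loads(raw)
        tag, value, unit, ts = obj["tag"], obj["value"], obj["unit"], obj["ts"]
    except (ValueError, KeyError, TypeError):
        return None
    if not (isinstance(tag, str) and isinstance(unit, str) and isinstance(ts, int)
            and isinstance(value, (int, float)) and not isinstance(value, bool)):
        return None
    return {"tag": tag, "value": float(value), "unit": unit, "ts": ts}

def verify(record):
    """Stage 2, the independent verifier: check the rebuilt record against the known-good
    format without trusting the transformer (in Hardsec this runs on separate hardware).
    Exactly four keys, tag matching the grammar, unit on the allow list, sane timestamp."""
    if not isinstance(record, dict) or set(record) != {"tag", "value", "unit", "ts"}:
        return False
    return (bool(TAG_RE.match(record["tag"])) and record["unit"] in UNITS
            and isinstance(record["value"], float)
            and isinstance(record["ts"], int) and 0 < record["ts"] < 4_000_000_000)

def guard(raw):
    """Only a record that passes both stages crosses to the IT side; everything else is dropped."""
    rec = transform(raw)
    return json.dumps(rec, sort_keys=True) if verify(rec) else None

def run_samples():
    return [guard(m) for m in RAW_MESSAGES]
```

The third sample shows the point of rebuilding rather than filtering: the stray `cmd` field is never copied, and the verifier would reject it independently if it ever reached the rebuilt record.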
Security that comes from these cross-domain security measures can compound across a larger industry sector. As these centralized points of visibility mature within organizations, they can also unite at an industry level via information sharing and analysis centers or ad hoc collaborative networks to understand best practices to minimize risks at these critical network junctures.
Audience Learnings:
- The increased nation-state threat to critical infrastructure networks.
- The complexity of securing OT networks composed of legacy systems intended to be kept on a segregated network.
- Ways to implement techniques used by government to secure critical infrastructure networks.
Speaker

Adam Maruyama
Field CTO, Digital Transformation & AI - Everfox
Adam Maruyama is the Field CTO for Digital Transformation and AI at Everfox. He advises strategy around countering emerging threats like adversarial AI and advises customers on using trusted, high-assurance solutions to securely adopt the latest technologies, including AI, into their environment. Before his time in the private sector, Adam served over 15 years as a US intelligence officer supporting cyber and counterterrorism operations and co-led drafting the 2018 National Strategy for Counterterrorism. Adam has also served commercial and government customers at McKinsey & Company and Palo Alto Networks. Adam has been published extensively in AI, cybersecurity, and policy publications.