With a focus on the future challenges of securing today and tomorrow’s infrastructure, EMEA-based Fortinet Field CISOs Joe Robertson and Alain Sanchez recently shared their thoughts on this important topic, commenting on the urgency around securing infrastructure and important strategies to help defend OT organizations.
JR (Joe Robertson): One of the key factors in defining infrastructure is that it's technology that everybody uses. For example, though you don't usually think of a street this way, it is technology. If you go back to the Roman era, the Roman roads were technology. They were “the internet” 2000 years ago. Roads are still technology that is used by society today. So, when we talk about infrastructure, whether it's roads or electricity or plumbing or public transportation, these are all critical infrastructures to our modern society.
When critical infrastructure is not functioning, for whatever reason, this creates blockages in society. We have to be aware that attackers are looking at ways to disrupt societies. These are considerations that governments are worried about, and justifiably so.
AS (Alain Sanchez): I see two factors accelerating people's realization of the importance and challenge of securing infrastructures. The first factor—which accelerated significantly over the last three years in the infrastructure domains—is the merger between OT and IT. In the eyes of everyone—governments’ and citizens’—and all of the ecosystem of vendors, production has become more integrated with IT systems. Not just manufacturing; even buildings are becoming intelligent.
Another example: we have sensors in bridges that are now connected. When you have torsion or retention or erosion of the materials that compose a bridge, these stresses are now measured and collected. Then the data goes into an expert system that assesses whether or not the bridge needs to be closed for enhancements and reconstruction.
JR: I would echo that. The digitization of infrastructure has grown by leaps and bounds over the last 15 years. Recently, I was speaking with a major operator of European motorways, and he said every bridge and every tunnel that they have—and they've got a lot of them—actually has a little mini data center in it that is managing not just the lights, but the signalization. They are managing the traffic flows and taking stress measurements. Imagine that duplicated across buildings, railways, bridges, and more!
AS: A second factor is that we have learned—and we are learning the hard way—that war is not a thing of the past. We have bad actors in many countries, and they're really targeting our critical infrastructures. They see it as a way to achieve many of the goals of a war.
AS: The first thing that happened when the Russians invaded Ukraine—on the very first day—was that they occupied nuclear power plants, including the site of Chernobyl. So, utilities are targets, and we’re back to the primary challenge: they were not built to resist cyberattacks. They were primarily built to serve a purpose—a utility.
JR: When it comes to infrastructure, there is a good parallel with what we're seeing in enterprises where there is a multiplication of edges. Each of those sensors is an edge and each of them is a potential attack vector for a hacker. If you shut down a tunnel, you can cause a tremendous amount of trouble—not just traffic jams but delays to shipping, for example. And when we talk about utilities like power and water, it becomes even more critical. As soon as you have any power failure in a city, things grind to a halt.
JR: As far as protecting what we have now, a lot of tools have been put in place to secure IT over the last 30 years—everything from firewalls and intrusion protection systems to EDR systems to other tools for your SOC. Now, infrastructure is under attack, too, but on the operations side, they don't have 30 years of experience protecting themselves. It’s a challenge to put in place tools that understand not only IT security, but also how attackers are trying to infiltrate the operations environment—regardless of whether it's utilities or roads or rail or airlines. It's important to understand what attackers are trying to do and put tools in place to block attacks on the physical infrastructure.
AS: I would suggest a three-step methodology to get control of the challenges of infrastructure sensors. The first one is to get visibility, because in a typical IT infrastructure you have the IT backbones and the servers and more, but you don't see what's behind the switches. You don't see the connectors, the pumps, the tanks—
JR: The PLCs. The programmable logic controllers?
AS: Exactly. They are behind the switches and the server. So, the first thing is to acquire this visibility and have a proper inventory. We have a cyberthreat assessment report with the methodology developed by Fortinet. It's really a kind of a bible to get to this first stage of visibility. It will do the asset inventory for OT. The principle is the same as in IT—you cannot protect what you can't see.
The second thing to do is segmentation. You need to create segments that make sense from a security perspective. This will help prevent lateral movement by an attacker. You stop people who have access to one lab from accessing all the labs, or who have gotten into one pump from having access to all pumps.
Step three is to secure access to all these things. For example, if you have a switch between two pieces of equipment, you must bring the traffic up to a firewall so that the switching is done within your policies. You have to encrypt OT traffic because too much of it is still not encrypted strongly enough; only a few years ago these assets used to be physically disconnected (air-gapped) from IT.
These three major building blocks of a methodology are needed to secure infrastructures. And in each of these steps Fortinet has the expertise and tools and track record to help do it right.
JR: Keep in mind that there are lots of different attack methods that can be used, and there are different steps along the way. And protecting any environment—whether it is IT or OT—involves not just the technology, but also psychology. It involves understanding what the attacker is doing and why he's doing it, and trying to block him. That's why there are so many different tools: they're looking for different tactics, different signatures, different indicators of compromise.
What’s important is that these different tools not act independently. They should be interacting with each other, because if you have separate tools that are managed differently and completely separately, that leaves “space” in between them that the attackers will try to get through. And that's why you want to put in place a mesh architecture of connections among the different devices, so that they're updating each other.
For example, if a sandbox finds an unknown risk, it doesn't just report it up to a sandbox manager, but it tells the firewall, and so on. This should be done without intervention of a human being. It should be done by the machines at machine speed because that's the speed that hackers are working at.
If there’s an attack on a utility—on a power generating station—you don't have hours and days to find that it's happening and break the connections. You need to stop that immediately before generators start to overheat or spin out of control. A cybersecurity mesh architecture that is functional in both IT and OT is the best solution.