Cloud Security for Critical Infrastructure Organizations and Essential Services

According to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Manufacturing Profile report, critical infrastructure consists of “essential services and related assets that underpin American society and form the backbone of the country’s economy, security and health”.

These services and assets fall under 16 sectors identified by the US Cybersecurity & Infrastructure Security Agency (CISA), which include healthcare, energy and transportation. A disruption involving critical infrastructure could jeopardize national security, economic security and public safety.

Critical infrastructure organizations can reap the same kinds of benefits from migrating to the cloud as those operating in other industries. For example, they can use the cloud to scale their computing resources as their needs change. They can also manage IT infrastructure costs more effectively by only paying for what they need.

That said, some benefits of migrating to the cloud are unique to critical infrastructure organizations. These benefits include applying remote diagnostics and other types of analysis to data sent from their operational technology (OT) systems to the cloud. This can help harden supply chains against emerging threats and perform preventive maintenance in a way that maximizes uptime. However, connecting OT systems to the cloud in this way also introduces new risks for owners of critical infrastructure systems.

Cybersecurity provider Fortinet identifies three risks as particularly relevant. First, the cloud is creating new attack vectors through which digital attackers can target organizations’ critical OT assets with ransomware and other IT security threats. Second, attackers can use a misconfigured cloud asset to move laterally within a targeted organization’s networks, exfiltrate data, or engage in other malicious activities. Finally, many OT assets and industrial control systems (ICS) are decades old and lack the ability to receive updates remotely. According to Fortinet, this makes such assets easier targets for network intrusion than their more resilient IT counterparts once an organization migrates to the cloud.

These three challenges increase the risk of critical infrastructure organizations being exposed to common cybersecurity threats identified by the US Department of Homeland Security. They also introduce complexity that creates an opportunity for more sophisticated offensives against OT and ICS systems.

In April 2022, CISA announced in a joint cybersecurity alert that advanced persistent threat actors had developed bespoke tools to gain full access to various types of ICS assets as well as supervisory control and data acquisition (SCADA) devices. With full access, attackers can then elevate their privileges, move laterally across the network, and disrupt assets in the OT environment.

Such attacks underscore the need for critical infrastructure organizations to adopt appropriate cloud protections. To do this, they must turn to the shared responsibility model. They can start by familiarizing themselves with the Microsoft Azure Shared Responsibility Model documentation to understand which parts of the cloud Microsoft secures. Simultaneously, they can ensure security in the cloud by adopting initiatives such as zero trust. They can implement multi-factor authentication, segment the network, enforce the principle of least privilege, adopt other complementary security best practices, and establish a secure baseline for Microsoft Azure using standard guidelines from the Center for Internet Security (CIS).

Security would be even easier if critical infrastructure organizations could deploy virtual machine images in the cloud that are already hardened to secure baselines. At CIS, we agree. Therefore, we have developed CIS hardened images for Azure and other cloud service providers.

These virtual machine images are unique in that they are pre-hardened according to CIS Benchmarks, which are vendor-neutral secure configuration guidelines developed by consensus by a global community of cybersecurity experts. NIST, the Federal Risk and Authorization Management Program (FedRAMP), and other frameworks recognize CIS Benchmarks and CIS Hardened Images as a secure configuration standard. To assist organizations and industries that require compliance with DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) standards, CIS also offers CIS Benchmarks and CIS Hardened Images that map to STIG standards.

CIS Hardened Images automate the deployment of CIS Benchmark recommendations. Critical infrastructure organizations that use them don’t have to worry about manually hardening their VM images. They can focus their time and resources elsewhere, knowing that they are defended against insufficient authorization, denial of service and other threats.
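Hardening a VM image to a secure baseline means each configuration directive on the image is compared against a recommended value, and a drift check of that kind is also how an organization can verify that an image it has built or received still matches its baseline. The following added example (not CIS code, and not a copy of any CIS Benchmark) shows that idea for one common target of such baselines, the SSH daemon configuration. The baseline values, the assumed OpenSSH defaults and the two sshd_config samples are all constructed for illustration and are assumptions of this example, not recommendations quoted from a CIS Benchmark or CIS Hardened Image.

```python
"""Baseline conformance check for an sshd_config, in the style of a
CIS Benchmark-type secure configuration check.

Added example: the BASELINE table below is illustrative and assumed,
not quoted from any CIS Benchmark or CIS Hardened Image."""

import re
from dataclasses import dataclass

# Illustrative baseline (assumption): directive -> (expected, comparison)
#   "eq"  : value must equal expected (case-insensitive)
#   "max" : numeric value must be <= expected
#   "in"  : value must be one of the listed choices
BASELINE = {
    "PermitRootLogin":        ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "PermitEmptyPasswords":   ("no", "eq"),
    "X11Forwarding":          ("no", "eq"),
    "MaxAuthTries":           (4, "max"),
    "LogLevel":               (("INFO", "VERBOSE"), "in"),
}

# Values sshd applies when a directive is absent (assumed to match the
# OpenSSH defaults; an absent directive must be judged by its default,
# not skipped, or the check silently passes a stock image).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}


@dataclass
class Finding:
    directive: str
    actual: str
    expected: str
    compliant: bool


def parse_sshd_config(text):
    """Return the globally effective directives of an sshd_config.

    Mirrors two sshd parsing rules: keywords are case-insensitive and
    the FIRST value seen for a keyword wins; everything after the first
    'Match' line is conditional, so it is excluded from the global view."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def _compliant(rule, actual):
    expected, mode = rule
    if mode == "eq":
        return actual.lower() == expected
    if mode == "max":
        return actual.isdigit() and int(actual) <= expected
    if mode == "in":
        return actual.upper() in expected
    raise ValueError(f"unknown comparison mode {mode!r}")


def check_baseline(text):
    """Evaluate every baseline directive against the effective config."""
    effective = parse_sshd_config(text)
    findings = []
    for directive, rule in BASELINE.items():
        actual = effective.get(directive.lower(), DEFAULTS[directive])
        expected, mode = rule
        shown = (f"<= {expected}" if mode == "max"
                 else " or ".join(expected) if mode == "in" else expected)
        findings.append(Finding(directive, actual, shown, _compliant(rule, actual)))
    return findings


def failures(text):
    """Names of baseline directives the config does not satisfy."""
    return [f.directive for f in check_baseline(text) if not f.compliant]


# Constructed sample: an unhardened image (LogLevel and
# PermitEmptyPasswords are absent and fall back to their defaults).
WEAK_CONFIG = """\
# constructed example, not a real image's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
"""

# Constructed sample: a hardened image. The Match block at the end is
# conditional and must not be mistaken for the global setting.
HARDENED_CONFIG = """\
# constructed example, not a real image's configuration
Port 22
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak image", WEAK_CONFIG), ("hardened image", HARDENED_CONFIG)):
        print(f"== {name}: {len(failures(cfg))} finding(s)")
        for f in check_baseline(cfg):
            status = "PASS" if f.compliant else "FAIL"
            print(f"  {status} {f.directive}: got {f.actual!r}, want {f.expected}")
```

Two details carry most of the value: an absent directive is scored by the daemon's default rather than ignored, and a value set inside a `Match` block is not treated as the global setting. Both are common ways a home-grown hardening check reports a clean result on an image that is not actually hardened.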

According to the Global State of Industrial Cybersecurity 2021 survey by industrial cybersecurity firm Claroty, four out of five critical infrastructure organizations experienced a ransomware attack in 2021. Nearly half of the victims reported that the attack had affected their ICS systems.

To protect against ransomware attacks and other cyberattacks in the future, critical infrastructure organizations need to make significant security improvements. This includes using best practices such as CIS Controls, CIS Benchmarks, and CIS Hardened Images as part of their efforts to secure their cloud environments and reduce their attack surface.

Mia LaVada is the product owner of CIS Benchmarks and Cloud.

This article originally appeared in the Summer 2022 issue of Technology Record. To receive future issues straight to your inbox, sign up for a free subscription.


Michelle J. Kelley