Top Four Considerations for Zero Trust in Critical Infrastructure
madhav

TL;DR

  • Increased efficiency = increased risk. Critical infrastructure organizations are using nearly 100 SaaS apps on average and 60% of their most sensitive data is stored in the cloud.
  • Threat actors aren’t naive to this, which is why a whopping 93% of critical infrastructure organizations are seeing more attacks, mostly caused by human error, known vulnerabilities, and (shocker) privileged accounts not having MFA.
  • Regulators have clapped back by tightening compliance mandates across the globe, enforcing zero-trust, 100% MFA adoption, and incident reporting.
  • The answer? A context-rich approach to authentication and access management, bringing zero-trust without the compromise to your user experience. How? For that, you’ll have to take a scroll.


How did we get here? Digital transformation and the impact it had on critical infrastructure

With hardly any industry excluded, the en-masse digital transformation observed over the past decade has completely redefined how we think about security, especially in critical infrastructure. While digital migration has made many things easier, it doesn’t come without a cost. Businesses within the critical infrastructure category face arguably the most risk, with so much at stake. Here, the tolerance for any security mishap whatsoever is minimal, if it exists at all. That is why so many organizations have adopted a zero-trust security strategy to protect their bottom line.

While there are so many aspects to think about when developing a zero-trust security strategy for your critical infrastructure organization, in this blog, we’ll be highlighting the 4 key areas you and your team should consider.

But first, what constitutes critical infrastructure?

What is critical infrastructure? The set of systems so vital to a nation’s functioning that they form its minimum viable requirements: security, energy, water, transportation, and communications systems. Arguably, banks, healthcare, and other make-or-break organizations could be included in this category as well.

As you can imagine, if a security event happens to these types of organizations that we depend on for our safety and basic human needs, the impact is catastrophic—leading to a series of consequences to the business and society as a whole.

As a result, many security organizations within this category have opted for a zero-trust philosophy that defines all downstream security policies and practices.

The next generation of critical infrastructure relies on digital transformation

While there are new risks introduced in going digital, there are huge benefits that offer these organizations more efficiency, productivity, and a competitive edge:

  • Digital interface = improved digital customer experience
  • Digitalization of operations = better reliability
  • AI and Big Data analytics = more informed decision making
  • Aggregated data = opportunity for automation
  • IoT and smart devices = ease of communication
  • Drones, sensors, and cameras = more information gathering

As a result, organizations see an increase in the software-as-a-service (SaaS) applications necessary for fulfilling core business functions. That means more sensitive data is being moved and accessed in the cloud, leaving you exposed to cloud-based threats, which ultimately drives up costs.

What’s really causing these breaches?

According to our own research, 34% of these attacks were due to human error. Not paying close enough attention to an unusual-looking email you got, accidentally visiting a malicious web domain, buying that $100 iTunes gift card your CEO asked for…it’s increasingly easy to do.

31% of these attacks were due to known vulnerabilities. Don’t believe me?

A good real-world example of known vulnerabilities being exploited is a 2021 attack led by the hacker group known as HAFNIUM. In this attack, threat actors impersonated admins by exploiting a server-side request forgery (SSRF) flaw to bypass authentication. Once initial access was obtained, the attackers read and exfiltrated sensitive emails from various inboxes—including those of defense, legal, healthcare, and financial institutions.

The organization was first alerted to this potential vulnerability by security researchers in late 2020. By the time it addressed the incident in March 2021, the threat actors had already had access for at least two months before patches were released to resolve the issue.

And lastly, the third most common cause of these attacks, making up 20%, was a lack of MFA for privileged users. In this day and age, wide adoption of MFA should be non-negotiable, but because of the extra layer of friction it adds, we still see privileged accounts without it all the time.

Regulators are cracking down

As a result of these increased attacks on critical infrastructure organizations, new laws and regulations have been introduced around the globe to provide guidance and avoid security malpractice.

  • The Executive Order to Improve the Nation’s Cybersecurity signed in 2021 helps to move critical infrastructure organizations to secure cloud services and a zero-trust architecture and mandates deployment of multi-factor authentication and encryption.
  • The European Union’s NIS 2 requires operators of critical infrastructure and essential services in the EU to implement appropriate security measures and report any incident to the relevant authorities.
  • Existing privacy, sovereignty, and data protection regulations, federal and global standards, and operational best practices create a comprehensive set of rules that make compliance complex and challenging.

4 Key Considerations for Adopting Zero Trust in Critical Infrastructure

Due to the increased regulatory scrutiny being placed on organizations within critical infrastructure, they have little choice but to go zero-trust, but also little guidance on how to move forward. While there’s a lot to consider, here’s where we recommend starting:

1. Where is your data and where are your apps?

Since we talked about digital transformation, and most of us are relying on at least 90 SaaS apps, it’s safe to say that much of our data and applications are living in the cloud. In addition to SaaS, most critical infrastructure organizations are using at least 2 identity-as-a-service (IaaS) cloud platforms as a form of security and authentication. These are all factors that are important to consider as you move forward in adjusting your security strategy.

2. Where is your user?

Now that you’ve considered where your data and apps are being accessed, the next step is understanding who is accessing these things and from where. Since the pandemic, remote and hybrid work has become the norm—making it possible for your employees to access their work materials from anywhere in the world, and even sometimes, from any device.

3. What role or function does your user have? What environment do they operate in?

Knowing the intricacies of your individual users is essential when deciding which security controls to implement. Is your user an application developer, corporate executive, healthcare worker, first responder? The roles you have across your business tell you the access each person needs to fulfill daily responsibilities, and give you an idea of the potential weaknesses that might be easily exploited.

4. What data and resources are they accessing?

Speaking of access to data, it’s also important to consider how your different users access the various forms of data. Whether the access comes from a productivity application like G Suite or M365, a database server, or even a factory floor terminal, these details are all essential for building access policies appropriate to each context.

How to apply these considerations to authentication management

By now you’ve probably realized that there are tons of different variables to think about and a potentially infinite number of unique situations to consider when securing all these different authentication journeys.

And you’re right.

This is why it has become exceedingly difficult for security teams, who find themselves either:

A) Falling into the trap of applying a handful of blanket access policies which ultimately cause high end-user friction, leading to tool abandonment or risky workarounds

OR

B) Not considering all these nuances and unfortunately paying the price when these vulnerabilities are ultimately discovered by threat actors

With how complex this issue has become, it might seem like there’s no right answer, which is what we thought, too.
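As an added example that is not part of the original post or of any Thales product, the policy function below turns the four considerations above into a per-request assurance level instead of one blanket rule. The networks, role list, sensitivity scale and risk thresholds are constructed assumptions.

```python
"""Context-rich step-up authentication policy (added example, not Thales code).
Maps where the app lives, where the user is, the user's role and what they
access to a required assurance level. All values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate and factory-floor ranges (assumption, not real data).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
# Constructed baseline risk per role; unknown roles default to 1.
ROLE_BASE_RISK = {"healthcare_worker": 0, "first_responder": 0,
                  "developer": 1, "executive": 1}


@dataclass(frozen=True)
class AccessRequest:
    role: str                  # consideration 3: who the user is
    source_ip: str             # consideration 2: where the user is
    managed_device: bool       # corporate-managed vs. personal device
    app_location: str          # consideration 1: "saas", "iaas" or "on_prem"
    resource_sensitivity: int  # consideration 4: 0 (public) .. 3 (restricted)
    privileged: bool           # admin or other privileged account


def on_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def required_assurance(req: AccessRequest) -> str:
    """Return 'deny', 'mfa_phishing_resistant', 'mfa' or 'passwordless_sso'."""
    # Privileged accounts always get the strongest factor: the post names
    # missing MFA on privileged users as the third most common breach cause.
    if req.privileged:
        return "mfa_phishing_resistant"
    # Restricted data from a personal device is not a step-up case; refuse it.
    if req.resource_sensitivity == 3 and not req.managed_device:
        return "deny"
    risk = ROLE_BASE_RISK.get(req.role, 1) + req.resource_sensitivity
    if not on_trusted_network(req.source_ip):
        risk += 1  # off-network access
    if not req.managed_device:
        risk += 1  # unmanaged endpoint
    if req.app_location in ("saas", "iaas"):
        risk += 1  # data held outside the perimeter
    if risk >= 4:
        return "mfa_phishing_resistant"
    if risk >= 2:
        return "mfa"
    return "passwordless_sso"  # low friction where context is already strong
```

The same user gets a different prompt depending on network, device and data, which is the alternative to the blanket policies described above.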

Taking a context-rich approach to improve security without compromising user experience

Thales has taken these two conundrums and created a solution that offers the best of both worlds: a broad range of modern authentication methods that leverage deep contextual insights to apply the right amount of friction for the right users at the right time.

Not only can you go this route, but you can even go completely passwordless while maintaining the level of security your organization is obligated and committed to upholding. To understand how, download the product brief.

But don’t just take my word for it. You can also see it for yourself by requesting your no-cost 30-day free trial.

Gabby Ortiz | Product Marketing Manager
Published 2025-04-15

*** This is a Security Bloggers Network syndicated blog from Thales CPL Blog Feed authored by madhav. Read the original post at: https://cpl.thalesgroup.com/blog/access-management/zero-trust-critical-infrastructure-security