Table of Contents
• Introduction
• Keeping Pace with the Evolving Threat Landscape
• What is Critical Infrastructure?
• IT/OT Network Convergence Creates a Pathway for Threat Actors
• Standards-Based OT Introduces Supply Chain Vulnerabilities
• Digital Transformation Expands the Attack Surface
• Zero Trust Architectures Protect Against Modern Cyber Threats
• Privileged Access Management is Fundamental to Cybersecurity
• Critical Infrastructure Cybersecurity Regulations
• Conclusion
Strengthening Critical Infrastructure Security
Introduction
Cybercriminals and rogue nation states are increasingly setting their sights on critical infrastructure.
The results can be damaging, far-reaching and long-lasting. In May 2021, DarkSide, a Russian cyber
criminal syndicate, carried out a ransomware attack against a large oil pipeline operator that disrupted
fuel supplies and triggered panic buying and widespread gasoline shortages across the southeastern
United States.
The same month, Conti, another Russian ransomware group, attacked Ireland's Health Service
Executive (HSE). The attack impacted patient care for months, forcing healthcare providers to cancel
appointments, postpone elective surgeries and delay treatments. A few weeks later, REvil, yet another
Russian ransomware group, attacked a large meat producer, forcing the company to shut down plants in the
U.S., Canada and Australia and affecting national food supplies and meat prices.
Clearly, cyber attacks can have catastrophic consequences. And yet while most critical infrastructure
operators have extensive physical security plans, many lack comprehensive cybersecurity strategies.
Governments and industry regulators around the world are taking notice, issuing guidelines to defend
critical infrastructure against devastating cyber attacks. Privileged access management plays a central
role in these guidelines. It helps prevent attackers from gaining access to critical resources and helps
contain threats.
This eBook describes how advances in critical infrastructure technology are opening the door for threat
actors and explains how privileged access management solutions can help critical infrastructure
owners and operators strengthen cybersecurity, reduce risk and comply with regulatory requirements.
Keeping Pace with the Evolving Threat Landscape
Attacks on critical infrastructure are nothing new. Bad actors have targeted industrial control systems and other essential infrastructure for years.
While none of these attacks resulted in loss of life, they all demonstrate just how vulnerable critical infrastructure is in today’s digital world. Threat
actors are continuously honing their skills, finding new ways to penetrate critical systems and disrupt essential services. Critical infrastructure owners
and operators must take proactive measures to improve cyber readiness and defend against increasingly sophisticated threats.
• 2013: Adversaries linked to the government of Iran gained access to the flood control system for a dam in New York State and could have literally opened the floodgates.
• 2015: In a harbinger of future events, Russian-backed cyber attackers knocked out power to over a quarter million people in Ukraine in the midst of a military incursion.
• 2017: Nation-state actors gained access to an industrial control system at a Saudi petrochemical plant and could have triggered an explosion or released toxic gases into the air had they chosen to.
• 2021: A bad actor compromised a U.S. water treatment facility and raised the sodium hydroxide setpoint for the water supply roughly 100-fold, potentially poisoning some 15,000 residents. On-site staff noticed the change and shut the attack down.
What is Critical Infrastructure?
Critical infrastructure refers to the assets, systems and networks that power the
basic services required to keep society functioning. They include systems that are
essential for public health and safety; for food, water and energy supplies; and for
fundamental transportation, communications and financial services. An attack on
critical infrastructure has the potential to threaten a nation’s security; impact the
economy; and cause injury, illness, death and destruction.
Advances in technology have expanded the threat landscape and opened up new
avenues for bad actors to penetrate industrial control systems and other critical
systems. The integration of information technology (IT) and operational technology
(OT), the adoption of Software as a Service (SaaS), Infrastructure as a Service (IaaS)
and Platform as a Service (PaaS) solutions, and the advent of the Internet of Things
(IoT) all create new opportunities for adversaries. Implementing consistent security
systems and processes across diverse and dispersed environments can be a real
challenge for critical infrastructure operators.
IT/OT Network Convergence Creates a Pathway for Threat Actors
[Figure: on the left, independent "air-gapped" networks, with an IT network (ERP, CRM, helpdesk, business apps, etc.) separate from an OT network (control systems, sensors, actuators, machines, etc.); on the right, a converged IT/OT network in which both sets of systems share a common IP network.]
Utilities and manufacturers are converging OT networks and IT networks to
reduce expenses, simplify operations and support industrial IoT (IIoT) initiatives.
Historically, utilities and manufacturers operated independent OT and IT
networks. Industrial control traffic flowed over a dedicated OT network using
industry-specific Supervisory Control and Data Acquisition (SCADA), energy
management system (EMS) and manufacturing execution system (MES)
protocols. Business application traffic flowed over a separate enterprise IP network,
which connected to the public internet. An external threat actor who breached
the enterprise network had no network path to the OT systems. The air gap was
never absolute, though: Stuxnet reached its isolated targets on removable media.
The convergence of IT and OT networks eliminates the "air gap" between the two
environments, providing a pathway for an external threat actor who compromises a
business system to reach industrial control systems and wreak havoc. Convergence
does not have to mean a flat network, but once OT is reachable over IP, the controls
that matter most are the ones governing who can reach it, from where, and with
which credentials.
Standards-Based OT Introduces Supply Chain Vulnerabilities
A shift toward standards-based operational technology also introduces new opportunities
for bad actors. Historically, industrial control systems were based on proprietary hardware
and special-purpose software. Today they increasingly run on commodity servers and
operating systems such as Linux and Windows and leverage commercial-off-the-shelf (COTS)
software. Every COTS vendor's build and update pipeline thereby becomes part of the
operator's own attack surface, exposing it to software supply chain attacks.
The infamous 2020 SolarWinds supply chain attack serves as a perfect example. Early
reports indicated that 15 electric, oil, gas and manufacturing entities were caught up in
the SolarWinds incident, but a 2021 North American Electric Reliability Corporation
(NERC) report put the share of affected utilities at about 25%.
Software supply chain attacks are particularly difficult to detect. The SolarWinds backdoor
shipped inside a legitimately signed vendor update, so ordinary signature and integrity
checks passed it, and threat actors can fly under the radar for weeks or months probing
for vulnerabilities and planning their next moves. The trojanized SolarWinds builds went
unnoticed for about nine months and were downloaded by as many as 18,000 customers
around the world, although the attackers pursued follow-on intrusions at only a fraction of them.
Digital Transformation Expands the Attack Surface
Critical infrastructure operators are adopting cloud-based services to accelerate the pace of innovation,
streamline operations and support IoT programs like Smart Grid, Smart City and Smart Transportation
systems. Cloud-based services and the Internet of Things expand the attack surface and provide new ways
for adversaries to penetrate systems and launch attacks.
Historically, critical infrastructure operators deployed OT and IT solutions on-site in control centers,
manufacturing floors, data centers, etc. Most deployed firewalls and other security solutions at the perimeter
of the enterprise network to protect OT and IT systems against malicious attacks originating from the
internet. Many used virtual private network (VPN) technology and multi-factor authentication (MFA) solutions
to provide secure access for the occasional remote user.
The cloud has fundamentally changed the way critical infrastructure operators build and deploy applications.
And to complicate things even further, COVID-19 has permanently changed the way many people work.
Traditional perimeter-based security models, conceived to control access to trusted enterprise networks,
aren’t well suited for the digital era. In today’s world, applications are often deployed in the cloud beyond the
secure confines of the trusted enterprise network border. IoT endpoints are often connected over the public
internet. Users (help desk staff, customer service reps, business professionals, etc.) often work from home,
bypassing the enterprise network altogether. And system administrators —employees, contractors and
outside vendors — routinely manage critical infrastructure remotely.
Zero Trust Architectures Protect Against Modern Cyber Threats
Many organizations are adopting Zero Trust security models for the digital era. Zero
Trust architectures such as the one described in NIST SP 800-207 are specifically designed
for today's hybrid IT environments and hybrid work models. In May 2021, following several
prominent critical infrastructure attacks, the Biden administration issued Executive Order
14028, which directs U.S. federal agencies to develop plans for adopting a Zero Trust
Architecture in line with NIST guidance and encourages private-sector organizations to
follow suit.
A Zero Trust approach treats every identity, human or machine, as untrusted by default:
each request is authenticated and authorized against policy regardless of the network or
location it comes from, and is granted only the least privilege that request needs.
Unlike a traditional perimeter-based security model, a Zero Trust architecture:
• Protects cloud-based IT and OT systems as well as on-premises IT and OT systems
• Defends against insider threats and attackers who have already breached the network, as well as external threats
• Applies the same controls to remote workers and mobile users as to users on the corporate network
A Zero Trust approach requires a comprehensive Identity Security solution, including
robust privileged access management functionality.
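The following Python is an added illustration for this section, not code from the eBook, from CyberArk or from NIST. It sketches the policy decision point that SP 800-207 describes and runs the same access requests through a perimeter-style decision and a Zero Trust decision. The request attributes, the resource sensitivity labels and the 15-minute re-authentication limit for control-system resources are assumptions chosen for the example.

```python
"""Policy decision point (PDP) in the style of NIST SP 800-207.

Added example for this section; it is not CyberArk product code or NIST
reference code. Request attributes, resource labels and the 15-minute
re-authentication limit are assumptions chosen to show how a Zero Trust
PDP differs from a perimeter model on the same requests.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    on_corporate_network: bool   # the only signal a perimeter model really uses
    identity_verified: bool      # authenticated against the IdP for this request
    mfa_passed: bool
    device_compliant: bool       # posture attestation from EDR/MDM (assumed feed)
    session_age_minutes: int


# Assumed resource sensitivity labels; "ot" marks control-system resources.
SENSITIVITY = {"helpdesk-portal": "low", "erp": "medium", "scada-hmi": "ot"}


def perimeter_decision(req: AccessRequest) -> str:
    """Legacy model: being on the trusted network implies trust; remote users
    get in through VPN + MFA and are then treated like everyone inside."""
    if req.on_corporate_network:
        return "allow"
    return "allow" if req.identity_verified and req.mfa_passed else "deny"


def zero_trust_decision(req: AccessRequest) -> str:
    """Per-request evaluation; network location is never consulted."""
    if not req.identity_verified:
        return "deny"
    level = SENSITIVITY.get(req.resource, "ot")   # unknown resource -> most sensitive
    if level == "low":
        return "allow"
    if not (req.mfa_passed and req.device_compliant):
        return "deny"
    if level == "ot" and req.session_age_minutes > 15:
        return "step-up"    # re-authenticate before touching control systems
    return "allow"


def compare(requests):
    """One (subject, resource, perimeter_decision, zero_trust_decision) per request."""
    return [(r.subject, r.resource, perimeter_decision(r), zero_trust_decision(r))
            for r in requests]


if __name__ == "__main__":
    sample = [
        # Compromised workstation on the plant LAN, no authentication at all
        AccessRequest("contractor-ws", "scada-hmi", True, False, False, False, 0),
        # Remote administrator: IdP login, MFA, managed device, fresh session
        AccessRequest("opsadmin", "scada-hmi", False, True, True, True, 5),
        # Same administrator, but the session is an hour old
        AccessRequest("opsadmin", "scada-hmi", False, True, True, True, 60),
    ]
    for row in compare(sample):
        print(row)
```

The first sample request is the case that matters for converged IT/OT networks: an unauthenticated host on the internal network is allowed by the perimeter model and denied by the Zero Trust model, while a remote administrator who satisfies identity, MFA and device-posture checks is allowed by both.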
Privileged Access Management is Fundamental to Cybersecurity
Privileged accounts like Linux root accounts, Windows administrator accounts, and cloud and application admin accounts are favorite targets for threat
actors. They provide unrestricted access to system commands, files and resources, and are used to configure system settings, install and remove software,
manage user accounts and perform other routine maintenance functions. Adversaries can exploit privileged accounts to orchestrate attacks, take down
critical infrastructure and disrupt essential services.
Privileged access management solutions help critical infrastructure operators strengthen security by improving visibility and control over privileged account
credentials, isolating privileged sessions and auditing privileged activities.
A typical privileged access management solution:
• Includes a digital vault to securely store passwords, secrets, SSH keys
and other credentials used by people, applications and machines
• Automatically updates and rotates credentials based on an
organization’s defined policy to mitigate risk in the event credentials
are compromised
• Isolates privileged sessions to contain threats and prevent malware
spread and audits sessions to provide evidence of compliance
• Supports multi-factor authentication to positively identify privileged
users, mitigate the risks of credential theft and prevent unauthorized
access to privileged accounts
• Uses threat analytics to intelligently identify anomalous
privileged activity
• Provides secure access to privileged accounts in air-gapped
environments or remote settings without connectivity, allowing
administration of critical infrastructure
• Consistently protects on-premises, cloud and hybrid environments
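To make the "threat analytics" and "audits sessions" items above concrete, here is an added Python example; it is not CyberArk's analytics engine and not code from the eBook. It learns a per-user baseline from historical privileged-session audit records and scores new records for anomalies (new source host, first-time target, unseen command, activity outside the maintenance window, direct root use). The one-command-per-line audit format, the sample records, the maintenance window and the score weights are all constructed assumptions.

```python
"""Anomaly scoring for privileged-session audit records.

Added example for this section; it is not CyberArk's analytics engine.
The one-command-per-line audit format, the sample records, the maintenance
window and the score weights are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) '
    r'account=(?P<account>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Assumed maintenance window (UTC hours) in which privileged work is expected.
MAINT_START, MAINT_END = 6, 20

# Constructed history used to learn what "normal" looks like per user.
BASELINE_LOG = [
    '2024-03-01T09:12:03Z user=jsmith src=jump01.ops.example target=scada-hmi-01 account=opsadmin cmd="systemctl restart historian"',
    '2024-03-01T14:40:11Z user=jsmith src=jump01.ops.example target=scada-hmi-02 account=opsadmin cmd="journalctl -u modbus-gateway"',
    '2024-03-02T10:05:44Z user=avendor src=vpn-gw.example target=plc-eng-ws account=vendor cmd="firmware-tool status"',
]

# Constructed new records to triage.
NEW_LOG = [
    '2024-03-04T10:30:00Z user=jsmith src=jump01.ops.example target=scada-hmi-01 account=opsadmin cmd="systemctl status historian"',
    '2024-03-04T02:13:55Z user=jsmith src=203.0.113.9 target=scada-hmi-01 account=root cmd="systemctl stop modbus-gateway"',
    '2024-03-04T03:02:10Z user=ghost src=203.0.113.9 target=plc-eng-ws account=root cmd="firmware-tool write"',
]


def parse(line):
    """Parse one audit line into a dict; the timestamp becomes an aware datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def verb(cmd):
    """First token of the command, e.g. 'systemctl'."""
    return cmd.split()[0] if cmd.strip() else ""


def build_baseline(lines):
    """Per-user sets of source hosts, targets and command verbs seen in history."""
    base = defaultdict(lambda: {"src": set(), "targets": set(), "verbs": set()})
    for rec in map(parse, lines):
        b = base[rec["user"]]
        b["src"].add(rec["src"])
        b["targets"].add(rec["target"])
        b["verbs"].add(verb(rec["cmd"]))
    return base


def score(rec, baseline):
    """Return (score 0..100, reasons) for one record against the baseline."""
    b = baseline.get(rec["user"])
    if b is None:
        return 100, ["user has no privileged-session history"]
    checks = [
        (40, "new source host", rec["src"] not in b["src"]),
        (25, "first access to this target", rec["target"] not in b["targets"]),
        (30, f"unseen command verb '{verb(rec['cmd'])}'", verb(rec["cmd"]) not in b["verbs"]),
        (20, "outside maintenance window", not MAINT_START <= rec["ts"].hour < MAINT_END),
        (15, "direct root account use", rec["account"] == "root"),
    ]
    hits = [(w, why) for w, why, fired in checks if fired]
    return min(sum(w for w, _ in hits), 100), [why for _, why in hits]


def triage(lines, baseline, threshold=50):
    """Records scoring at or above threshold, highest score first."""
    out = []
    for rec in map(parse, lines):
        s, why = score(rec, baseline)
        if s >= threshold:
            out.append((s, rec["user"], rec["target"], why))
    return sorted(out, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for s, user, target, why in triage(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{s:3d} {user}@{target}: {', '.join(why)}")
```

Run stand-alone, the script flags the unknown user working on the engineering workstation at 03:00 and the known operator who suddenly appears from an unfamiliar address as root at 02:00, while the routine daytime `systemctl status` from the usual jump host scores zero. A real deployment would feed the scores to the session-isolation layer so that a high score can terminate or step up a session rather than only raise an alert.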
Critical Infrastructure Cybersecurity Regulations
Government and industry regulators around the world have enacted
cybersecurity mandates and guidelines to protect critical infrastructure
against cyber attacks. Most of them impose access-control obligations that in
practice require controlling and monitoring privileged access; NERC CIP, for
example, has explicit access management requirements.
Examples by region:
• North America: NERC Critical Infrastructure Protection (CIP) standards
• Europe: EU Directive on Security of Network and Information Systems (NIS Directive); German Critical Infrastructure (KRITIS) regulation; French Military Programming Law
• Asia Pacific: Australian Security of Critical Infrastructure Act; Singapore Cybersecurity Act
To fulfil these requirements, critical infrastructure operators might need to:
• Implement foundational controls to safeguard privileged access
• Monitor privileged access activity and promptly notify authorities of a
security breach
• Demonstrate evidence of compliance to auditors on a regular basis
Conclusion
Cyber attacks against critical infrastructure are growing in frequency, scope and scale, threatening
public safety, security and well-being. Today’s threat actors are highly experienced, sophisticated
and organized. Many are well funded, backed by criminal syndicates or adversarial governments
with deep pockets.
Critical infrastructure owners and operators must take a fresh look at cybersecurity systems and
practices to improve readiness and address evolving regulatory requirements.
Formulating a comprehensive cybersecurity strategy is no easy matter. It requires careful thought
and thorough planning. The U.S. National Institute of Standards and Technology (NIST), the
Cybersecurity and Infrastructure Security Agency (CISA) and other international authorities provide
a variety of resources to help you get started, including:
• NIST Cybersecurity Framework
• NIST Special Publication 800-207, Zero Trust Architecture
• NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security
• NIST Internal Report 8183, Cybersecurity Framework Manufacturing Profile
• CISA Cybersecurity Best Practices for Industrial Control Systems
• CISA Pipeline Cybersecurity Library
• CISA Cybersecurity and Physical Security Convergence Guide
• ENISA reports on critical infrastructure
• Australian Cyber Security Centre guidance for critical infrastructure
Learn More
CyberArk Privileged Access Manager, part of the CyberArk
Identity Security Platform, provides foundational controls for
protecting, managing and monitoring privileged access
across on-premises, cloud and hybrid infrastructure. The
solution helps organizations efficiently manage privileged
credentials, tightly control privileged access with strong
authentication methods, closely track privileged account
activity with comprehensive audit logs, intelligently identify
suspicious activity and quickly respond to threats. The
solution can be self-hosted or deployed as a service.
Privileged Access Manager can help critical infrastructure
operators defend against cyber attacks, drive operational
efficiencies, satisfy regulatory requirements and provide
evidence of compliance. Learn how CyberArk Privileged
Access Manager can help your organization strengthen
security and mitigate risk.