
EBOOK

Strengthening Critical
Infrastructure Security
Mitigate Risk with Privileged Access Management
Table of Contents
Introduction  3
Keeping Pace with the Evolving Threat Landscape  4
What is Critical Infrastructure?  5
IT/OT Network Convergence Creates a Pathway for Threat Actors  6
Standards-Based OT Introduces Supply Chain Vulnerabilities  7
Digital Transformation Expands the Attack Surface  8
Zero Trust Architectures Protect Against Modern Cyber Threats  9
Privileged Access Management is Fundamental to Cybersecurity 10
Critical Infrastructure Cybersecurity Regulations  11
Conclusion  12

2/13 Strengthening Critical Infrastructure Security


Introduction
Cybercriminals and rogue nation states are increasingly setting their sights on critical infrastructure.
The results can be damaging, far-reaching and long-lasting. In May 2021, DarkSide, a Russian cyber
criminal syndicate, carried out a ransomware attack against a large oil pipeline operator that disrupted
fuel supplies and triggered panic buying and widespread gasoline shortages across the southeastern
United States.

The same month, Conti, another Russian ransomware group, waged an attack against the Irish Health
Service that impacted patient care for months, forcing healthcare providers to cancel appointments,
postpone elective surgeries and delay treatments. A couple of weeks later, REvil, yet another Russian
ransomware group, attacked a large meat producer, forcing the company to shut down plants in the
U.S., Canada and Australia, impacting national food supplies and meat prices.

Clearly, cyber attacks can have catastrophic consequences. And yet while most critical infrastructure
operators have extensive physical security plans, many lack comprehensive cybersecurity strategies.
Governments and industry regulators around the world are taking notice, issuing guidelines to defend
critical infrastructure against devastating cyber attacks. Privileged access management plays a central
role in these guidelines. It helps prevent attackers from gaining access to critical resources and helps
contain threats.

This eBook describes how advances in critical infrastructure technology are opening the door for threat
actors and explains how privileged access management solutions can help critical infrastructure
owners and operators strengthen cybersecurity, reduce risk and comply with regulatory requirements.



Keeping Pace with the Evolving Threat Landscape
Attacks on critical infrastructure are nothing new. Bad actors have targeted industrial control systems and other essential infrastructure for years.

2013: Adversaries linked to the government of Iran gained access to the flood control system for a dam in New York State and could have literally opened the floodgates.

2015: In a harbinger of future events, Russian-backed cyber attackers knocked out power to over a quarter million people in Ukraine in the midst of a military incursion.

2017: Nation-state actors gained access to an industrial control system for a Saudi petrochemical plant and could have triggered an explosion or released toxic gases into the air had they chosen.

2021: A bad actor compromised a US water treatment facility to increase the sodium hydroxide content in the water supply by 100x, potentially poisoning 15,000 citizens. The attack was shut down by on-site staff.

While none of these attacks resulted in loss of life, they all demonstrate just how vulnerable critical infrastructure is in today’s digital world. Threat
actors are continuously honing their skills, finding new ways to penetrate critical systems and disrupt essential services. Critical infrastructure owners
and operators must take proactive measures to improve cyber readiness and defend against increasingly sophisticated threats.



What is Critical Infrastructure?
Critical infrastructure refers to the assets, systems and networks that power the
basic services required to keep society functioning. They include systems that are
essential for public health and safety; for food, water and energy supplies; and for
fundamental transportation, communications and financial services. An attack on
critical infrastructure has the potential to threaten a nation’s security; impact the
economy; and cause injury, illness, death and destruction.

Advances in technology have expanded the threat landscape and opened up new
avenues for bad actors to penetrate industrial control systems and other critical
systems. The integration of information technology (IT) and operational technology
(OT), the adoption of Software as a Service (SaaS), Infrastructure as a Service (IaaS)
and Platform as a Service (PaaS) solutions, and the advent of the Internet of Things
(IoT) all create new opportunities for adversaries. Implementing consistent security
systems and processes across diverse and dispersed environments can be a real
challenge for critical infrastructure operators.



IT/OT Network Convergence Creates a Pathway for Threat Actors
Utilities and manufacturers are converging OT networks and IT networks to reduce expenses, simplify
operations and support industrial IoT (IIoT) initiatives.

Historically, utilities and manufacturers operated independent OT and IT networks. Industrial control
traffic flowed over a dedicated OT network using industry-specific Supervisory Control and Data
Acquisition (SCADA), energy management system (EMS) and manufacturing execution system (MES)
protocols. Business application traffic flowed over a separate enterprise IP network, which connected to
the public internet. If an external threat actor managed to breach the enterprise network, they had no way
to access the OT network.

The convergence of IT and OT networks eliminates the “air gap” between the two environments, providing
a pathway for external threat actors to gain access to industrial control systems and wreak havoc.

[Figure: Independent “Air-Gapped” Networks vs. Converged IT/OT Network. Left: a separate IT network
(Information Technology: ERP, CRM, Helpdesk, Business Apps, etc.) and OT network (Operational
Technology: Control Systems, Sensors, Actuators, Machines, etc.). Right: a common IP network carrying
both ERP, CRM, Helpdesk and Business Apps and Control Systems, Sensors, Actuators and Machines.]



Standards-Based OT
Introduces Supply Chain
Vulnerabilities
A shift toward standards-based operational technology also introduces new opportunities
for bad actors. Historically, industrial control systems were based on proprietary hardware
and special-purpose software. Today, they run on Linux-based commodity servers and
leverage commercial-off-the-shelf (COTS) software, making them vulnerable to software
supply chain attacks.

The infamous 2020 SolarWinds supply chain attack serves as a perfect example. Early
reports indicated that 15 electric, oil, gas and manufacturing entities were caught up in
the SolarWinds incident. But a 2021 North American Electric Reliability Corporation
(NERC) report revealed about 25% of utilities were ultimately affected.

Software supply chain attacks are particularly difficult to detect. Threat actors can fly
under the radar for weeks or months probing for vulnerabilities and plotting their moves.
The SolarWinds attack went unnoticed for nine months, eventually impacting more than
18,000 organizations around the world.



Digital Transformation
Expands the Attack Surface
Critical infrastructure operators are adopting cloud-based services to accelerate the pace of innovation,
streamline operations and support IoT programs like Smart Grid, Smart City and Smart Transportation
systems. Cloud-based services and the Internet of Things expand the attack surface and provide new ways
for adversaries to penetrate systems and launch attacks.

Historically, critical infrastructure operators deployed OT and IT solutions on-site in control centers,
manufacturing floors, data centers, etc. Most deployed firewalls and other security solutions at the perimeter
of the enterprise network to protect OT and IT systems against malicious attacks originating from the
internet. Many used virtual private network (VPN) technology and multi-factor authentication (MFA) solutions
to provide secure access for the occasional remote user.

The cloud has fundamentally changed the way critical infrastructure operators build and deploy applications.
And to complicate things even further, COVID-19 has permanently changed the way many people work.

Traditional perimeter-based security models, conceived to control access to trusted enterprise networks,
aren’t well suited for the digital era. In today’s world, applications are often deployed in the cloud beyond the
secure confines of the trusted enterprise network border. IoT endpoints are often connected over the public
internet. Users (help desk staff, customer service reps, business professionals, etc.) often work from home,
bypassing the enterprise network altogether. And system administrators — employees, contractors and
outside vendors — routinely manage critical infrastructure remotely.



Zero Trust Architectures Protect Against Modern Cyber Threats
Many organizations are adopting Zero Trust security models for the digital era. Zero
Trust security architectures like NIST SP 800-207 are specifically designed for today’s
hybrid IT environments and hybrid work models. In March 2021, in response to several
prominent critical infrastructure attacks, the Biden administration issued an executive
order requiring that U.S. Federal Agencies adopt NIST SP 800-207 to strengthen IT and
OT security and recommending private-sector organizations follow suit.

A Zero Trust approach protects modern operating environments by assuming all
identities are implicitly untrusted and must be authenticated and authorized regardless
of their network or location.

Unlike a traditional perimeter-based security model, a Zero Trust architecture:

• Protects cloud-based IT and OT systems as well as on-premises IT and OT systems
• Defends against inside threats as well as external threats
• Provides inherent security for remote workers and mobile users

A Zero Trust approach requires a comprehensive Identity Security solution, including
robust privileged access management functionality.



Privileged Access Management is Fundamental to Cybersecurity
Privileged accounts like Linux root accounts, Windows administrator accounts, and cloud and application admin accounts are favorite targets for threat
actors. They provide unrestricted access to system commands, files and resources, and are used to configure system settings, install and remove software,
manage user accounts and perform other routine maintenance functions. Adversaries can exploit privileged accounts to orchestrate attacks, take down
critical infrastructure and disrupt essential services.

Privileged access management solutions help critical infrastructure operators strengthen security by improving visibility and control over privileged account
credentials, isolating privileged sessions and auditing privileged activities.

A typical privileged access management solution:

• Includes a digital vault to securely store passwords, secrets, SSH keys and other credentials used by
people, applications and machines
• Automatically updates and rotates credentials based on an organization’s defined policy to mitigate
risk in the event credentials are compromised
• Isolates privileged sessions to contain threats and prevent malware spread, and audits sessions to
provide evidence of compliance
• Supports multi-factor authentication to positively identify privileged users, mitigate the risks of
credential theft and prevent unauthorized access to privileged accounts
• Uses threat analytics to intelligently identify anomalous privileged activity
• Provides secure access to privileged accounts in air-gapped environments or remote settings without
connectivity, allowing administration of critical infrastructure
• Consistently protects on-premises, cloud and hybrid environments
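Two of the capabilities listed above, policy-driven credential rotation and analytics over privileged session records, can be illustrated with a small script. The following is an added example written for this page; it is not CyberArk's code and is not part of the original eBook. The account names, hosts, policy limits, maintenance windows and the key=value audit-line format are all constructed for illustration, and the script assumes the operator can export an account inventory and session records from whatever vault and session-recording tool they use.

```python
"""Privileged-account hygiene checks: rotation policy and anomalous-session detection.

Added example (not CyberArk's code). All names, hosts, dates and formats are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Rotation policy --------------------------------------------------------

# Hypothetical policy: maximum credential age per account class, in days.
ROTATION_POLICY = {"root": 30, "admin": 30, "service": 90}


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str                 # e.g. "root@scada-hist-01" (constructed)
    account_class: str        # one of the ROTATION_POLICY keys
    last_rotated: datetime    # when the credential was last rotated (UTC)
    suspected_compromise: bool = False


# Constructed inventory; hostnames and dates are made up for the example.
NOW = datetime(2022, 4, 15, tzinfo=timezone.utc)
ACCOUNTS = [
    PrivilegedAccount("root@scada-hist-01", "root", NOW - timedelta(days=12)),
    PrivilegedAccount("admin@ems-gateway", "admin", NOW - timedelta(days=45)),
    PrivilegedAccount("svc-backup", "service", NOW - timedelta(days=60)),
    PrivilegedAccount("root@plc-eng-ws", "root", NOW - timedelta(days=3), True),
]


def overdue_rotations(accounts, policy=ROTATION_POLICY, now=NOW):
    """Return {account_name: reason} for credentials that must be rotated now.

    Two triggers: credential age beyond the class limit, or a suspected
    compromise, which forces immediate rotation regardless of age.
    """
    findings = {}
    for acct in accounts:
        age_days = (now - acct.last_rotated).days
        limit = policy[acct.account_class]
        if acct.suspected_compromise:
            findings[acct.name] = "suspected compromise: rotate immediately"
        elif age_days > limit:
            findings[acct.name] = f"age {age_days}d exceeds {limit}d limit"
    return findings


# --- Session analytics ------------------------------------------------------

# Per-account baseline (constructed): approved jump hosts and the UTC hour
# window in which privileged sessions are expected for that account.
BASELINE = {
    "root@scada-hist-01": {"sources": {"10.20.5.10", "10.20.5.11"}, "window": (8, 18)},
    "admin@ems-gateway": {"sources": {"10.20.5.10"}, "window": (8, 18)},
}

# Constructed session-audit records in a simple key=value line format.
AUDIT_LINES = """\
2022-04-14T09:12:44Z session=s-101 account=root@scada-hist-01 src=10.20.5.10
2022-04-14T23:41:03Z session=s-102 account=root@scada-hist-01 src=10.20.5.10
2022-04-14T10:05:19Z session=s-103 account=admin@ems-gateway src=192.0.2.45
2022-04-14T11:30:00Z session=s-104 account=svc-legacy src=10.20.5.10
"""


def parse_audit_line(line):
    """Parse one constructed audit line into a dict with a UTC timestamp."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def anomalous_sessions(lines, baseline=BASELINE):
    """Return {session_id: [reasons]} for sessions deviating from the baseline.

    A session is flagged when the account has no baseline at all (an unmanaged
    privileged account), when it originates from a host that is not an approved
    jump host, or when it falls outside the account's maintenance window.
    """
    findings = {}
    for line in lines.strip().splitlines():
        rec = parse_audit_line(line)
        reasons = []
        profile = baseline.get(rec["account"])
        if profile is None:
            reasons.append("no baseline: account not under management")
        else:
            if rec["src"] not in profile["sources"]:
                reasons.append(f"source {rec['src']} is not an approved jump host")
            start, end = profile["window"]
            if not start <= rec["ts"].hour < end:
                reasons.append(f"outside maintenance window at {rec['ts'].hour:02d}:00 UTC")
        if reasons:
            findings[rec["session"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reason in overdue_rotations(ACCOUNTS).items():
        print(f"ROTATE  {name}: {reason}")
    for sid, reasons in anomalous_sessions(AUDIT_LINES).items():
        print(f"REVIEW  {sid}: {'; '.join(reasons)}")
```

Run as-is, the script reports the admin account whose credential is 45 days old and the root account marked as suspected-compromised, and it flags the three sessions that break the baseline: one at 23:41 UTC outside the maintenance window, one from an unapproved source address, and one for an account that has no baseline because it was never brought under management. That last case matters in practice: an unmanaged privileged account produces no vault, rotation or session record, so an inventory gap is itself a finding.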

Critical Infrastructure Cybersecurity Regulations
Government and industry regulators around the world have enacted cybersecurity mandates and guidelines
to protect critical infrastructure against cyber attacks. Privileged access management is a basic
requirement for most of these regulations.

To fulfil these requirements, critical infrastructure operators might need to:

• Implement foundational controls to safeguard privileged access
• Monitor privileged access activity and promptly notify authorities of a security breach
• Demonstrate evidence of compliance to auditors on a regular basis

North America
• NERC Critical Infrastructure Protection (CIP)

Asia Pacific
• Australian Critical Infrastructure Security Act
• Singapore Cybersecurity Act

Europe
• EU Directive on Security of Network and Information Systems (NIS Directive)
• German Critical Infrastructure (Kritis) Regulation
• French Military Programming Law

Conclusion
Cyber attacks against critical infrastructure are growing in frequency, scope and scale, threatening
public safety, security and well-being. Today’s threat actors are highly experienced, sophisticated
and organized. Many are well funded, backed by criminal syndicates or adversarial governments
with deep pockets.

Critical infrastructure owners and operators must take a fresh look at cybersecurity systems and
practices to improve readiness and address evolving regulatory requirements.

Formulating a comprehensive cybersecurity strategy is no easy matter. It requires careful thought
and thorough planning. The U.S. National Institute of Standards and Technology (NIST) and
Cybersecurity and Infrastructure Security Agency (CISA) and other international authorities provide
a variety of resources to help you get started, including:

• NIST Cybersecurity Framework
• NIST Special Publication 800-207 on Zero Trust Architecture
• NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security
• NIST Internal Report 8183 Cybersecurity Framework Manufacturing Profile
• CISA Cybersecurity Best Practices for Industrial Control Systems
• CISA Pipeline Cybersecurity Library
• CISA Cybersecurity and Physical Security Convergence Guide
• ENISA Reports on Critical Infrastructure
• Australian Cyber Security Center Guidance for Critical Infrastructure

Learn More
CyberArk Privileged Access Manager, part of the CyberArk Identity Security Platform, provides
foundational controls for protecting, managing and monitoring privileged access across on-premises,
cloud and hybrid infrastructure. The solution helps organizations efficiently manage privileged
credentials, tightly control privileged access with strong authentication methods, closely track
privileged account activity with comprehensive audit logs, intelligently identify suspicious activity
and quickly respond to threats. The solution can be self-hosted or deployed as a service.

Privileged Access Manager can help critical infrastructure operators defend against cyber attacks,
drive operational efficiencies, satisfy regulatory requirements and provide evidence of compliance.
Learn how CyberArk Privileged Access Manager can help your organization strengthen security and
mitigate risk.

REQUEST A DEMO

CyberArk is the global leader in Identity Security. Centered on privileged access management,
CyberArk provides the most comprehensive security offering for any identity — human or
machine — across business applications, distributed workforces, hybrid cloud workloads and
throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help
secure their most critical assets. To learn more about CyberArk, visit www.cyberark.com,
read the CyberArk blogs or follow us on Twitter via @CyberArk, LinkedIn or Facebook.

©Copyright 2022 CyberArk Software. All rights reserved. No portion of this publication may be reproduced
in any form or by any means without the express written consent of CyberArk Software.
CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks
(or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names
are the property of their respective owners.

CyberArk believes the information in this document is accurate as of its publication date. The information is
provided without any express, statutory, or implied warranties and is subject to change without notice.
THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO
WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED, INCLUDING WARRANTY OF
MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE.
IN NO EVENT SHALL CYBERARK BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR
CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF
REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING FROM USE OF OR IN RELIANCE ON THIS
PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
U.S., 04.22 Doc: TSK-1211
