Strengthening Critical Infrastructure Security
Mitigate Risk with Privileged Access Management
Table of Contents
Introduction 3
Keeping Pace with the Evolving Threat Landscape 4
What is Critical Infrastructure? 5
IT/OT Network Convergence Creates a Pathway for Threat Actors 6
Standards-Based OT Introduces Supply Chain Vulnerabilities 7
Digital Transformation Expands the Attack Surface 8
Zero Trust Architectures Protect Against Modern Cyber Threats 9
Privileged Access Management is Fundamental to Cybersecurity 10
Critical Infrastructure Cybersecurity Regulations 11
Conclusion 12
The same month, Conti, another Russian ransomware group, waged an attack against the Irish Health
Service that impacted patient care for months, forcing healthcare providers to cancel appointments,
postpone elective surgeries and delay treatments. A couple of weeks later, REvil, yet another Russian
ransomware group, attacked a large meat producer, forcing the company to shut down plants in the
U.S., Canada and Australia, impacting national food supplies and meat prices.
Clearly, cyber attacks can have catastrophic consequences. And yet while most critical infrastructure
operators have extensive physical security plans, many lack comprehensive cybersecurity strategies.
Governments and industry regulators around the world are taking notice, issuing guidelines to defend
critical infrastructure against devastating cyber attacks. Privileged access management plays a central
role in these guidelines. It helps prevent attackers from gaining access to critical resources and helps
contain threats.
This eBook describes how advances in critical infrastructure technology are opening the door for threat
actors and explains how privileged access management solutions can help critical infrastructure
owners and operators strengthen cybersecurity, reduce risk and comply with regulatory requirements.
While none of these attacks resulted in loss of life, they all demonstrate just how vulnerable critical infrastructure is in today’s digital world. Threat
actors are continuously honing their skills, finding new ways to penetrate critical systems and disrupt essential services. Critical infrastructure owners
and operators must take proactive measures to improve cyber readiness and defend against increasingly sophisticated threats.
Advances in technology have expanded the threat landscape and opened up new
avenues for bad actors to penetrate industrial control systems and other critical
systems. The integration of information technology (IT) and operational technology
(OT), the adoption of Software as a Service (SaaS), Infrastructure as a Service (IaaS)
and Platform as a Service (PaaS) solutions, and the advent of the Internet of Things
(IoT) all create new opportunities for adversaries. Implementing consistent security
systems and processes across diverse and dispersed environments can be a real
challenge for critical infrastructure operators.
[Figure: IT/OT network convergence. The IT network (ERP, CRM, helpdesk, business apps, etc.) and the OT network share a common IP network.]
The infamous 2020 SolarWinds supply chain attack serves as a perfect example. Early
reports indicated that 15 electric, oil, gas and manufacturing entities were caught up in
the SolarWinds incident. But a 2021 North American Electric Reliability Corporation
(NERC) report revealed about 25% of utilities were ultimately affected.
Software supply chain attacks are particularly difficult to detect. Threat actors can fly
under the radar for weeks or months probing for vulnerabilities and plotting their moves.
The SolarWinds attack went unnoticed for nine months, eventually impacting more than
18,000 organizations around the world.
Historically, critical infrastructure operators deployed OT and IT solutions on-site in control centers,
manufacturing floors, data centers, etc. Most deployed firewalls and other security solutions at the perimeter
of the enterprise network to protect OT and IT systems against malicious attacks originating from the
internet. Many used virtual private network (VPN) technology and multi-factor authentication (MFA) solutions
to provide secure access for the occasional remote user.
The cloud has fundamentally changed the way critical infrastructure operators build and deploy applications.
And to complicate things even further, COVID-19 has permanently changed the way many people work.
Traditional perimeter-based security models, conceived to control access to trusted enterprise networks,
aren’t well suited for the digital era. In today’s world, applications are often deployed in the cloud beyond the
secure confines of the trusted enterprise network border. IoT endpoints are often connected over the public
internet. Users (help desk staff, customer service reps, business professionals, etc.) often work from home,
bypassing the enterprise network altogether. And system administrators — employees, contractors and
outside vendors — routinely manage critical infrastructure remotely.
Privileged access management solutions help critical infrastructure operators strengthen security by improving visibility and control over privileged account
credentials, isolating privileged sessions and auditing privileged activities.
• Includes a digital vault to securely store passwords, secrets, SSH keys and other credentials used by people, applications and machines
• Automatically updates and rotates credentials based on an organization’s defined policy to mitigate risk in the event credentials are compromised
• Isolates privileged sessions to contain threats and prevent malware spread, and audits sessions to provide evidence of compliance
• Uses threat analytics to intelligently identify anomalous privileged activity
• Provides secure access to privileged accounts in air-gapped environments or remote settings without connectivity, allowing administration of critical infrastructure
• Consistently protects on-premises, cloud and hybrid environments
Critical Infrastructure Cybersecurity Regulations
Government and industry regulators around the world have enacted cybersecurity mandates and guidelines to protect critical infrastructure against cyber attacks. Privileged access management is a basic requirement for most of these regulations.
To fulfil these requirements, critical infrastructure operators might need to:
• Implement foundational controls to safeguard privileged access
• Monitor privileged access activity and promptly notify authorities of a security breach
• Demonstrate evidence of compliance to auditors on a regular basis
Examples of such regulations and directives include:
• NERC Critical Infrastructure Protection (CIP)
• EU Directive on Security of Network and Information Systems (NIS Directive)
• Australian Critical Infrastructure Security Act
• French Military Programming Law
Conclusion
Cyber attacks against critical infrastructure are growing in frequency, scope and scale, threatening public safety, security and well-being. Today’s threat actors are highly experienced, sophisticated and organized. Many are well funded, backed by criminal syndicates or adversarial governments with deep pockets.
Critical infrastructure owners and operators must take a fresh look at cybersecurity systems and practices to improve readiness and address evolving regulatory requirements.
Formulating a comprehensive cybersecurity strategy is no easy matter. It requires careful thought and thorough planning. The U.S. National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) and other international authorities provide a variety of resources to help you get started, including:
• NIST Cybersecurity Framework
• NIST Special Publication 800-27 on Zero Trust Architecture
• NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security
• NIST Internal Report 8183 Cybersecurity Framework Manufacturing Profile
• CISA Pipeline Cybersecurity Library
• CISA Cybersecurity and Physical Security Convergence Guide
• CISA Cybersecurity Best Practices for Industrial Control Systems
• ENISA Reports on Critical Infrastructure
• Australian Cyber Security Center Guidance for Critical Infrastructure
Learn More
CyberArk Privileged Access Manager, part of the CyberArk Identity Security Platform, provides foundational controls for protecting, managing and monitoring privileged access across on-premises, cloud and hybrid infrastructure. The solution helps organizations efficiently manage privileged credentials, tightly control privileged access with strong authentication methods, closely track privileged account activity with comprehensive audit logs, intelligently identify suspicious activity and quickly respond to threats. The solution can be self-hosted or deployed as a service.
Privileged Access Manager can help critical infrastructure operators defend against cyber attacks, drive operational efficiencies, satisfy regulatory requirements and provide evidence of compliance. Learn how CyberArk Privileged Access Manager can help your organization strengthen security and mitigate risk.
REQUEST A DEMO
CyberArk is the global leader in Identity Security. Centered on privileged access management,
CyberArk provides the most comprehensive security offering for any identity — human or
machine — across business applications, distributed workforces, hybrid cloud workloads and
throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help
secure their most critical assets. To learn more about CyberArk, visit www.cyberark.com,
read the CyberArk blogs or follow us on Twitter via @CyberArk, LinkedIn or Facebook.
©Copyright 2022 CyberArk Software. All rights reserved. No portion of this publication may be reproduced
in any form or by any means without the express written consent of CyberArk Software.
CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks
(or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names
are the property of their respective owners.
CyberArk believes the information in this document is accurate as of its publication date. The information is
provided without any express, statutory, or implied warranties and is subject to change without notice.
THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO
WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED, INCLUDING WARRANTY OF
MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE.
IN NO EVENT SHALL CYBERARK BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR
CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF
REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING FROM USE OF OR IN RELIANCE ON THIS
PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
U.S., 04.22 Doc: TSK-1211