RSAC 2023: Tackling the Myriad Challenges in Securing Critical Infrastructure

RSA CONFERENCE — In an RSAC 2023 forum Tuesday, panelists addressed the many challenges facing critical infrastructure in terms of cybersecurity, including reluctance to adopt automation.

The topic of the RSAC 2023 panel was the state of critical infrastructure security. (Channel Futures is on scene this week in San Francisco.) Panelists agreed some slight progress has been made, but organizations still have a long way to go.

Gartner predicts that by 2025, 30% of critical infrastructure organizations will experience a security breach resulting in the halting of operations, and/or mission-critical cyber-physical systems.

Panelists include:

Same Attack Patterns Over and Over

During the RSAC 2023 panel, Greatwood said there has been some progress in the last couple of years with some improved threat detection and some improved boundary protection as well.

Xage Security’s Duncan Greatwood

“But we’re still seeing the same patterns of attack over and over again: lost credentials, insecure protocols, stuff exposed on the internet, attacks spreading easily within the operation once it gets inside, as well as it being too easy to get in in the first place,” he said. “So I think the big shift that we’re seeing is much more aggressive adoption of preventative cyber in operations. And people have been using the word ‘protection’ for a few years, which kind of means absolutely everything. Every single thing you could possibly imagine doing in cyber is protective, but not everything is preventative.”

There are techniques that allow organizations to block most of the attacks that have taken place, Greatwood said. However, it hasn’t been easy for operations to adopt those techniques.

“They have tons of legacy equipment in the typical oil and gas operation,” he said. “Probably 80-95% of the equipment has no password. So that’s sort of the baseline that you’re starting from. There’s still quite a lot of opportunities within the operation to make attacks.”

RSAC 2023: DDoS Overtakes Ransomware as Greatest Concern

According to a new AT&T Cybersecurity report, organizations were most concerned about ransomware in 2022 with distributed denial of service (DDoS) coming in last. Now, DDoS is the No. 1 concern for organizations in energy and utilities, as well as manufacturing.

One of the reasons cybercriminals are gravitating to DDoS is it’s cheaper and easier than ransomware, Lanowitz said.

AT&T Cybersecurity’s Theresa Lanowitz

“If I am trying to execute something along the lines of ransomware, I have to rely on somebody doing something,” she said. “Now, with this proliferation of IoT devices, which edge computing is, they’re going to attack the device and then move laterally and work with the ransomware gang if that makes sense.”

There are legacy systems that are antiquated, air-gapped systems and networks that aren’t connected and don’t ever get updated or intercommunicate with each other, Mazal said.

“So being able to create a game plan to cycle through these environments and actually implement these controls at an asset or identity level is highly problematic,” he said. “But we’re seeing that’s what the White House is actually pushing for. They’re saying that whatever perimeter defense we’ve been doing up until now is not working and not successful. So we have to start inventing these unique controls across the board, whether that means implementing a tool that’s an aggregate of data that allows you to have insight and visibility into how you go ahead and secure these systems, and you create scheduling for interconnectivity.”

There are systems that can’t be patched and updated, Mazal said.

“These things are 25 years old,” he said. “They have systems that haven’t been touched or looked at since the 80s.”

Destruction as a Service Emerges

Part of the RSAC 2023 panel focused on destruction as a service. Along with ransomware as a service (RaaS), destruction as a service is on the rise, McElroy said.

VMware’s Rick McElroy

“It looks very similar to a ransomware service,” he said. “So I create payloads. You pay me for those commodity payloads; I change them based on your target list. And then of course, I have the infrastructure to go out and facilitate payments, a help desk if people have to call and get crypto and all of that good stuff, so there’s the destruction.”

There’s no strategy for defense-in-depth against outdated systems in critical infrastructure, Mazal said.

“You can access critical infrastructure, and our weakest link is our users of this critical infrastructure,” he said. “Same that happened with Colonial Pipeline. Easily provisioning an account and forgetting to decommission that account at offboarding. We have a ton of risk associated with that.”

Zero trust is a viable option for critical infrastructure and it should be working toward that, Mazal said.

“People have confused the general market about what zero trust is,” Lanowitz said. “It’s a business issue, not a tech issue. It’s a shift in the way business is thinking.”

In addition, automation could help better secure critical infrastructure, but there’s a lot of continuing mistrust and reluctance, Check said.

“It’s a generational problem,” he said. “We need a generational shift. We don’t have the people to do it, but we’re not embracing automation so we don’t need them.”

The panel did agree the Biden administration’s executive order aimed at defending critical infrastructure is a step in the right direction. McElroy said he hopes it prompts legislation to require changes. And Mazal said he wants to learn more about specific requirements and how it translates to all organizations.