CISA unveils zero trust guidance to safeguard connected communities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released comprehensive, user-friendly guidance for communities to understand the risks associated with interconnected systems and how zero trust principles can help mitigate these risks effectively. The document seeks to explain the concept of zero trust as an effective approach to protect interconnected critical infrastructure systems within connected communities. It also provides connected communities with a framework of essential activities to achieve greater visibility into network activity, trend identification through analytics, issue resolution through automation and orchestration, and more efficient network security governance. 

“The process of securing critical infrastructure in connected communities requires addressing more technology types across sectors, ranging from energy to clean water and even emergency services,” CISA wrote in its latest document titled ‘Connected Communities Guidance: Zero Trust to Protect Interconnected Systems.’ “As a result of the increased interconnectedness within connected communities, traditional perimeter-based security measures are no longer sufficient to protect networks from intrusion and secure critical infrastructure data.” 

CISA detailed that connected communities are an attractive target for criminals and cyber threat actors to exploit vulnerable systems to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks. Successful cyberattacks against smart cities could lead to disruption of infrastructure services, significant financial losses, exposure of citizens’ private data, erosion of citizens’ trust in the smart systems themselves, and physical impacts to infrastructure that could cause physical harm or loss of life.

The document added that multiple U.S. government agencies have developed frameworks and strategies to apply zero trust principles across federal networks. However, there is a lack of guidance for state, local, tribal, and territorial (SLTT) governments, specifically within connected communities. 

“Connected communities may create safer, more efficient, resilient communities through technological innovation and data-driven decision-making; however, the integration of smart technologies also introduces potential vulnerabilities that, if exploited, could impact economic security, public health and safety, and critical infrastructure operations,” CISA detailed. “Cyber threat activity against operational technology (OT) systems is increasing globally, and the interconnection between OT systems and smart city infrastructure increases the attack surface and heightens the potential consequences of compromise across these environments.”

Additionally, as connected communities continue integrating more systems and increasing network connectivity, network administrators and security personnel may lose visibility into collective system risks. 

With the emergence of hybrid workforces and accelerating cloud migration, applications and users are becoming decentralized with users expecting access from any location on any device. This potential loss of visibility also includes components owned and operated by vendors providing their infrastructure as a service to support integration. The implied trust of years past, in which being physically present in an office provided some measure of user authentication, can no longer be sustained. Interconnected systems bring to bear a level of complexity that requires a higher level of security that is applied consistently across all network environments and user interactions. 

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 outlines seven basic tenets of zero trust and zero trust architecture (ZTA): all data sources and computing services are considered resources; all communication is secured regardless of network location; access to individual enterprise resources is granted on a per-session basis; and access to resources is determined by dynamic policy, including the observable state of client identity, application/service, and the requested asset, and may include other behavioral and environmental attributes.

The agency also listed that the enterprise monitors and measures the integrity and security posture of all owned and associated assets. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. The enterprise collects information about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture.

The National Security Telecommunications Advisory Committee (NSTAC) describes zero trust as, ‘a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a breach has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified.’

CISA’s Zero Trust Maturity Model (ZTMM), which serves as an industry-backed approach for zero trust implementation, provides additional context to NIST’s zero trust tenets. CISA describes five pillars that entities should account for when adopting zero trust principles: devices, networks, applications, workloads, and data. The model also introduces the following cross-cutting capabilities that support the interoperability of the pillars, namely visibility and analytics; automation and orchestration; and governance. 

Zero trust design principles create a more secure network environment that requires authentication and authorization for each new connection, with a layered, defense-in-depth approach to security. However, the path to zero trust is an incremental process that may take years to fully implement. It is important to understand that zero trust is not a single product or application; rather, zero trust is a journey that connected communities need to take and maintain. 

Moving from a traditional network architecture to zero trust, especially for communities with interconnected critical infrastructure systems, is not going to be a ‘one-and-done’ effort. The zero trust principles detailed below can provide connected communities with a framework of essential activities to achieve greater visibility into network activity, trend identification through analytics, issue resolution through automation and orchestration, and more efficient network security governance.

Connected communities should consider creating an asset inventory that establishes a visibility baseline for all assets on a given network. When developing the inventory, connected communities should prioritize high-risk and high-exposure assets, particularly new devices, including but not limited to, ‘bring your own devices’ (BYODs). BYODs include personal smartphones, laptops, MiFi devices, and tablets employees use to access an organization’s network.

They must also ensure multi-factor authentication (MFA) policies are up-to-date, apply MFA multiple times during any single session, and add access controls around the most sensitive data. With zero trust, users should only access what they are supposed to access and nothing more. 

Connected communities must enforce the zero trust principle of least privilege and deploy authentication mechanisms to consider identity and context. Additionally, they should create and implement policies governing who has access to what data, when, and clearly define the processes to ensure compliance. Zero trust principles reinforce the practice of integrating security through the entire cybersecurity lifecycle process.
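The NIST tenets summarized above (per-session access, dynamic policy that considers identity, device state and the requested asset) and the guidance to re-challenge MFA within a session and enforce least privilege can be made concrete as a small policy decision point. The following is an added example written for this article, not code from the CISA document; the resource tiers, roles and MFA age limits are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample resource catalogue: sensitivity tier and an explicit
# per-role allow list (least privilege: nothing is permitted unless listed).
RESOURCES = {
    "scada-historian":  {"tier": "sensitive", "allow": {"ot-engineer": {"read"}}},
    "permit-portal":    {"tier": "internal",  "allow": {"clerk": {"read", "write"},
                                                        "ot-engineer": {"read"}}},
    "transit-schedule": {"tier": "public",    "allow": {"*": {"read"}}},
}
# More sensitive tiers demand a fresher MFA challenge, so MFA is re-applied
# several times within one session rather than once at the perimeter.
MFA_MAX_AGE_SECONDS = {"public": 3600, "internal": 900, "sensitive": 300}

@dataclass(frozen=True)
class DevicePosture:
    managed: bool      # enrolled in the community's device management
    patched: bool      # no outstanding critical patches
    edr_healthy: bool  # endpoint agent reporting and up to date

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    device: DevicePosture
    resource: str
    action: str
    mfa_age_seconds: int  # time since the last successful MFA in this session

AUDIT_LOG: list = []  # every decision is recorded to improve posture over time

def decide(req: AccessRequest) -> tuple:
    """Evaluate one request against dynamic policy; returns (granted, reason).
    Called for every request, so a grant never outlives the session."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return _record(req, False, "unknown resource: default deny")
    tier = res["tier"]
    posture_ok = req.device.managed and req.device.patched and req.device.edr_healthy
    if tier != "public" and not posture_ok:
        return _record(req, False, f"device posture insufficient for {tier} tier")
    if req.mfa_age_seconds > MFA_MAX_AGE_SECONDS[tier]:
        return _record(req, False, "mfa stale: re-challenge required")
    allowed = set(res["allow"].get("*", set()))
    for role in req.roles:
        allowed |= res["allow"].get(role, set())
    if req.action not in allowed:
        return _record(req, False, f"action '{req.action}' not permitted for roles")
    return _record(req, True, "granted")

def _record(req: AccessRequest, granted: bool, reason: str) -> tuple:
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "action": req.action, "granted": granted, "reason": reason})
    return granted, reason
```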

Zero trust encourages the practice of micro-segmentation. Connected communities should segment networks into subnetworks to create smaller, more manageable surfaces to protect. This way, should a malicious actor gain access, micro-segmentation helps to minimize lateral movement, contains the threat, and restricts malware from spreading across the entire environment.

Connected communities should establish consistent budget line items for long-term refreshes of hardware and software and replace legacy systems. It is important to consider technical debt, or reliance on legacy technology, and develop ZTA from the ground up. Layering security on top will likely do more harm, introduce additional security misconfigurations or vulnerabilities, and create greater complexities for effectively managing security. 

The CISA document identified that disrupting users’ day-to-day experience is the fastest way to nullify a zero trust transition. Thus, connected communities should prioritize efforts that benefit the workforce and can be accomplished, to maximize buy-in and commitment for a comprehensive ZTA. When ZTA is deployed properly, authentication and access will be seamless, and users will be more likely to embrace zero trust. Connected communities must also implement security orchestration to connect different technologies, bridge visibility gaps, and automate repetitive tasks required for authenticating users at multiple access levels.

Last week, CISA announced that its Services Portal and Voluntary Cyber Incident Reporting webpage, with resources and frequently asked questions, is now live. The initiative comes as nation state-backed cyber actors, cybercriminals, and other threat actors have much wider opportunities to sneak into networks and steal or ransom sensitive information and critical data, position themselves to disrupt service at a time of their choosing, and otherwise wreak havoc.
