A 3-step path to securing critical infrastructure

Securing critical infrastructure is essential to the health of our global economy and society. Events that may undermine the confidentiality, integrity or availability of the services delivered by critical infrastructure providers and their networks could have significant and even potentially devastating consequences. Naturally, governments are increasingly focused on this problem and are calling for critical infrastructure providers and their IT vendors to implement technical and organizational security measures, and to prepare for the potential impacts of security incidents that do occur.

Given the dynamic nature of the threat environment, no single organization can effectively manage the breadth of risks alone. The only sensible path forward is for vendors, regulators and critical infrastructure providers to work together on creating new ways to instil trust. That requires thoroughly qualifying three key elements of any critical infrastructure environment: trustworthy IT vendors, secure solutions and responsible operations.

Evaluating the overall practices of a vendor’s organization should be the starting point. That includes assessing the robustness, repeatability and consistency of their secure development practices along with their transparency about vulnerabilities identified in their products, which is essential for resilience.

While assessing a point solution is a step in the right direction, a holistic approach that considers the role of people, processes and technology in protecting global critical infrastructure will yield a far better result. Point-product security is fleeting and unreliable if the organization producing the solution lacks the process maturity to consistently demonstrate its trustworthiness.

Practically speaking, security does not end at the point where a vendor places a solution on the market. How a critical infrastructure operator architects, deploys, monitors and maintains its networks and information systems on an ongoing basis is crucial to secure operations. A well-functioning security architecture that is resilient and trustworthy will help prevent, detect and react to cyberthreats.

Trustworthy solutions are products or services that do what is expected (and nothing more) and in a verifiable way. Vendors can (and should) build security capabilities into technologies at the design phase. These include validation of crypto modules; image signing to create unique digital signatures that can be checked at runtime; hardware-anchored secure boot to automatically verify software integrity at boot-up; technologies and processes to verify that the hardware is genuine; and runtime defenses that help provide protections against injection attacks of malicious code into running software. Additionally, vendors must know what is in their code and why it’s there; doing so is foundational to a mature and secure engineering process.

Vendors can also help network operators verify the integrity of their technology once it’s deployed in a network operation. Corroborating that the infrastructure hardware and software are working as expected is the key to maintaining the right security posture and integrity of the architectural components.

Revising procurement regulations to mandate better assessment of vendor solutions is now overdue. Government regulations should require that any technology deployed in critical infrastructure be procured only from provably trustworthy vendors.

Derive that proof from mandatory security assessments. Start by leveraging baseline measures of adherence to simple security measures that are already captured in internationally recognized standards such as Common Criteria. These are useful as a starting point and can serve as appropriate yardsticks for technology deployed broadly in less critical networks.

For mission-critical networks, comprehensive security assessments should be conducted by recognized, trusted experts. This may necessitate government agencies performing the testing themselves, both to ensure the quality of the results and due to the shortage of skilled experts. Testing might also be performed with the assistance of select, highly qualified testing labs.

Whichever method, this can’t be approached as a mere compliance exercise, as has become commonplace when assessing basic security standards. Robust security assessments conducted for critical networks should employ vigorous and dynamic vetting of numerous critical vendor capabilities: verification of source code, design documentation, actual penetration-style solution testing, and the testing of artefacts and other relevant materials. Conduct the assessment in an agreed-upon, secure location where the vendor’s intellectual property will be protected.

Be sure the testing procedure keeps pace with market innovations and incorporates a rigorous, risk-based approach. To enable efficiency, scale and expediency:

i) Manage product iterations by limiting testing to the updated part of a build. This will overcome cost and time-to-market implications of testing every version.

ii) Build on proven assessment examples, rather than starting from scratch. Update only when meaningful and collective value can be added.

iii) Collaborate with other like-minded governments to build toward mutual recognition of testing, focusing on mitigating cyber-risk rather than adhering to local business customs. This will reduce fragmentation across borders and enhance each country’s ability to effectively scale their efforts.

Migrating to digital capabilities requires critical infrastructure providers to keep pace with the latest threat monitoring and detection technologies. For instance, machine-learning algorithms can help detect anomalies from normal network and user behaviour. That data can then be used for informing control-based policies to mitigate attacks.

The vendor has the role of helping the infrastructure provider deploy and operate their technology in the most effective and secure way. As operators need tools for onboarding and managing devices, vendors should work with them to ensure that devices can be tested, provisioned and updated securely. Providing unique device identities, validated at set-up, is just one step in how this could be approached.

Asset, patch and vulnerability management are integral to total lifecycle management of the security architecture and its components. IT vendors must follow a strict process for managing security vulnerability information related to any of their solutions and networks, and infrastructure providers will benefit greatly from requiring transparent and predictable approaches to vendors' vulnerability management and disclosures. That includes published guidelines for timely vendor action to provide necessary patches.

Because they can no longer be upgraded to mitigate new threats, dated or end-of-life software and hardware constitute two of the major risks to architectural security and resilience. It’s important to patch and upgrade proactively and not wait until something bad happens. Remember WannaCry, the ransomware that spread via unpatched software? Governments and operators can collaborate with IT vendors to properly patch or decommission outdated technology that wasn’t built to withstand today’s threats and bad actors.

The path to earning and maintaining the position of trusted partner is full of qualifying check points. The digital world, with its highly complex, interwoven systems and ballooning volumes of data, requires a new level of trust. Words of assurance are not enough; vendors must demonstrate a range of behaviours that prove they are a trusted partner, and then integrate those behaviours consistently throughout their operations.

With verification check points in place, by working with rightly trusted vendors, and armed with the power of digital capabilities, our global critical infrastructure will be ready for the risks of tomorrow.