How To Interpret and Act on the Government’s ‘Shields Up’ Advisory

As tensions with Russia mounted in the early weeks of the war in Ukraine, the FBI and the Department of Homeland Security issued a strong advisory to Critical Infrastructure owners.

James Thew/stock.adobe.com

As tensions with Russia mounted in the early weeks of the war in Ukraine, the FBI and the Department of Homeland Security issued a strong advisory to Critical Infrastructure owners, urging them to adopt a “shields up” strategy, hardening their systems against possible Russia-sponsored cyberattacks against U.S. electricity, gas and other systems.

The “who” and the “what” were easy to grasp. But the “how” wasn’t so clear. The advisory didn’t include additional guidance to help industrial leaders better understand what goes into a “shields up” posture.

The announcement mentioned some basic security steps companies could take right away, such as enabling multifactor authentication, conducting regular antivirus and antimalware scans, and strengthening spam filters. A subsequent Shields Up page from the Cybersecurity & Infrastructure Security Agency (CISA) offered more detailed advice. But neither mentioned what should be at the core of a truly effective shields up strategy: zero trust.

Industrial leaders are familiar with the idea of zero trust, and many companies have started working toward adopting the strategy. But there are some unique challenges in implementing zero trust, which organizations can address by answering several questions. What are the key elements for zero trust in an industrial setting? How best can organizations go about implementing it? And how can they anticipate and deal with the complications that may arise?

Where zero trust can go wrong

For companies in the industrial sector implementing a zero-trust solution to secure critical systems, it’s helpful to begin by recognizing where things can go wrong.

In identifying critical systems—the most important ones to protect—it can be a mistake to classify them solely on the tasks they perform. You need to consider the vulnerabilities they present in a connected, automated environment involving the Internet of Things and the cloud. For example, an IT billing system might not seem as critical as a manufacturing system, but it becomes critical when connected to operational technology (OT).

To put that another way, company executives need to have a thorough understanding of how all of the “things” in their enterprise communicate with each other and the risk each one poses if it’s compromised.

Another mistake would be to apply the same approach to OT and IT systems. It’s a common misconception that because they’re connected, they operate in the same way. OT operates differently from IT, and often includes old, unpatched software and operating systems like Windows XP – a persistent vulnerability for operational technology. Outdated VPNs that were not made to provide access to critical systems and applications are a common threat too. When a VPN is compromised or credentials are stolen, it can allow for lateral movement across the network, because VPNs don’t isolate systems or protocols. Unfortunately, this is a tactic attackers have used successfully before. The Crash Override attack that took down the Ukrainian power grid in 2016 started with compromised VPN credentials. And more recently, Russian hackers used a variation of that exploit last year in an attempt to create a blackout in eastern Ukraine.

OT systems, including Supervisory Control and Data Acquisition (SCADA) and other Industrial Control Systems (ICS), require their own logical access and security layer. Both OT and IT need comprehensive security via a zero-trust strategy because their interconnectedness via networking, IP and ICS protocols makes them critical to each other. But many OT systems need a simpler, more flexible and still secure access solution.

The technologies and techniques of Zero Trust

First and foremost, zero trust and a shields-up posture represent a cultural change for organizations, but that mindset has to be supported by an effective use of technology. Multi-factor Authentication (MFA) is an essential step. It’s proven to significantly reduce credential compromises—Microsoft says it blocks 99.9% of them—yet only 22% of enterprises have deployed it. Companies need to require MFA (such as a combination of passwords, tokens or biometric features) for access, including access to sessions involving data in transit. End-to-end encryption for any communications involving IT, OT and the internet should also be standard, all the way to browser-based thin clients at the endpoints.

Among the most important elements of zero trust is its granularity of authentication controls, which need to be extended to all OT network assets, including programmable logic controllers (PLCs). Organizations should also apply flexible role and time-based access controls for users and vendors, including all remote access connections. Full-session logging, monitoring and recording—with automated video recording when applicable—is another step to take. And when all that is in place, applying analytics to user sessions, to help detect any unusual user behavior, provides another level of security.
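To make the role- and time-based access controls, the session logging and the session analytics above concrete, here is an added example (not code from the article or any vendor product). The policy table, asset names, user names and session records are all constructed for the demonstration; a real deployment would pull roles from its identity provider and feed the log into its monitoring platform.

```python
"""Role- and time-window access control for OT assets, with a session log
and a simple analytics pass over it. Illustrative example; the policy,
assets and sessions below are constructed, not taken from a real site."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: which roles may reach which asset class, over which
# protocol, and during which UTC hours. Vendors get narrow, time-boxed windows.
POLICY = {
    "plant_engineer": {"assets": {"plc", "hmi"}, "hours": (0, 24), "protocols": {"modbus", "ssh"}},
    "vendor_pump_svc": {"assets": {"plc"}, "hours": (8, 12), "protocols": {"modbus"}},
    "it_billing": {"assets": {"erp"}, "hours": (0, 24), "protocols": {"https"}},
}

# Constructed asset inventory: asset name -> asset class used by POLICY.
ASSET_CLASS = {"plc-01": "plc", "plc-02": "plc", "hmi-01": "hmi", "erp-01": "erp"}


@dataclass
class Session:
    """One access request; 'decision' is filled in by authorize()."""
    when: datetime
    user: str
    role: str
    asset: str
    protocol: str
    mfa: bool
    decision: str = ""


SESSION_LOG = []  # full-session log: every decision, allowed or denied, is kept


def authorize(s, log=SESSION_LOG):
    """Check MFA, role, asset class, protocol and time window; log and return the decision."""
    rule = POLICY.get(s.role)
    cls = ASSET_CLASS.get(s.asset)
    if not s.mfa:
        s.decision = "deny:no-mfa"
    elif rule is None or cls is None:
        s.decision = "deny:unknown"
    elif cls not in rule["assets"]:
        s.decision = "deny:asset"
    elif s.protocol not in rule["protocols"]:
        s.decision = "deny:protocol"
    elif not (rule["hours"][0] <= s.when.hour < rule["hours"][1]):
        s.decision = "deny:outside-window"
    else:
        s.decision = "allow"
    log.append(s)
    return s.decision


def review_sessions(log, deny_threshold=2, asset_threshold=2):
    """Crude per-user analytics over the log: repeated denials or an unusually
    broad spread of assets within the window are flagged for a human to look at."""
    per_user = {}
    for s in log:
        entry = per_user.setdefault(s.user, {"denied": 0, "assets": set()})
        if s.decision == "allow":
            entry["assets"].add(s.asset)
        else:
            entry["denied"] += 1
    flags = {}
    for user, e in per_user.items():
        reasons = []
        if e["denied"] >= deny_threshold:
            reasons.append(f"{e['denied']} denied sessions")
        if len(e["assets"]) >= asset_threshold:
            reasons.append(f"reached {len(e['assets'])} distinct assets")
        if reasons:
            flags[user] = reasons
    return flags


if __name__ == "__main__":
    def at(hour):  # constructed timestamps on one day, UTC
        return datetime(2022, 3, 1, hour, 0, tzinfo=timezone.utc)

    authorize(Session(at(9), "bob", "vendor_pump_svc", "plc-01", "modbus", True))
    authorize(Session(at(9), "bob", "vendor_pump_svc", "plc-02", "modbus", True))
    authorize(Session(at(22), "bob", "vendor_pump_svc", "plc-01", "modbus", True))
    authorize(Session(at(22), "bob", "vendor_pump_svc", "hmi-01", "modbus", True))
    authorize(Session(at(9), "alice", "plant_engineer", "plc-01", "ssh", False))
    for s in SESSION_LOG:
        print(s.when.isoformat(), s.user, s.asset, s.protocol, s.decision)
    print(review_sessions(SESSION_LOG))
```

The point of keeping denied sessions in the same log as allowed ones is that the analytics pass sees both: a vendor account that is repeatedly refused outside its window, or that suddenly spans more controllers than its usual one, is exactly the "unusual user behaviour" the text describes, and it is invisible if only successful sessions are recorded.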

Lastly, network segmentation and isolating protocols are also essential to preventing movement within a network once an attacker has gained entry. No matter how secure the environment, someone’s credential will at some point be compromised. Isolating both IT and ICS protocols will limit any damage.
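As an added illustration of segmentation and protocol isolation (not code from the article), the following check applies a zone-to-zone protocol allow-list to flow records, so that a connection arriving from a VPN address pool straight at a controller over an ICS protocol, or from the corporate IT range at OT over RDP, is reported rather than silently passing. The zone ranges, port mapping, allowed flows and the flow log lines are all constructed for this example.

```python
"""Zone-to-zone protocol allow-list over constructed flow records.
Illustrative example; zones, ports, policy and log lines are made up."""
import ipaddress

# Constructed network zones. In practice these come from the segmentation design.
ZONES = {
    "it_corp": ipaddress.ip_network("10.10.0.0/16"),
    "vpn_pool": ipaddress.ip_network("10.50.0.0/24"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),          # jump hosts, historian
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),  # PLCs and HMIs
}

# Destination port -> protocol label (standard ports, used only for labelling).
PROTOCOL_PORTS = {502: "modbus", 44818: "enip", 22: "ssh", 443: "https", 3389: "rdp"}

# Allowed initiator-zone -> responder-zone flows and the protocols permitted on
# them. Anything not listed is denied; note that no IT protocol reaches
# ot_control and no ICS protocol leaves it, which is the isolation the text asks for.
ALLOWED = {
    ("it_corp", "ot_dmz"): {"https"},
    ("vpn_pool", "ot_dmz"): {"ssh"},
    ("ot_dmz", "ot_control"): {"modbus", "enip"},
}


def zone_of(ip_str):
    """Map an address to its zone name, or None if it is in no known zone."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def classify_flow(src, dst, dport):
    """Return ('allow', reason) or ('deny', reason) for one initiator->responder flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    proto = PROTOCOL_PORTS.get(dport, f"tcp/{dport}")
    if src_zone is None or dst_zone is None:
        return "deny", f"unknown zone ({src} -> {dst})"
    if src_zone == dst_zone:
        return "allow", f"intra-zone {src_zone} {proto}"
    if proto in ALLOWED.get((src_zone, dst_zone), set()):
        return "allow", f"{src_zone} -> {dst_zone} {proto}"
    return "deny", f"{src_zone} -> {dst_zone} {proto} not permitted"


def audit(flow_lines):
    """Parse 'timestamp src dst dport' records and return the denied flows as (ts, reason)."""
    violations = []
    for line in flow_lines:
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        verdict, reason = classify_flow(src, dst, int(dport))
        if verdict == "deny":
            violations.append((ts, reason))
    return violations


# Constructed flow log: a mix of legitimate paths and the lateral moves the
# policy is meant to catch (VPN pool straight to a PLC, IT to OT over RDP).
SAMPLE_FLOWS = """
2022-03-01T09:00:01Z 10.10.5.20 10.20.0.10 443
2022-03-01T09:00:05Z 10.50.0.7 10.20.0.10 22
2022-03-01T09:00:09Z 10.50.0.7 192.168.100.11 502
2022-03-01T09:00:12Z 10.10.5.20 192.168.100.11 3389
2022-03-01T09:00:15Z 10.20.0.10 192.168.100.11 502
2022-03-01T09:00:18Z 192.168.100.11 192.168.100.12 502
2022-03-01T09:00:21Z 10.10.5.20 10.20.0.10 502
2022-03-01T09:00:24Z 203.0.113.5 10.20.0.10 443
""".splitlines()

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_FLOWS):
        print(ts, "DENY", reason)
```

Run against the sample log, the check reports four flows: the VPN address reaching a PLC over Modbus, the IT workstation reaching the same PLC over RDP, the IT workstation speaking Modbus into the DMZ, and a source outside every defined zone. The same allow-list, expressed as firewall rules between the zones, is what actually blocks those flows; running it over flow records as well gives the monitoring side a way to confirm the segmentation holds.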

Shields up should be standard procedure

Cyberattacks have become too sophisticated and persistent for the security controls at many industrial companies to handle. And the potential consequences of a breach can be extremely damaging, not just to the company but to partners, other stakeholders and, in some cases, entire regions if not the entire country.

The “shields up” advisory from the FBI and DHS may have been prompted by the war in Ukraine, but the threat isn’t limited to one event, one country or any malicious group. The need to secure industrial systems is urgent because this critical infrastructure has become a target for attackers, particularly those allied with nation-states. In April, the cybersecurity agencies of the United States, Britain, Australia, Canada and New Zealand followed up the FBI/DHS announcement with a joint advisory warning of Russian cyberattacks against critical infrastructure internationally.

Attacks have been traced to quite a few countries, from China and Iran to India and Turkey, among others. Industrial companies have become a major target in a growing threat landscape. A shields-up posture should be standard procedure for industrial companies, and the way to achieve that is with a zero trust strategy.
