Critical Infrastructure Is Critically Blind — and Under Attack
Article was written by Darshan Shah, Director of Product Marketing at Gigamon
To successfully defend against attacks, these agencies need to understand what's happening across their entire infrastructure, including enterprise, IoT (and unmanaged devices), and operational technology (OT) networks. The latter are essential to critical infrastructure of utilities, transportation, energy, and more; these networks are traditionally designed for an air-gap environment, which makes them difficult to defend while maintaining the necessary segregation.
Gigamon experts Adam Bouse, Jon Maiman, Taylor Murphy, Michael Musick, and Steve Rich all have extensive experience working with these types of customers. We spoke with them about how agencies that handle critical infrastructure networks can get the visibility they need to thwart bad actors.
GIGAMON: What are the big problems facing agencies today as they defend their critical infrastructure?
MICHAEL: They're affected by things like ransomware and cyberattacks as much as every other organization — and they're also being specifically targeted by nation states. Some agencies also need to defend networks connected to work-from-home environments that emerged during the pandemic. They're facing big vulnerabilities with endpoints that may not be properly secured.
STEVE: The first-order problem is malware and ransomware, of course. On top of this, adversaries are in agencies' environments, stealing relevant information that affects mission-critical infrastructure, holding the IT ecosystem hostage. But the underlying issue is that all of that arises due to a lack of visibility and detection capabilities.
TAYLOR: And the truth is that adversaries aren't kicking in doors or scoping out new methods of entry. They are walking through open doors via mass scans for vulnerabilities they can exploit, spray and pray phishing, or landing encrypted payloads through edge defenses. It's about a 9-to-1 split between opportunistic and targeted attacks.
GIGAMON: What can these agencies do to face these threats?
TAYLOR: Network visibility is the foundation of security. Without proper and complete visibility, your security is a guessing game at best. You can't defend or respond to what you can't see, which is a big reason why the average dwell time for adversaries is still more than 100 days.
GIGAMON: How do you define network visibility? Does it go beyond having firewalls and endpoint detection and response (EDR) systems?
JON: Let me offer a metaphor. Think about your home security system. You've got sensors on all the windows, an alarm system, and sensors on the front door. But why do you also have motion detectors? It's because they capture everything else you missed.
A lot of cybersecurity solutions rely on agents — programs installed on your computers, servers, and other infrastructure that monitor for malware and other adverse events. But those agents can't necessarily see what's happening on the network. Additionally — and this is a big deal for certain agencies — there are some kinds of OT systems, the sort that utilities and transportation agencies rely on, that simply can't have agents installed on them.
There are also legacy hosts that are crucial to some agencies' infrastructure but can't be patched, often because they're so old that the host operating system is no longer supported by the vendor. Security falls back on the network in these cases.
In addition, consider that the U.S. Federal government is shifting to a Zero Trust Architecture (ZTA) mindset, and state and local governments are likely to follow suit. The topic of agents should be considered in this context: Even in environments that do have agent-based defenses, those agents can be evaded or turned off.
The agencies we talk to, including those with OT infrastructure in the utility, energy, and transportation sectors, recognize this challenge, and increasingly realize that network visibility is foundational to ZTA.
STEVE: And a lot of people think of that network activity mostly in terms of North-South traffic coming into and going out of their infrastructure. But that neglects East-West traffic across your internal network, where a lot of agencies lack visibility. Adversaries move East-West across your environment as well as OT systems — in places like dams and power plants, for instance.
In addition, 80 percent of network traffic is encrypted, and that's where malware likes to hide. The ultimate objective is to eliminate all of these and other blind spots.
JON: And don't forget about virtual environments — lots of places have virtual networks that run within a virtual server, and that traffic needs to be monitored too. One of our largest customers mentioned they probably have more virtualized equipment in their critical infrastructure environment than they do in their corporate environment.
Another common blind spot is unmanaged devices, such as some printers, mobile devices, and thermostats. Like some OT systems, many of these devices don't support agents, so network visibility is critical for monitoring their activity.
GIGAMON: So how does Gigamon help agencies get visibility into their networks?
STEVE: We don't supply the security stack — most agencies already have that in place. We make that stack more effective and provide the tools with visibility into all the data-in-motion, regardless of medium. This is critical because you can't expect your tools to protect your environment if they can only look at the 20 percent of your network traffic that's unencrypted.
ADAM: For example, Gigamon can aggregate all network traffic (from physical, virtual, and cloud networks), decrypt it, and push it through the intrusion detection system and other security tools so they have full visibility into their environment.
STEVE: It's also critical to take special precautions when monitoring traffic in an OT environment, because availability is the #1 priority; you have to ensure you're not negatively impacting production traffic when monitoring it. We are seeing widescale, global use of unidirectional tapping as the method of choice to achieve this.
JON: Another problem with any agent-based endpoint system is that when you go to do remediation after a breach, you may find that your adversary has actually disabled the endpoint agent and reporting capabilities altogether. But they can't disable a physical TAP in your environment, which is what we offer.
GIGAMON: Any final bits of advice?
TAYLOR: Cybersecurity strategies need to shift from a mindset where organizations spend all their efforts trying to keep the bad guys out. Experience has shown that adversaries will almost always find a foothold somewhere as a method of entry. We need to educate partners and clients to anticipate these compromises and focus on reducing mean time to detection (MTTD) and mean time to respond (MTTR). There is no such thing as 100 percent protection, but what we can do is detect and respond to threats faster with proper visibility.
Without visibility, an adversary can easily make your intranet into their playground. It's time to shift from a tactical mindset that relies on point products to a strategic view that builds on a foundation of full visibility everywhere. The actual battlefield is where threats are operating, whether it be in the IT on-prem network, an OT or ICS network, virtual, cloud, or somewhere else. Having complete network visibility is ultimately the key enabler to fortifying defenses and responding fast.
Deep Observability 101: What Gigamon offers
How can the Gigamon HAWK Deep Observability Pipeline help you? We craft customized solutions to address our clients' needs, including:
- Network TAPs enable access and visibility to all of your data-in-motion. This includes unidirectional taps that are commonly used in OT environments.
- Aggregation Flow Mapping enables the right traffic to go to the right tools.
- Traffic intelligence, including capabilities like de-duplication, advanced flow slicing, Layer 7 and OT protocol filtering, metadata generation, and more. These capabilities have been used by government agencies, including those that operate critical infrastructure, to reduce irrelevant traffic to tools and significantly cut back on unnecessary tool spend.
- Inline bypass removes single points of failure from your network, with advanced network bypass switch solutions.
- Centralized SSL/TLS decryption frees up decryption from your firewalls and other security tools and offloads them to a central fabric.
- Gigamon ThreatINSIGHT™ Guided-SaaS NDR allows you to stay a step ahead by giving your security teams more time, data, and insight into attacker behavior.