No utility would have a single key that could be used to open every lock. If it did, all its assets – even the most critical ones – would be vulnerable should some bad actor steal or copy it. Yet many utilities do something very similar when it comes to their electronic environments: They have keys that hackers could swipe and then use to gain access to most, if not all, their systems.
What are those keys? They’re the identities that employees and devices use to connect with the computer applications, networks, and servers they need to do their jobs. That’s because hackers know how to use just a single compromised identity to unlock increasing levels of access within IT and OT environments as they work toward their intended targets. Given that, utilities must develop and implement a cybersecurity strategy that accounts for such a threat and evolve their defenses accordingly.
Utilities should start by understanding the threat, which exists even if they have both strong perimeter defenses (i.e. firewalls) and a segmented environment that segregates their industrial control systems and operational technology (ICS/OT) from their information technology (IT). We know hackers can – and do – breach firewalls and are adept at finding ways to lurk around IT environments as they seek high-value assets. This is where identity can become a risk.
Here’s how: a subject – that is, an individual or a device – uses its identity to access applications, networks and/or servers. Perhaps it’s an employee who signs into their desktop and then, in the course of doing their job, uses that same identity to access a database, a file server, the company’s intranet web server, a collaboration platform, a cloud-based app and next a website. That employee has now created an identity perimeter that encompasses all those components.
Meanwhile, a network or database administrator signs into the IT environment to do their work and accesses some of the same systems as the first employee. Then the administrator accesses a system within the OT environment – not an uncommon scenario in many utilities. All the components the administrator is using are now within their identity perimeter, which also now extends into the OT environment.
Moreover, the first employee’s identity perimeter overlaps with the administrator’s identity perimeter.
In a perfect world, that’s no big deal. But in reality there’s a big risk: if hackers compromise that first employee’s identity, even if the employee has only low-level permissions, they can use it to start unlocking more and more access. Those hackers can use that single compromised identity to move laterally within the environment until they intersect with the administrator’s identity perimeter.
If they can then compromise that administrator’s identity, they can then use it to access systems within the administrator’s reach. In many utilities, that could include the OT environment. And once in that OT environment, the hackers could continue their lateral moves and perhaps compromise another overlapping identity that they can use to access even more critical systems.
The risks that come with these overlapping identity perimeters are not theoretical. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) in 2018 released an alert about an advanced persistent threat (APT) that uses compromised identities to first gain access into IT environments and then harvest credentials to elevate its access. Believed to be Russian-based and known as Dragonfly 2.0, this APT has been targeting the utility and critical manufacturing sectors. Similarly, another entity, known as Xenotime, has been targeting utilities – and more specifically their industrial safety systems – using various attack tactics including credential harvesting. Such threats pose a significant risk to the typical organization, in which a subject (whether an individual or a device) uses the same single identity to access many components of the environment.
Think of it this way: That first compromised identity becomes a key that hackers could then use to gain access to any and all systems that the subject is authorized to access – and then exploit that access to compromise other identities whose access overlaps with it.
Security leaders need to evolve their strategies to account for the risks we’re seeing around overlapping identity perimeters and implement measures to limit those risks. They should first ensure that subjects (whether individual users or devices) only have access to the systems they require to do their jobs and nothing more than that. This is the principle of least privilege, and it keeps a subject’s identity perimeter as small as possible.
That, however, is only the start. Security executives should implement another layer of barriers around assets, particularly critical applications, networks and servers; they can create those barriers by requiring subjects to have a different identity (preferably with multifactor authentication) to access each individual critical asset. This approach limits the size of identity perimeters and can limit overlaps that facilitate the lateral moves that hackers seek to make. In other words, this approach can significantly limit a hacker’s ability to use a single compromised identity to move through the IT environment to escalate permissions and gain access to critical systems and possibly the OT environment itself.
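The overlap-and-lateral-movement scenario described above, and the effect of least privilege plus a dedicated identity for each critical asset, can be checked against an organization's own access data with a small reachability model. The following is an added example, not code from the article or its author: it treats identities and assets as a bipartite graph, assumes (as the article does) that an attacker holding one identity can reach every asset in its perimeter and, at any reached asset, intersect with and take over every other identity that also uses that asset, and then computes the worst-case "blast radius" of one compromised identity. The access maps, identity names and asset names are constructed for illustration.

```python
from collections import deque

# Constructed sample access map (illustrative; not data from the article):
# identity -> set of assets that identity is authorized to sign into.
ACCESS_BEFORE = {
    "employee": {"desktop", "database", "file-server", "intranet",
                 "collab", "cloud-app", "website"},
    "admin": {"database", "file-server", "ad-server", "ot-hmi"},
    "ot-engineer": {"ot-hmi", "ot-historian"},
}

# The same environment after applying least privilege to the employee and
# giving the administrator a separate (MFA-protected) identity that is used
# only for the critical OT asset.  Also constructed for illustration.
ACCESS_AFTER = {
    "employee": {"desktop", "database", "intranet", "collab"},
    "admin": {"database", "file-server", "ad-server"},
    "admin-ot": {"ot-hmi"},                  # dedicated identity, single asset
    "ot-engineer": {"ot-hmi", "ot-historian"},
}


def overlaps(access):
    """Audit helper: {(id_a, id_b): shared_assets} for every pair of
    identities whose perimeters overlap (the places lateral moves happen)."""
    result = {}
    names = sorted(access)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = access[a] & access[b]
            if shared:
                result[(a, b)] = shared
    return result


def blast_radius(access, start_identity):
    """Worst-case reach from one compromised identity.

    Assumed model: the attacker reaches every asset in the held identity's
    perimeter; at each reached asset, every other identity that uses that
    asset is treated as compromised too.  Repeat until nothing new appears.
    Returns (compromised_identities, reachable_assets).
    """
    asset_users = {}
    for ident, assets in access.items():
        for asset in assets:
            asset_users.setdefault(asset, set()).add(ident)

    compromised = {start_identity}
    reachable = set()
    queue = deque([start_identity])
    while queue:
        ident = queue.popleft()
        for asset in access[ident]:
            if asset in reachable:
                continue
            reachable.add(asset)
            # Overlap: anyone else who signs into this asset is now exposed.
            for other in asset_users[asset]:
                if other not in compromised:
                    compromised.add(other)
                    queue.append(other)
    return compromised, reachable


if __name__ == "__main__":
    for label, access in (("before", ACCESS_BEFORE), ("after", ACCESS_AFTER)):
        ids, assets = blast_radius(access, "employee")
        print(f"{label}: overlapping perimeters = {overlaps(access)}")
        print(f"{label}: identities reachable from 'employee' = {sorted(ids)}")
        print(f"{label}: assets reachable from 'employee'     = {sorted(assets)}")
```

In the "before" map the employee's low-privilege identity shares the database and file server with the administrator, so the traversal takes over the administrator, reaches the OT HMI, and from there takes over the OT engineer as well. In the "after" map the employee still overlaps with the administrator on the database, but the administrator's general identity no longer reaches OT; the dedicated `admin-ot` identity is never on an asset the attacker has reached, so the OT assets stay outside the blast radius. Running `overlaps()` over real access data is the audit that shows where identity perimeters need to be split.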
An identity and access management (IAM) strategy that encompasses this approach ultimately helps utilities strengthen their security posture. Of course, this approach should not replace other, existing security measures. Firewalls and segmented networks are still essential elements of a strong security program, as are basic cybersecurity hygiene and a robust employee cybersecurity awareness program.
Still, an identity perimeter security strategy should become one more layer that’s required for a mature defensive position so we’re not leaving any keys that hackers can use to unlock our technology environments.
by Dominick Birolin, CISSP, CISA, NSE3. Vice President of Cybersecurity at Rokster