Future-Proof Authentication: The Impact of the Colonial Pipeline Attack
Our top 5 takeaways on the security vulnerabilities in the manufacturing, energy, government, and transportation industries
by Nicolas Malbranche
When discussing cyberattacks, we often focus on the issues they cause within your organization – the disastrously high costs, the privacy loss for employees, or the amount of time and resources it requires of your IT team. However, last month we saw that cyberattacks have impacts far beyond your network. The Colonial Pipeline attack shows that when cybercriminals focus on critical infrastructure, they have a widespread impact. This is because of the physical assets that are put at risk, and the large populations that rely on energy, manufacturing, government, and transportation industries.
While information on the pipeline attack is still emerging, the US government has taken swift action to issue a cybersecurity-focused executive order and multiple legislative bills relating to the incident. As IT leaders consider what this could mean for their cybersecurity infrastructure, it’s time to take a step back. How do vulnerabilities in critical infrastructure leave organizations open to attacks like this? How can organizations improve and modernize their systems? Should they be planning for increased regulation in the future?
The maintenance struggles of legacy systems
Cyberattacks often occur through legacy systems the company has been using for years. Although these systems offer essential technology that is widely used across the organization, they also rely on sometimes outdated, out of support technologies, and/or require knowledge and skills that are increasingly harder to maintain. As a result, they are prime targets for anyone looking for a way in.
With the executive order and cybersecurity bills encouraging the modernization of cybersecurity infrastructure, companies have an opportunity to improve the security standing of those legacy systems. Enabling multi factor authentication is often the obvious first step. Companies that don’t have the time, resources or expertise to handle this can rely on a cloud provider like Axiad to effectively implement a solution that offers the flexibility of multiple methods, managed though a unified user experience, centrally managed and audited.
The problem with passwords
Many past attacks have highlighted not only issues with legacy infrastructure, but also out-of-date authentications methods like passwords. We discussed the issues surrounding passwords previously and why companies need to move to passwordless authentication sooner rather than later. Because passwords are easy to intercept, guess, or steal, hackers can gain access to numerous systems from just one account login.
Although passwords might seem simpler because they’re the old status quo, the cost of cyberattacks show that they are not worth it. By implementing stronger authentication solutions, businesses can prevent hacks from starting and spreading through their organization. If businesses haven’t already invested in multi-factor authentication, the time is now. MFA ensures you go beyond password authentication with biometrics, facial recognition, hardware tokens, and smart cards. Advanced MFA tools that meet security standards such as FIDO and PKI authentication enable even stronger assurance against threats.
Don’t forget machines and IoT devices
A key consideration for any operations-based industry such as manufacturing, energy, or transportation is machine identity management. An increasing range and number of devices are connecting to your ecosystem and expanding your security perimeter. Gaining access to one security camera, robot, etc. can put your whole network is put in danger.
PKI technology can authenticate these machines as well as your users by issuing devices certificates. This gives you a higher level of confidence that your data is flowing to a trusted endpoint, and associated transactions are legitimate. Although PKI is sometimes viewed as complex to deploy and maintain, we offer it as one component of our turn-key cloud-based solution. This allows your team to rest assured their machines are verified and secure, without the day-to-day maintenance required for a traditional PKI.
Time to prepare for stricter compliance
Many regulated industries already must meet high standards of cybersecurity in order to operate – for instance, government contractors need to comply with NIST SP800-171 and soon CMMC to bid on. These standards require businesses to implement strong authentication technology to prove that they are not vulnerable to cyberattacks. But as made clear by what we see in the news almost daily, attacks are not limited to those industries, and new legislation will require all organizations to enforce a security baseline.
New security requirements can be overwhelming for many organizations to navigate and often require multiple new authentication technologies for the IT team to manage. For this you want a knowledgeable security partner that has a solution that can be scaled as you deploy new technologies. At Axiad we encourage customers to implement authentication technology that goes above and beyond the current standards, so they can easily meet any new requirements that are introduced in the future.
Know who to trust
Cloud-based services are a great way to quickly achieve and maintain goals that would have required a much larger investment in-house. But when selecting a provider for any online services, you must keep in mind that you’re effectively passing on to those providers your key security requirements. For this reason, you should make sure they have solid security controls which are documented, tested, and effectively audited. At Axiad for instance, we have a corporate information security program based on the NIST Cybersecurity Framework and ISO 27001. On top of this, for Axiad Cloud we chose to implement NIST SP 800-53 security controls mapped to the Moderate controls which are audited regularly, and certified SOC2 Type II annually.
Final Thoughts
As cyberattacks on critical infrastructure like the Colonial Pipeline become increasingly frequent, IT leaders need to consider the long-term impact of their cybersecurity investments. No industry can afford to leave legacy solutions unprotected, or rely on dated password-based technologies for their critical infrastructure.
About the Author
Nicolas Malbranche is a Senior Technical Consultant at Axiad.