Here's why critical infrastructure keeps getting hacked

Every organization will be quick to say that its systems are secure and a breach won’t happen. In fact, according to a recent report by Skybox Security, 73% of CIOs and CISOs are "highly confident" they will not suffer an operational technology breach in the next 12 months. Yet in just the past year, 83% of critical infrastructure organizations suffered a cyber attack that affected operational technology. If history is any indicator, those systems are not as secure as CISOs would like the public to believe. A few other alarming stats:

  • 78% of respondents are challenged by multivendor complexity.
  • 57% of respondents state that supply chain and third-party access is not one of their top three security risks.
  • 54% of respondents stated they do not have a third-party access policy.

Suddenly, that 83% isn’t as shocking. If an organization isn’t protecting its critical access points and assets properly, there will be a hack. It’s just a matter of when, and based on this report alone, that “when” could be any day now. Hackers count on an organization’s apathy, overconfidence, and lack of proper procedures to get in, exploit avenues, and steal valuable information. The practices and techniques that will stop them in their tracks? Critical access management.

How critical access management mitigates cyber threats on infrastructure

Critical access management involves building policy and implementing industry-proven best practices and techniques to help an organization stay safe. It goes beyond VPNs and old-fashioned perimeter security and applies safeguards throughout a system. Through three main pillars (access governance, access controls, and access monitoring), this overarching policy helps an organization keep critical assets safe by protecting the access points. A safe deposit box isn’t secure without the key, the security camera, and the other measures around it. It’s the same for an organization’s operational technology. The threats will always be there, but building defenses is easier than organizations realize. The weakness starts with false confidence and misplaced trust. The false confidence that “it won’t happen to us” and the blanket trust in internal and external users is like opening the vault door for a bank robber. Building an access governance policy where no one is trusted by default, applying granular access controls on top of that policy, and monitoring the most important and high-risk access points is the only way to keep cyber attackers from strolling in and taking what they want.

Best practices for keeping third-party remote access to critical infrastructure secure

One of the reasons the findings about critical infrastructure hacks set off alarms is that a single organization can have thousands of third-party connections. Those connections are highly vulnerable, as there’s no internal HR system to automatically track, provision, and de-provision the users behind them. In addition, many organizations lack proper visibility and access controls for those points of access: 63% of organizations state they don’t have visibility into the level of access and permissions their users have to critical systems. Here’s how critical access management can mitigate that major risk point:

  • Develop a robust access policy that only allows temporary, specific user access for third parties, one built on zero trust network access (ZTNA), where no one, especially an external user, has more access than is needed to do their job.
  • Conduct regular user access reviews to mitigate the risk of access creep. The Colonial Pipeline hack was caused by exactly that: without access reviews, no one noticed that a third-party user’s VPN account was still active.
  • Apply fine-grained access controls and access monitoring procedures to those access points, to prevent unnecessary access and to understand how users reach those points and what happens during each access session.
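As an added illustration (not code from the post, from Imprivata or from SecureLink), the three practices above modeled in Python: each vendor grant is scoped to one system and time-boxed, and a periodic review flags expired grants whose VPN credential is still active alongside grants that were never used or have gone idle. Every class, field name and sample record is constructed for the example.

```python
# Added example: time-bound, single-system third-party grants plus the
# periodic access review that catches access creep. All names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class VendorGrant:
    """One third-party access grant, scoped to a single system."""
    vendor: str
    user: str
    system: str                   # the one asset this grant covers
    granted_at: datetime
    expires_at: datetime          # temporary: every grant has an end
    last_used: Optional[datetime]
    vpn_active: bool              # credential still enabled on the gateway

def access_allowed(grant, system, now):
    """Least privilege: the named asset, inside the approved window, nothing else."""
    return grant.system == system and grant.granted_at <= now < grant.expires_at

def review_grants(grants, now, idle_days=30):
    """Periodic access review; returns (user, reason) pairs to revoke."""
    idle = timedelta(days=idle_days)
    findings = []
    for g in grants:
        if now >= g.expires_at and g.vpn_active:
            findings.append((g.user, "expired but VPN credential still active"))
        elif g.last_used is None and now - g.granted_at > idle:
            findings.append((g.user, "granted but never used"))
        elif g.last_used is not None and now - g.last_used > idle:
            findings.append((g.user, "idle longer than the review threshold"))
    return findings

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_GRANTS = [  # constructed records, not real vendors or systems
    VendorGrant("hvac-co", "tech1", "bms-01", NOW - timedelta(days=2),
                NOW + timedelta(days=1), NOW - timedelta(hours=3), True),
    VendorGrant("scada-vendor", "eng7", "plc-gw", NOW - timedelta(days=400),
                NOW - timedelta(days=300), NOW - timedelta(days=310), True),
    VendorGrant("audit-llc", "auditor", "hist-db", NOW - timedelta(days=45),
                NOW + timedelta(days=30), None, True),
]

if __name__ == "__main__":
    print(access_allowed(SAMPLE_GRANTS[0], "bms-01", NOW))   # True
    print(access_allowed(SAMPLE_GRANTS[0], "plc-gw", NOW))   # False
    for user, reason in review_grants(SAMPLE_GRANTS, NOW):
        print(user, reason)
```

The second record is the Colonial Pipeline pattern from the list above: the engagement ended long ago but the VPN credential was never disabled, and only a review that compares the gateway state against the grant's end date surfaces it.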

Software solutions for preventing critical infrastructure hacks

Many organizations rely on reputation and trust because they believe not only that a hack won’t happen to them, but that implementing access management is too costly, too complicated, and won’t pay off. That couldn’t be farther from the truth. For critical infrastructure organizations, Imprivata Vendor Privileged Access Management (formerly SecureLink Enterprise Access) supports access governance efforts specifically for third-party users and their remote access connectivity into an organization’s network. The solution provides access governance capabilities that are specifically tailored to the unique needs of third parties. Enterprise Access manages all third-party user identities, defines access policy as it applies to each user, and applies that access policy during each remote access session. All of that is done with efficiency and ease. Just one solution can completely transform an organization’s access management and security. Trust is the past and Critical Access Management is the future of critical infrastructure cybersecurity.