Legislation compliance requires privileged access management

Article by Delinea Chief Security Scientist Joseph Carson.

Australia’s Security (Critical Infrastructure) Legislation Amendment Act 2021, passed in December, expands the sectors subject to cybersecurity provisions to include communications, data, finance, water, energy, healthcare, higher education, food, transportation, space technology and defense.

The government can now compel organizations in these sectors to provide information about the systems needed to operate critical infrastructure. It can also intervene directly, under “government assistance measures”, in the handling of cybersecurity incidents. A second round of legislation covering risk management programs and reporting obligations is also before parliament.

The full scope of compliance obligations is not yet set in stone. But many organizations, many of which previously faced minimal cybersecurity compliance obligations, are on notice. With the new government assistance measures, they could face potentially costly interventions during serious cyber incidents.

Critical infrastructure, such as power, water, and transportation, has long been a cyberattack target for threat actors and nation-states. Research from the Ponemon Institute revealed that nine out of ten critical infrastructure providers in the US, UK, Germany, Australia, Mexico, and Japan suffered damage from a cyberattack over a two-year period.

Critical infrastructure organizations around the world are facing increasing regulatory pressure to raise their levels of overall network security and resiliency. Implementing preventative measures and having the ability to report incidents quickly are key to this.

While the detail of compliance obligations varies from country to country, there is one common element. Organizations must have centralized control and oversight of who can access which systems. This is most easily and effectively achieved by implementing Privileged Access Management (PAM).

Prevention of disruptive cyberattacks on nation-states

Modern society relies on critical infrastructure to meet people’s primary needs, such as clean water, food, energy, transportation, and emergency care. Not surprisingly, hostile nation-states are increasingly considering the use of cyberattacks on this infrastructure to cause widespread disruption.

According to research from the Ponemon Institute, nearly a quarter of all critical infrastructure organizations experienced a nation-state attack over two years. Many of these were reconnaissance or readiness missions to get a foot in the door should a future attack be needed.

Perhaps the most notorious example came very early in the war between Ukraine and Russia. In 2015, the information systems of three energy companies were shut down by threat actors using multiple attack vectors, including BlackEnergy malware.

The attack, believed to have been carried out by the Russian-sponsored advanced persistent threat (APT) group called Sandworm, left some 225,000 Ukrainians without power for several hours. Attribution in these scenarios can be extremely difficult without the cooperation of the nation-state.

While the full set of legislative measures has yet to be enacted in Australia, many organizations will need to make urgent cybersecurity investments to comply. At a minimum, they will need appropriate structures, policies, and processes to understand, assess, and manage security risks to the network and information systems that support essential services.

They will also need to take security measures to protect essential services and systems from cyberattacks, along with the capabilities to detect and report any incidents. In the event of a cybersecurity incident, organizations must be able to minimize its impact on essential services.

Risk of non-compliance with legislation

Without significant investments, many critical infrastructure organizations are in danger of not being able to meet their compliance obligations. A key reason for this in many industries is that information security personnel have limited visibility into operational technology (OT) environments. These include hardware, software, and network systems that monitor and control industrial equipment, assets, and processes.

According to Fortinet, 78 percent of chief information security officers (CISOs) have limited centralized visibility into their operational technology. Previously isolated from IT systems, industrial equipment is now mostly connected to the Internet and vulnerable to cyberattacks.

The difficulty of achieving a single view of the diverse and disparate OT systems on which critical infrastructure relies contributes to limited visibility. Having so many different systems makes implementing role-based access control (RBAC) and multi-factor authentication (MFA) difficult, if not impossible, without a purpose-built tool.

There are also risks associated with remote third parties, contractors, vendors or employees connected to critical infrastructure organizations. Fortinet research underscored this, with 65 percent of CISOs saying that such remote access was a serious concern and increased their risk.

Central role of privileged access management

As with IT, OT environments use credentials like passwords to access privileged systems. The main goal of many threat actors will be to get their hands on this information to more easily carry out their attacks. Therefore, having full control and supervision of access to these privileged systems is key to legislative compliance.

Effective privileged access management should enable an organization to implement and control a strong authentication strategy across all IT, Internet of Things, and OT systems such as ICS and SCADA. This includes ensuring a strong password policy, password rotation, RBAC, and MFA.

You should also be able to use threat analysis to detect suspicious activity and automatically force suspicious users through authentication and verification workflows. This should also be extended to remote third parties, contractors, vendors and employees to limit the risk of threats entering the system.

Additionally, being able to view all of this information, as well as audits, alerts, and analytics, through a single pane of glass dramatically reduces the risk and complexity of monitoring activity across systems. It also makes it easier to prove compliance and to provide information to authorities during a cyberattack. This could be critical to avoiding costly government interventions.

Regardless of the details of the final Australian legislation, all critical infrastructure organizations will need to manage privileged access effectively to comply. The fastest, easiest, and least disruptive way to do so is with a PAM solution built for the modern hybrid environments that critical infrastructure organizations run.