Washington D.C.
Tuesday, February 11, 2025

Prioritizing Critical Infrastructure to Ensure National Security and Citizen Safety

In a “major incident,” state-sponsored hackers recently breached the Department of the Treasury’s computer security guardrails and gained access to unclassified documents. This follows a tumultuous year in which government officials have continuously sounded the alarm over the cyber dangers adversaries pose to the government and, most notably, to our critical infrastructure. Anne Neuberger, deputy national security adviser for cyber and emerging technology, has urged the incoming administration to prioritize building a framework of minimum cybersecurity standards for critical infrastructure organizations, stating, “we must have minimum regulations across critical infrastructure, because if our pipelines and our ports leave their digital doors and windows open, then it’s too easy.”

The latest breach, while alarming, is not an isolated incident. Government agencies and critical infrastructure organizations face cyber threats daily. To address this reality, agencies and organizations must draw lessons from such attacks, heed expert recommendations, such as Anne Neuberger’s, and develop a comprehensive plan to strengthen their security efforts and contain future attacks.  

If standards are not in place, an attack could have significant – and possibly life-threatening – impacts on citizens’ day-to-day lives. However, it’s important to acknowledge that securing critical infrastructure does not come without challenges. Critical infrastructure networks are filled with operational technology (OT) and Internet of Things (IoT) endpoints. Recent research revealed that as many as 50% of OT devices in multiple deployments run legacy, end-of-life operating systems that contain known vulnerabilities; because those devices often cannot be patched or replaced quickly, the realistic goal is to contain them rather than to fix them. The same research found that the U.S. is the primary destination for IoT attack traffic, accounting for 81% of IoT cyberattacks, with IoT malware attacks growing 45% between June 2023 and May 2024. The danger is not confined to the initial breach: the greater risk is the threat actor’s ability to move laterally across OT and the connected information technology (IT) networks before deploying ransomware that disrupts operations.

To address these vulnerabilities and strengthen security systems, agencies and organizations must adopt a Zero Trust architecture, implement segmentation strategies, and apply cyber hygiene and collaboration practices. 

How Zero Trust Ensures Robust Security 

When OT systems were first deployed and IoT devices first appeared, malware, ransomware, and malicious actors were not as prevalent as they are today, and as a result these systems were not designed with security in mind. In today’s threat landscape, however, a security framework is a necessity. Adopting a Zero Trust architecture is one of the most effective ways to ensure robust security for environments that rely on a mix of IoT and OT assets.

Operating under the principle of “never trust, always verify,” Zero Trust is designed to reduce the network attack surface, prevent lateral movement of threats, and lower the risk of a data breach. The architecture takes a proactive stance by treating every access attempt, whether it originates inside or outside the network, as potentially hostile. Being on the “inside” of the network therefore earns no implicit trust: identities and devices are continuously verified, regardless of location, before each access is granted.

By implementing Zero Trust, critical infrastructure organizations and agencies gain more effective OT security: application access is adaptive and context-based rather than tied to network access, and users are granted access only to the applications and systems necessary for their jobs.

Zero Trust is a manageable process that leads to effective and secure results, even for agencies and organizations that are constrained in budget and staff. Unlike many security measures, Zero Trust adoption does not require refactoring applications or re-architecting complex networks, since access policy is enforced in front of applications rather than inside them. Agencies and organizations can also adopt Zero Trust in a staged approach, first setting objectives that prioritize security around their most critical assets and data, and then working through the pillars of CISA’s Zero Trust Maturity Model (identity, devices, networks, applications and workloads, and data).

Segmentation Fosters Resilient Infrastructure 

Zero Trust also applies granular segmentation principles without depending on traditional IP address-based access control lists (ACLs). Rather than solely preventing attacks, segmentation focuses on containing threat actors once they are inside the network, blocking lateral movement, and minimizing operational downtime. Zero Trust Segmentation connects a user to an application on a per-user, per-application, per-device basis, so the decision is made on who is asking, from what device, for which application, and not on what subnet the request came from. It also isolates locations from one another without relying on traditional firewalls or network access controls, so that a compromised site or OT segment has no routable path into the rest of the estate.

Segmentation then creates granular policies that permit network entities to communicate only through controlled, secure channels that enforce organization-specific policies. This approach not only enhances security but also reduces complexity, creating a more agile and resilient infrastructure across the organization.
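As an added example that is not part of the article, and not Zscaler’s product or code, the following Python policy engine shows the per-user, per-application, per-device decision described in the two sections above: every access attempt is evaluated on identity, MFA state and device posture, the source IP is logged but never consulted, unknown applications are denied by default, and a legacy-OS OT endpoint is confined to OT-zone applications so that a foothold there cannot pivot into IT. All users, roles, devices, applications and addresses are constructed for illustration.

```python
"""Added example, not from the article: a minimal Zero Trust policy engine.

Every access request is decided per user, per application and per device,
from identity and device posture. The source IP address is carried for
logging only and never consulted, so a foothold on the OT network grants no
implicit access to IT applications (or vice versa), and the default decision
is deny. All users, roles, devices, applications and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa: bool            # session completed multi-factor authentication


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in the organization's device management
    patched: bool        # at the approved patch baseline
    legacy_os: bool = False  # end-of-life OS, common on OT endpoints


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    application: str
    source_ip: str       # logged, deliberately not a policy input


# Hypothetical per-application policy. "*" means any authenticated role.
POLICY = {
    "scada-hmi":     {"zone": "ot", "roles": {"ot-operator"},                   "mfa": True, "managed": True},
    "historian-api": {"zone": "ot", "roles": {"ot-operator", "plant-engineer"}, "mfa": True, "managed": True},
    "hr-portal":     {"zone": "it", "roles": {"hr-staff"},                      "mfa": True, "managed": True},
    "email":         {"zone": "it", "roles": {"*"},                             "mfa": True, "managed": False},
}


def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Any unmet condition denies; unknown apps deny."""
    policy = POLICY.get(req.application)
    if policy is None:
        return False, "deny: no policy for application (default deny)"
    if "*" not in policy["roles"] and policy["roles"].isdisjoint(req.identity.roles):
        return False, "deny: role not entitled to application"
    if policy["mfa"] and not req.identity.mfa:
        return False, "deny: MFA not completed"
    if policy["managed"] and not req.device.managed:
        return False, "deny: unmanaged device"
    # Contain legacy OT endpoints: they may reach only OT-zone applications.
    # Every other device must meet the patch baseline.
    if req.device.legacy_os and policy["zone"] != "ot":
        return False, "deny: legacy-OS device confined to OT zone"
    if not req.device.legacy_os and not req.device.patched:
        return False, "deny: device below patch baseline"
    return True, "allow"


def lateral_movement_scenario() -> dict:
    """Constructed scenario: an attacker has compromised a legacy OT workstation
    and holds the operator's authenticated session. Returns each attempted hop's
    decision, keyed by a label."""
    operator = Identity("alice", frozenset({"ot-operator"}), mfa=True)
    operator_no_mfa = Identity("alice", frozenset({"ot-operator"}), mfa=False)
    ot_workstation = Device("ot-ws-07", managed=True, patched=False, legacy_os=True)
    laptop = Device("lt-1234", managed=True, patched=True)
    byod = Device("byod-99", managed=False, patched=True)

    attempts = {
        # Legitimate: operator on the OT workstation reaching the HMI.
        "operator->scada-hmi": AccessRequest(operator, ot_workstation, "scada-hmi", "10.20.0.7"),
        # Pivot from the OT foothold into an IT application open to all roles.
        "ot-foothold->email": AccessRequest(operator, ot_workstation, "email", "10.20.0.7"),
        # Pivot into an IT application the operator's role is not entitled to.
        "ot-foothold->hr-portal": AccessRequest(operator, ot_workstation, "hr-portal", "10.20.0.7"),
        # Compliant laptop from an outside address: location is irrelevant.
        "operator-laptop->email": AccessRequest(operator, laptop, "email", "203.0.113.9"),
        # Entitled role, but an unmanaged device.
        "operator-byod->scada-hmi": AccessRequest(operator, byod, "scada-hmi", "10.20.0.9"),
        # Session that skipped MFA.
        "no-mfa->historian-api": AccessRequest(operator_no_mfa, laptop, "historian-api", "10.20.0.7"),
        # Application nobody wrote a policy for.
        "operator->unknown-app": AccessRequest(operator, laptop, "plc-debug", "10.20.0.7"),
    }
    return {label: evaluate(req) for label, req in attempts.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in lateral_movement_scenario().items():
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Only the first and fourth requests are allowed. Note that the two hops from the OT foothold are refused for different reasons (zone confinement and role entitlement), while the request from an outside address succeeds because the identity, device and application all check out; an IP-based ACL would have reached the opposite conclusion on both.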

Cyber is Everyone’s Responsibility 

Lastly, cybersecurity is a collective responsibility. Zero Trust architectures and segmentation policies build on, and reinforce, the most basic cyber hygiene practices – such as multi-factor authentication (MFA), timely patching, and regular, tested backups.

However, agencies and organizations can take cybersecurity to the next level by embracing public-private collaboration. Such collaboration brings the two sectors together to establish minimum security requirements and build a shared cybersecurity framework. The private sector can help close the gaps in resources and expertise that many agencies and organizations face by providing threat intelligence and best practices – ultimately enabling faster decision-making.

Collaboration is essential, especially when our national security is at risk. Sharing information and best practices facilitates open and transparent communications between public and private sectors, enabling quicker dissemination of threat intelligence, streamlined responses, reduced downtime, and more agile operations.  

Prepare Now and for the Future

Securing critical infrastructure cannot wait — each day without robust cybersecurity measures rooted in Zero Trust principles puts vital public services and lives at risk. 

The journey to protecting critical infrastructure is long, but by embracing a Zero Trust architecture, segmentation policies, cyber hygiene, and collaborative efforts, agencies and organizations will be better prepared against malicious threat actors and best equipped to mitigate the risk of disruptive cyberattacks.

Hansang Bae
Hansang Bae is Public Sector Chief Technologist, assisting and educating customers in their Digital Transformation journey and in adopting a Cloud-First security posture. Prior to joining Zscaler, Bae was a member of the Citi (Citigroup) Architecture and Technology Engineering leadership team. As one of the six global engineering leads, he was responsible for the datacenter, branch and performance engineering, network management (NMS) tools, and capacity planning groups for all of Citi. He was also an executive member of Riverbed and Netskope prior to joining Zscaler. In addition, as an avid protocol analyst, he sits on the board of the Wireshark Foundation to help steer the open-source project and ensure its continued success.
