Securing Critical Infrastructure

Securing critical infrastructure is essential for our global economy and society.

FREMONT, CA: Events that may weaken the confidentiality, integrity or availability of the services delivered by crucial infrastructure providers and their networks could have important and potentially devastating consequences. Certainly, governments are increasingly focused on this problem. As a result, they are calling for critical infrastructure providers and their IT vendors to implement technical and organizational security measures and prepare for the potential impacts of security incidents.

Qualifying trustworthy IT vendors

Evaluating the entire practices of a vendor's organization should be the initial point. That incorporates assessing the robustness, repeatability and consistency of their secure development practices and transparency about vulnerabilities detected in their products, which is vital for resilience.

While evaluating a point solution is a step in the correct direction, a holistic approach that considers the function of people, processes and technology in protecting critical global infrastructure will yield a far better result. Furthermore, point-product security is fleeting and unreliable if the organization producing the solution lacks the process maturity to consistently demonstrate its trustworthiness.

Security does not end when a vendor places a solution on the market. How a critical infrastructure worker architects, deploys, monitors and keeps its networks and information systems on an ongoing basis is important to secure operations. An active security architecture that is resilient and trustworthy will help prevent, detect and react to cyber threats.

Reliable solutions are products or services that do what is awaited in a verifiable way. Vendors can build security capabilities into technologies at the design phase. These incorporate validation of crypto modules; image signing to create special digital signatures that can be checked at runtime; hardware-anchored secure boot to spontaneously verify software integrity at boot-up; technologies and processes to confirm that the hardware is genuine; and runtime defenses that help protect against injection attacks of malicious code into running software. Moreover, vendors must know what is in their code and why it's there; doing so is fundamental to a mature and secure engineering process.

Vendors can also support network operators in verifying the integrity of their technology once it's deployed in a network operation. But, again, corroborating that the infrastructure hardware and software are working as expected is the key to maintaining the architectural components' good security posture and integrity.

Qualifying secure solutions

Revising procurement regulations to command better assessment of vendor solutions is now delayed. Government regulations should need that any technology deployed in critical infrastructure be procured only from provably trustworthy vendors.

Derive that proof from mandatory security assessments. Instead, start by leveraging baseline measures of adherence to simple security measures already captured in internationally recognized standards like Common Criteria. These are beneficial as a starting point and can serve as appropriate yardsticks for technology deployed broadly in less critical networks.

For mission-critical networks, extensive security assessments should be carried out by recognized, trusted experts. This may involve government agencies performing the testing themselves to ensure the results' quality and the shortage of skilled experts. Testing might also be performed with the support of select, highly qualified testing labs.

This can't be accosted as a mere compliance exercise, as it has become commonplace when assessing basic security standards. Robust security assessments directed at critical networks should employ vigorous and dynamic vetting of numerous critical vendor capabilities:

• Source code verification

• Design documentation

• Actual penetration-style solution testing

• The testing of artifacts and other relevant materials

Escort the assessment to an agreed-upon, secure location where the vendor's intellectual property will be protected.

Be certain the testing procedure keeps pace with market innovations and integrates a rigorous, risk-based approach. To allow efficiency, scale and expediency:

i) Manage product iterations by restricting testing to the updated part of a build. This will overcome the cost and time-to-market implications of testing every version.

ii) Build on proven assessment examples instead of beginning from scratch. Upgrade only when meaningful and collective value can be included.

iii) Collaborate with like-minded governments to build toward mutual recognition of testing, centering on mitigating cyber-risk rather than adhering to local business customs. This will decrease fragmentation across borders and enhance each country's ability to effectively scale its efforts.

Qualifying responsible operations

Emigrating to digital capabilities requires critical infrastructure providers to keep up with the latest threat monitoring and detection technologies. For example, machine-learning algorithms can help detect anomalies from the normal network and user behavior. That data can then be employed for informing control-based policies to mitigate attacks.

The vendor assists the infrastructure provider in deploying and operating their technology most effectively and securely. As operators require tools for onboarding and managing devices, vendors should work with them to guarantee that devices can be tested, provisioned and revised securely. Granting unique device identities, validated at set-up, is just one step in how this could be approached.

Asset, patch and vulnerability management are essential to the total lifecycle management of the security architecture and its elements. Therefore, IT vendors must track a strict process for managing security exposure information related to their solutions and networks.

Infrastructure providers will greatly advantage from requiring transparent and predictable approaches to vendors' vulnerability management and disclosures. That comprises published guidelines for timely vendor action to provide necessary patches.

It's important to patch and improve proactively and not wait until something bad happens.

Verify before trust

Words of confidence are not enough; vendors must demonstrate a range of behaviors that demonstrate they are a trusted partner and then incorporate those behaviors consistently throughout their operations.

With verification checkpoints in place, by working with rightly trusted vendors, and armed with the power of digital capabilities, our critical global infrastructure will be ready for the risks of tomorrow.