How to face the security challenge as a ‘vital infrastructure’ organization?

Sebastiaan Kalshoven
4 min readOct 27, 2022


IT in organizations that are part of a country's vital infrastructure, banking for example, revolves around safe and secure practices. It is no longer enough to show regulatory authorities that you can pass their audits; it is about taking responsibility for the financial ecosystem. It is about defense in depth and being 'secure by design'.

For many IT professionals, security is a theme that is always top of mind. Even outside this audience, it is hard to miss the growing stream of cybersecurity news. The electronics retailer MediaMarkt, for example, suffered a large cyberattack that made the national newspapers. Automotive company VDL Group was also in the crosshairs of attackers last year. More worrying still, utility company Waternet turned out to have security problems, as reported by Follow the Money.

Utility companies are part of the vital infrastructure of the Netherlands. Government bodies such as the AIVD, the NCTV and the Scientific Council for Government Policy (Dutch: Wetenschappelijke Raad voor het Regeringsbeleid, WRR) have been warning for years about the disruptive fallout when security practices are not up to par. Digital payments are part of this vital infrastructure too. How should banks approach this? For de Volksbank, like other banks, the trend has been away from a 'tell me / show me' relationship with regulators and towards actively taking responsibility.

Proven measures.

One of the first things that comes to mind when talking about security in vital infrastructure is safeguarding the continuity of key processes. A measure that has been coming up a lot in conversations about security lately is the 'air-gapped backup'. The concept is anything but new and has been used for decades: a backup copy stored on a medium that is not reachable over the internet or any other external connection. Air gapping fits naturally into the 3-2-1 backup strategy that is generally regarded as best practice: three copies of your data, on two different types of media, with one copy kept safely off-site. The off-site copy is the natural candidate for the air gap, because a copy that nothing on the production network can reach is the one that survives ransomware that encrypts or deletes everything it can see.

Though it might not be new or especially exciting, air gapping is a powerful weapon for cyber resilience. Organizations can choose between various approaches to shape their backup strategy. Tape storage is the traditional form of air gapping: a cartridge in a safe is physically disconnected. With the emergence of modern storage media, organizations are increasingly opting for a 'logical air gap', which uses network segmentation, separate identities and access controls to isolate backups from the production environment and from the primary backup environment. Especially when processes are automated, this is more efficient: no more cumbersome logistics around rotating tapes. The flip side is that a logical gap is only as good as the controls that implement it. Admins must encrypt data both at rest and in transit, keep the credentials that can read or delete backups out of reach of the production environment, and make backup copies immutable (write-once, with a retention lock) so that an attacker who has compromised production cannot overwrite or delete them.
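The logical air gap described above is, in the end, a set of controls: separate identities for writing and restoring backups, write-once storage, a retention lock that binds even the backup administrator, and an integrity check before a restore. As an added example, not code from the original article or from de Volksbank, the following Python model shows those controls working together and plays through what an attacker holding stolen production credentials can and cannot do. The class and principal names (ImmutableVault, PROD, BACKUP_ADMIN, attempt) are hypothetical and the backup payload and clock are constructed.

```python
"""Logical air gap for backups: write-once storage, a retention lock and
separated identities, modelled with the Python standard library.

Added example; not code from the original article or from de Volksbank.
All names here are hypothetical; a real deployment gets the same semantics
from an object-lock service or a hardened backup appliance. Encryption at
rest and in transit belongs to the storage layer and is not shown here.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class AccessDenied(PermissionError):
    """A principal tried something its role does not permit."""


@dataclass(frozen=True)
class Principal:
    name: str
    can_write: bool = False
    can_read: bool = False
    can_delete: bool = False


# Production only ever appends new backups: with stolen production
# credentials an attacker can neither read (exfiltrate) nor delete copies.
PROD = Principal("prod-backup-writer", can_write=True)
# A separate backup-admin identity restores and eventually expires old data.
BACKUP_ADMIN = Principal("backup-admin", can_read=True, can_delete=True)


@dataclass
class LockedObject:
    data: bytes
    tag: bytes              # HMAC-SHA256 over data, verified before restore
    retain_until: datetime  # compliance-mode lock: nobody deletes before this


class ImmutableVault:
    """WORM store isolated from production by identity rather than by cable:
    objects are write-once, deletion is refused until retention has passed
    (even for backup-admin), and the integrity key never leaves the vault."""

    def __init__(self, integrity_key: bytes, retention: timedelta, clock=None):
        self._key = integrity_key
        self._retention = retention
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._objects: dict[str, LockedObject] = {}

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def put(self, who: Principal, name: str, data: bytes) -> None:
        if not who.can_write:
            raise AccessDenied(f"{who.name} may not write")
        if name in self._objects:
            raise AccessDenied(f"{name} already exists; objects are write-once")
        self._objects[name] = LockedObject(
            data, self._tag(data), self._clock() + self._retention)

    def get(self, who: Principal, name: str) -> bytes:
        if not who.can_read:
            raise AccessDenied(f"{who.name} may not read")
        obj = self._objects[name]
        if not hmac.compare_digest(obj.tag, self._tag(obj.data)):
            raise ValueError(f"{name}: integrity check failed, do not restore")
        return obj.data

    def delete(self, who: Principal, name: str) -> None:
        if not who.can_delete:
            raise AccessDenied(f"{who.name} may not delete")
        until = self._objects[name].retain_until
        if self._clock() < until:
            raise AccessDenied(f"{name} is retention-locked until {until:%Y-%m-%d}")
        del self._objects[name]

    def names(self) -> list[str]:
        return sorted(self._objects)


def attempt(vault: ImmutableVault, who: Principal, name: str,
            actions: tuple[str, ...] = ("overwrite", "read", "delete")) -> dict[str, str]:
    """Try each action as `who` and report its outcome; used to play an
    attacker (ransomware) who holds stolen production credentials."""
    outcome: dict[str, str] = {}
    for action in actions:
        try:
            if action == "overwrite":
                vault.put(who, name, b"encrypted-by-ransomware")
            elif action == "read":
                vault.get(who, name)
            else:
                vault.delete(who, name)
            outcome[action] = "succeeded"
        except AccessDenied as exc:
            outcome[action] = f"denied ({exc})"
    return outcome


if __name__ == "__main__":
    now = datetime(2022, 10, 27, tzinfo=timezone.utc)  # constructed clock
    vault = ImmutableVault(b"vault-only-key", timedelta(days=30), clock=lambda: now)
    vault.put(PROD, "core-2022-10-27.bak", b"constructed backup payload")
    print(attempt(vault, PROD, "core-2022-10-27.bak"))                        # all denied
    print(vault.get(BACKUP_ADMIN, "core-2022-10-27.bak"))                     # restore works
    print(attempt(vault, BACKUP_ADMIN, "core-2022-10-27.bak", ("delete",)))  # still locked
```

What the model makes visible is why the production identity must be write-only and why the retention lock must bind the administrator too: a single stolen production credential, or a coerced admin, would otherwise be enough to undo the gap. Real object-lock services express the same two rules as a write-only policy for the producer and a compliance-mode retention period.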

Strong governance matters.

Unsurprisingly, focusing on just one link in the security chain is not nearly enough. Security should be paramount, everywhere, and an integral part of DevOps. In the overarching trend towards rapid delivery of IT functionality, there is always a danger that the focus on security erodes. A SecDevOps approach has several advantages in an agile environment, such as better integration between development, testing and operations. It also reduces risk through monitoring and early reporting of potential problems. Finally, combining security with automation reduces risk further and lets DevOps teams make an even bigger impact on the business.

Above all, strong governance matters when you take full responsibility for security in a vital infrastructure organization. At the end of the day, risk can never be fully eliminated. Even if your internal processes are 'safe', recent cases show that attackers can still get in through third parties or through weak points in libraries. In the Netherlands, the municipality of Buren recently made headlines: data was stolen after attackers misused a supplier's login credentials. A more high-profile case was the hack of identification and authentication provider ID-ware, the company that manages access passes for Dutch members of parliament. Internationally, the Okta breach drew controversy; attackers used a VPN exploit to get into a legacy system at a third-party vendor and attacked networks from there.

The right mindset.

Good governance entails the right controls on what is allowed within an organization (e.g., within DevOps) and what is not: for example, refusing the use of unapproved libraries to prevent supply-chain compromises. In the end, however, your security chain is only as strong as its weakest link, and more often than not that weakest link is a human. Promoting and fostering good security practices is an ongoing task a company should never slack on. And in the end it is always a combination of measures that 'does the trick'. So think about defense in depth, SecDevOps and Security by Design; have strong governance; and use automation wherever possible to test your measures and to monitor for suspicious network activity. The right tooling (e.g. Microsoft Azure Sentinel) can help, but it always comes down to the right security mindset: be aware of everything you are doing right now and make sure it is the best you can do to keep your organization safe.
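One concrete form of the 'unapproved libraries' control is a CI gate that fails a build whose dependencies are not on a reviewed allowlist. The script below is an added example, not tooling from the original article or from de Volksbank: it checks a pip requirements file against a constructed allowlist and also catches the quieter ways a dependency slips past review, namely unpinned versions, missing hashes, direct URL requirements and alternative package indexes. The package names, versions and digests in the sample are constructed placeholders.

```python
"""Dependency allowlist gate: refuse builds that pull in libraries the
organization has not approved.

Added example; not tooling from the original article or from de Volksbank.
The allowlist, the requirement lines and the digests are constructed
placeholders. A real pipeline loads APPROVED from a reviewed repository
and runs check_requirements() as a CI step that fails the build.
"""
from __future__ import annotations

import re

# Normalized package name -> approved versions. Constructed sample.
APPROVED: dict[str, set[str]] = {
    "requests": {"2.28.1"},
    "cryptography": {"38.0.1"},
    "pyyaml": {"6.0"},
}

# Subset of the pip requirement syntax: name[extras] <op> version <options>
_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<op>==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#]+)?\s*(?P<rest>.*)$")

# Options that point pip at another package source (dependency confusion).
_ALT_SOURCE = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def normalize(name: str) -> str:
    """PEP 503 name normalization so PyYAML, pyyaml and PyYaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text: str, approved: dict[str, set[str]] = APPROVED) -> list[str]:
    """Return one finding per violation; an empty list means the file passes."""
    findings: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("-"):
            # pip options: -r includes are fine, alternative sources are not
            if line.split()[0] in _ALT_SOURCE:
                findings.append(f"line {lineno}: alternative package source refused: {line}")
            continue
        if " @ " in line:
            findings.append(f"line {lineno}: direct URL requirement refused: {line}")
            continue
        m = _REQ.match(line)
        if not m:
            findings.append(f"line {lineno}: unparsable requirement: {line}")
            continue
        name = normalize(m["name"])
        if name not in approved:
            findings.append(f"line {lineno}: {name} is not an approved library")
            continue
        if m["op"] != "==" or not m["ver"]:
            findings.append(f"line {lineno}: {name} is not pinned with ==")
        elif m["ver"] not in approved[name]:
            findings.append(f"line {lineno}: {name} {m['ver']} is not an approved version")
        if "--hash=" not in m["rest"]:
            findings.append(f"line {lineno}: {name} has no --hash, so a substituted artifact would go unnoticed")
    return findings


# Constructed requirements.txt; the digests are placeholders, not real ones.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.28.1 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
cryptography>=38
PyYAML==6.0 --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
left-pad==1.3.0
--extra-index-url https://pypi.example.internal/simple
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run against the sample, the gate reports the unpinned and unhashed cryptography line, the unapproved left-pad package and the extra index; the two fully pinned, hashed, approved lines pass. Hash pinning is the part teams most often skip, yet it is what turns "we approved version X" into "we approved this exact artifact".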

Sebastiaan Kalshoven

Writing about relevant topics supporting continuous improvement.