CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?

Conventional wisdom suggests the keys to protect critical infrastructure against cyberattacks are network segmentation and OT security. But continued breaches imply those methods alone fall short. In fact, a CISA probe of 121 critical infrastructure networks found that their weakest link is identity compromise. Learn how to leverage an attacker’s perspective to better secure critical infrastructure.

The threat landscape for critical infrastructure has become increasingly perilous, fueled by nation-state attackers and other well-organized threat actors. Spanning 16 sectors vital to U.S. national security, including manufacturing, financial services and government, critical infrastructure organizations face relentless cyberattacks designed to disrupt services, exfiltrate sensitive information or hold entire operations for ransom. 

Because compromising operational technology (OT) is frequently a key objective, security teams understandably focus heavily on OT security and network segmentation. But this strategy has proven too narrow, leaving out critical considerations, such as the role of identity in breaches. In fact, identity compromise offers attackers the most significant exposure gap to gain initial access to critical infrastructure networks and to move laterally.

In this blog, we explore high-profile breaches involving OT and critical infrastructure; look at the role that identity and other MITRE ATT&CK techniques played in those attacks; and provide practical recommendations to improve the security of critical infrastructure by integrating security insights from multiple security domains. 

Identity compromise – a security weak link in critical infrastructure 

The Cybersecurity and Infrastructure Security Agency (CISA), along with the U.S. Coast Guard (USCG), probed the networks of 121 critical infrastructure organizations. Formally called Risk and Vulnerability Assessments (RVAs), these probes were intended to assess an organization’s network capabilities and network defenses against potential threats. The probes map the results to the MITRE ATT&CK framework.

A mid-2023 CISA report and accompanying charts detailed the findings of these RVAs, including that 90% of the time, initial access was gained via identity compromise. The report also said that when combined with other techniques, identity also represents the primary means of privilege escalation, and in turn, an enabler of lateral movement between IT and OT environments. 

This finding is eye-opening, given the widespread use of air gapping, network segmentation and substantial investments in IT and OT security.

MITRE ATT&CK techniques used to gain initial access to critical infrastructure networks

^{(Source: “CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments” report, June 2023)}

The window for disclosing breaches is now 72 hours

Compounding the urgency of the elevated threat landscape, security teams face heightened pressure for transparency and accountability from new legislation aimed at critical infrastructure industries across many countries. The U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the Network and Information Systems (NIS2) Directive in the European Union, for example, mandate that cyber incidents having material impact on critical infrastructure must be disclosed within 72 hours. Beyond increased visibility and accountability, these mandates dramatically shrink the window from the time a suspected breach is identified to when it must be disclosed, driving the need for more effective, preventative security. 

Worth noting, similar mandates have also been enacted for other industries beyond the scope of critical infrastructure.

Network segmentation and OT security alone are insufficient

When it comes to attack execution, the reality is there is much overlap between how attackers gain an initial foothold, escalate privileges and move laterally. This is because fundamentally, all actions that an attacker executes leverage the privileges of either a human or a machine identity. What differs is which MITRE ATT&CK techniques are used to gain those privileges. 

Let’s look at three examples that are highly representative of critical infrastructure breaches:

Colonial Pipeline: The largest publicly disclosed cyberattack against critical infrastructure in the U.S. began when attackers gained initial access to the IT network through a compromised user password and VPN account. Remote desktop protocol was then used to deploy ransomware which exploited unpatched vulnerabilities and escalated privileges. The ransomware then encrypted critical systems. Although OT systems were not directly compromised by the attack, security teams were forced to shut down the oil pipeline to prevent the ransomware from spreading to the OT network. 

Techniques used in the Colonial Pipeline breach

Oldsmar: When attackers targeted the water treatment facility for the town of Oldsmar, Florida, it is believed that they gained an initial foothold using compromised user credentials. Once inside, they took control over an operator’s desktop using existing remote desktop software to access plant control systems, and executed commands which changed sodium hydroxide levels in the water supply to dangerously high levels. Luckily, the operator witnessed the breach and was able to intervene in time.

Techniques used in the Oldsmar breach

NotPetya: One of the most significant and destructive cyberattacks in recent history, NotPetya began with compromised credentials which allowed attackers to gain access to popular accounting software and modify its code. The software provided attackers a backdoor to distribute malware into target organizations. Once deployed, the malware spread quickly using EternalBlue, an exploit which targets a known SMP vulnerability. The Mimikatz post-exploitation tool was used to harvest credentials and propagate laterally often using legitimate Windows administrative and network sharing tools. The breach disrupted critical infrastructure across the globe, from ports run by shipping giant Maersk to radiation-monitoring systems in Chernobyl’s nuclear power plant. 

Techniques used in the NotPetya breach

In none of these cases were OT assets the initial target. But they all involved some form of human- or machine-identity compromise, and spread using a combination of existing vulnerabilities and legitimate remote-management vehicles to escalate privileges, move laterally and achieve a desired goal. 

MITRE ATT&CK techniques used to move laterally in critical infrastructure networks

^{(Source: “CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments” report, June 2023)}

You can’t secure critical infrastructure without complete context

The challenge with virtually every point security tool is that they lack a comprehensive and integrated view of asset, identity and risk relationships across the attack surface. For example, OT security tools frequently lack visibility into IT assets and identities within the OT environment, including weaknesses that can be exploited to ultimately compromise critical infrastructure systems. It is these cross-domain relationships that enable initial access, lateral movement and privilege escalation. Without them, there is no way to effectively distinguish a sea of siloed alerts from true exposures which can disrupt the integrity and continuity of critical infrastructure. 

The Tenable One Exposure Management Platform is uniquely able to address these challenges. It provides complete visibility across the modern attack surface, bridging security silos and prioritizing the detection and closure of exposures that can have a material impact on critical infrastructure. Tenable One integrates rich configuration data and risk data on OT and IT assets from Tenable OT Security, with privilege and risk data on human and machine identities from Tenable Identity Exposure. With it, security staff can visualize and remediate attack paths that traverse converged IT and OT environments. 

This short video demonstrates how Tenable One solves the critical infrastructure exposure problem – disrupting attack paths before attackers can exploit them.

By adopting a horizontal approach to security that emphasizes comprehensive visibility, contextual risk assessment and prioritization of true exposure, organizations can enhance their security posture, drive efficiencies and better protect critical infrastructure from evolving threats. 

To learn more about exposure management, download the whitepaper “Hackers Don’t Honor Security Silos: 5 Steps To Prioritize True Business Exposure.”