Securing critical infrastructure from modern cyber threats with phishing-resistant authentication

Across the globe, 2024 has seen a whirlwind of change. With ongoing wars, recent political change-ups and more, growth in data breaches targeting critical infrastructure continue to be on the rise. Critical infrastructure is integral to our everyday life - from the energy and natural resources powering our hospitals and providing clean drinking water, telco services enabling critical business communication and connecting with loved ones, financial services managing money and assets, or government institutions protecting citizens. Understanding this, bad actors are increasingly targeting critical infrastructure including OT systems and IoT devices, leveraging ransomware and credential stealing campaigns.

Specifically, targeted phishing attacks lure individuals into providing their credentials to threat actors who then use these credentials to infiltrate corporate networks guised as a legitimate user, all while circumventing certain forms of mult-factor authentication (MFA). This demonstrates the need to strengthen security and resilience of these organizations by engaging international partners and allies.

Every November, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States leads the national recognition of Critical Infrastructure Security and Resilience (CISR) Month. The effort serves to focus on educating and engaging the American public about the vital role critical infrastructure plays in the nation's wellbeing and why it is important to strengthen critical infrastructure security and resilience. Outside the U.S., countries such as Australia also recognize the month of November in a similar way.

While the various sectors of critical infrastructure function and operate differently, they all face the same reality: perimeter-based security is no longer effective to thwart these modern cyber attacks. Further, critical infrastructure organizations are often uniquely vulnerable, with highly complex infrastructure, legacy systems and convergence of information technology (IT) and operational technology (OT) systems. As a result, critical infrastructure organizations face mounting pressure to reduce risk and to adopt a Zero Trust approach that sets identity as the new perimeter in order to combat the cascading and devastating impact that attacks can have on vital business operations.

"One of the greatest cybersecurity threats is the human factor, through phishing attacks when cybercriminals obtain passwords or credentials." Naftogaz-Bezreka Executive yubi.co/Naftogaz

"One of the greatest cybersecurity threats is the human factor, through phishing attacks when cybercriminals obtain passwords or credentials." Naftogaz-Bezreka Executive yubi.co/Naftogaz

The role of phishing-resistant MFA amid an evolving cyber threat landscape

In order to stay ahead of the evolving cyber attacks, critical infrastructure organizations need to evaluate which forms of MFA provide the greatest protection from attack. Not all forms of authentication are created equal, and the MFA strategy you choose can deliver a vastly different ROI in terms of cost, user experience and coverage. To be future-proofed, the MFA investment should reflect the growing regulatory requirement for phishing-resistant MFA, the need to implement Zero Trust, and modern login flows such as passwordless.

Currently, two forms of authentication meet the bar for phishing-resistant MFA: PIV/Smart Card and the modern FIDO2/WebAuthn authentication standard. Passkeys are a new name for FIDO2 passwordless-enabled credentials, a standard that is replacing passwords and phishable MFA logins with more secure passwordless experiences. It's also important to understand that there are different types of passkeys: synced and device-bound, which includes the highest assurance security in the form of hardware security keys like YubiKeys.

Given the vast array of legacy and modern technologies that likely exist within the sectors, organizations need to weigh the risk of what is technically feasible in certain environments combined with protecting critical systems and data with the strongest phishing-resistant technology.

Global regulations reinforcing the need for Zero Trust and phishing-resistant MFA to create phishing-resistant organizations

As the need for stronger cybersecurity continues to be prioritized globally, we're continuing to see the push for stronger cybersecurity best practices that align to Zero Trust and phishing-resistant authentication. Recent examples include the globally recognized Payment Card Industry Data Security Standard (PCI DSS v4.0.1), Network and Information Security (NIS) 2 Directive applicable to the EU, Essential Eight Maturity Model (E8MM) in Australia, and The Monetary Authority of Singapore's (MAS) Cyber Security Advisory Panel (CSAP) in Singapore.

Additionally, joint guidance on Identifying and Mitigating Living Off the Land Techniques was co-authored by CISA and many other global organizations as a collective defense to identify common gaps in cyber defense capabilities. One of the key recommendations is to enable phishing-resistant MFA by default to protect critical infrastructure and software manufacturers.

Within critical infrastructure organizations, every user across the business is a privileged user and should be protected as such. Deploying phishing-resistant authentication across the entire user lifecycle, including registration and recovery processes, is what creates a phishing-resistant user. An enterprise is truly a phishing-resistant enterprise if all users are considered "privileged users" and protected with phishing-resistant authentication. The YubiKey enables organizations to cultivate phishing-resistant users, providing authentication that moves effortlessly with users no matter how they work and across the entire authentication lifecycle.

Global critical infrastructure organizations have already taken strides in implementing this - in fact, a new report published by CISA and the U.S. Department of Agriculture (USDA) details how the USDA successfully implemented phishing-resistant authentication and key recommendations that can help other organizations do the same. Ultimately, creating a secure and resilient world for generations to come depends on what is enacted today both within our countries of residence and understanding how our actions are tied in an "inescapable network of mutuality." Making the business case for phishing-resistant technology has never been more important to secure critical infrastructure in this interconnected world.

Check out our white paper, Securing the world's critical infrastructure against modern cyber threats, to learn more.