Cloud infrastructure has exposed industrial organizations to a new level of cyber risk. In 2020, cybersecurity company Fortinet released a report looking at cyber threat predictions for 2021. The report indicated that threat actors are shifting significant resources to target and exploit emerging network edge environments like the cloud.
Shortly after that report was released, Fortinet’s prediction became a reality. In the December 2020 SolarWinds cyber attack, hackers targeted cloud-based services. The incident indicates that attackers have adapted their attack methodology to match the hybrid on-premises/cloud environments found in many of today’s industrial operations.
“Until recently, OT systems stayed on-premises, locked behind corporate networks,” says Rick Peters, CISO, Operational Technology, North America, Fortinet. “Today, relatively insecure OT devices can introduce weaknesses in the organization’s cloud IT infrastructure.”
Industrial Cyber talked to Peters about what makes cloud technology vulnerable to cyber attack, the challenges of cloud security in operational technology environments, and how industrial organizations can secure their cloud infrastructure.
“Traditional infrastructure security solutions have a well-defined network perimeter, but the cloud does away with this by stretching security to the edges of the network – with IoT devices, for example,” Peters says. “In addition, stewardship and controls change with the cloud. Encryption of data in transit and at rest, and what cloud providers can see and cannot see, now become more important.”
Fortinet’s 2021 Cloud Security Report looks at how organizations respond to security threats in the cloud and which tools and best practices IT cybersecurity leaders prioritize in their move to the cloud. It indicates that cloud security concerns remain high as the adoption of public cloud computing continues to surge in the wake of the pandemic and the resulting shift to remote work.
“The shift to remote for work resulted in a massive shift to cloud-based resources, which means individuals are accessing corporate assets from outside the company’s primary network,” Peters says.
The Fortinet report was based on a global survey of 572 cybersecurity professionals. The survey found that most organizations are pursuing a hybrid or multi-cloud strategy for integration of multiple services, scalability, or business continuity reasons. Survey respondents indicated that the barriers to faster cloud adoption include lack of visibility, lack of control, and lack of staff resources or expertise.
According to the report, 76 percent of organizations are using two or more cloud providers and only 27 percent rely on a single cloud deployment for their business needs. Peters says this can present security challenges for OT environments.
“Another challenge is that adoption of cloud services is heterogeneous; that is, employees are often using different cloud services from different providers, each with different security tools and different native security controls. There’s also typically a level of uncertainty in terms of the extent to which organizations are responsible for securing their own cloud environment,” Peters says. “Cloud providers secure the infrastructure, such as storage and compute resources shared by everyone, but securing data, content, and applications are all the responsibility of the cloud customer. And those security controls need to be built separately inside each cloud environment that has been adopted. If those security solutions aren’t fully integrated and interoperable across multiple environments, then the number and variety of security tools that need to be implemented can compound, quickly overwhelming the resources available to manage them.”
According to the Fortinet report, 67 percent of cybersecurity professionals said misconfiguration of cloud security remains the biggest cloud security risk. This was followed by the exfiltration of sensitive data, unauthorized access, and insecure interfaces/APIs.
“[M]isconfigured cloud-based resources…leave critical OT environments at risk,” Peters says. “Taking advantage of a broadened attack surface, cyber adversaries can target a misconfiguration as they move laterally within the OT infrastructure [and] can cause significant harm.”
According to Peters, shadow IT services are another significant risk to cloud infrastructure.
“Security leaders have no idea which users and business units are using which cloud services or the risk of each of the services,” Peters says. “As for data—both in transit and at rest—there are unknowns involving cloud services such as their security protections and policies concerning industry regulations. There is also a risk of security misconfigurations when transitioning to the cloud.”
The Fortinet report indicates that multi-cloud environments add another layer of complexity and security challenges. According to the report, organizations are most concerned with data protection, followed by a lack of security skills, and understanding how different solutions fit together.
To better secure cloud infrastructure, Peters recommends an adaptive approach to cloud security that extends across on-premises, multi-cloud and hybrid infrastructures.
“Organizations can opt to employ a four-pillar approach to achieve this security objective,” Peters says. “This amounts to implementing a zero-trust framework, along with employing AI and machine learning (ML) coupled with automated processes to detect and neutralize threats quickly. A third pillar is adaptive cloud security, which connects resources to protect from multiple threat vectors while leveraging consistent models and integrating with third-party applications. The fourth pillar is the integration of network infrastructure with security architecture using an integrated security platform to enable access control and segmentation.”