Networks today are under increased stress as government workers, technicians and military personnel are accessing critical data from connected mobile phones, custom handheld devices, personal devices and computers that run on different operating systems. The traditional edge point of security has become extended as the network infrastructure and the solutions that support it have developed into a complicated and ever-changing ecosystem.

With the ever-increasing number of devices and operating systems on networks today, patching and virus protection alone are unreliable. To protect against rapidly evolving threats, organizations must establish advanced technologies and comprehensive processes with multiple, flexible layers of defense to identify, prevent and manage attacks. Administrators are beginning to proactively embed network security directly into the network fabric.

Along with the challenges posed by security limitations at the network’s edge, workers are collaborating and sharing important information outside the workplace. In order to secure critical infrastructure in a mobile age, the public sector needs to identify and implement network security solutions that incorporate trust, visibility and resiliency.

Risk Assessment in Today’s Critical Infrastructure

The increasingly global society we live in is moving so quickly that proprietary systems are no longer a reliable option. A world filled with multiple complex networking protocols favors criminals by fragmenting local suppliers, lowering the number of security providers, and decelerating innovation and threat response. Consider the threat imposed by a hacker with months to exploit a bug in a proprietary system versus the days it takes to fix a vulnerability in open source environments.

Global networks are facing new threats daily. Prior to 2001, attacks on these systems were primarily a result of internal sources, for example, dissatisfied employees, misconfiguration or poor operational procedures. The focus has recently shifted towards external attacks. Hackers today are often highly paid mercenaries that are financially motivated or following personal nationalistic reasons, targeting critical infrastructures, government and military networks.

IT administrators in the public sector are considering a variety of issues to help prevent these assaults. For example, some IT administrators are questioning the reliance on open standards-based networking as opposed to traditional proprietary systems. As Internet Protocol (IP)-based technologies and the Internet continue to grow exponentially, even the most closely guarded systems are beginning to take advantage of open-standards capabilities. Commercial Off-the-Shelf (COTS) technologies offer the benefits of low cost, fast implementation, interoperability and agility, allowing them to penetrate up to the highest levels of government and military command.

Critical infrastructure systems are also at a high risk, for example, power grid operations. Energy providers today are skeptical of open standards, and assume that closed industrial systems are safer if not invulnerable. However, this is a false assumption; in 2010, the Stuxnet worm attacked industrial controllers with a removable drive.

A New Approach to Network Security

A new approach is required to support the critical role cybersecurity plays in today’s national security today. Historically, government organizations have faced unique challenges to prevent cyber attacks, often dealing with extended deployment and certification cycles that guarantee technologies will be outdated by the time they are put into use.

To simplify this process, organizations are adopting an integrated architectural approach to the network that addresses evolving security challenges, permitting the protection of assets, detection of security breaches and appropriate remediation once a breach has been identified. This “trust” model has three-layers, which incorporates trusted processes, trusted systems and trusted services.

To reduce risk while strengthening security for the complete lifecycle of an intelligent network, trusted processes are a collection of processes for vulnerable organizations to help securely plan, design, develop, implement and operate systems. Such processes include all operational disciplines relevant to assuring network policy compliance and management, including training, acquisition and monitoring.

The middle layer of the three-layer “trust” model is trusted systems. This includes networking, computing and storage infrastructure, along with input from security intelligence operations (such as incident response teams), advanced research and global cryptography. Here, the integrity and interactions of  hardware and software elements are compliant with global standards, emphasizing security through product assurance, supply chain integrity and global certifications.

•    Product assurance – This includes elements of design and product development, guaranteeing the integrity of hardware or software products. For example, best software development practices, strong processes for managing third-party code security and so on.
 
•    Supply chain integrity – This is the process by which hardware is manufactured and software developed that conforms to appropriate security standards. As a result, studies have proven that procurement from unauthorized suppliers is the weakest link in security governance. Safeguards built into each link of the supply chain, manufacturing, assembly and distribution, secure against tampering or insertion of hardware or software with malicious content. To bridge the gap to security, it is recommended for organizations to purchase solutions from trusted vendors that have robust supply chain standards and strict Common Criteria certification requirements.

•    Common Criteria certification – As an international standard (ISO/IEC 15408), Common Criteria certification is currently recognized across 26 countries as the most reliable evaluation and certification for product security. Performed by independent commercial labs, the evaluations are certified by the certificate-issuing country. These countries require Common Criteria for purchasing network security solutions or in general, products that have security functionalities.

The final layer is trusted services, end-user services and capabilities enabled by the IT system. These services can be hosted inside the network, in the cloud, by discrete devices or by industry providers. Network Access Control (NAC), Intrusion Detection and Prevention (IDP) and Identity-Based Networking Services (IBNS), as well as instrumentation, diagnostics and sensing are all examples of these services. To extend these security capabilities into the cloud, organizations should consider Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).