Today's Zero Trust is Not Enough - Our Framework to Secure America's Critical Infrastructure

Christian Wentz
May 12, 2021 11:45:00 PM
The ransomware attack against Colonial Pipeline, disclosed last Friday, has catalyzed an urgent call to action by the US government and actions from within the private sector to secure our critical infrastructure. Tonight, the Biden Administration released an Executive Order to this effect, urging that we “make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” This Order, following yesterday's CISA/FBI Joint Cybersecurity Advisory (CSA), demands that solutions be sourced within the next 30-90 days to “secure computer systems, whether they are cloud-based, on-premises, or hybrid”, including IT, operational technology (OT), and Industrial IoT (IIoT).  

 

While the emphasis on Zero Trust Architecture (ZTA) described in this Executive Order is a fantastic starting position, today's ZTAs are not enough to mitigate the ransomware and malware attacks we now face. Ransomware attacks are fundamentally about the theft of digital credentials used to authenticate users/machines to critical computing systems, and the subsequent interruption of core operations via encryption of the stored data or other digital blockades. Thus, we need to secure digital credentials on every connected device, to ensure they cannot be stolen by malicious actors. Unfortunately, this is beyond the scope of existing Zero Trust Architecture philosophy. Likewise, malware attacks are the result of injecting malicious code into a system, often by legitimate means. Preventing or mitigating malware attacks requires that we verify the integrity of every connected device from silicon to software. Again, this is outside the scope of current ZTAs. CISA and FBI urge the use of multi-factor authentication (MFA), keeping software up-to-date, and other best practices. Frankly, this “patch and pray” approach, while better than the status quo, is not enough. We are playing a game of whack-a-mole where the vital institutions that underpin the American way of life are at stake.

These problems cannot be solved with piecemeal, point solutions. They must be met with a cohesive framework to ensure trust in our critical digital infrastructure, but any solution must also be deployable on top of existing infrastructure to be practically implemented. The solution meeting the demands of Biden’s Executive Order already exists. This Order mirrors, quite literally, the user requirements spec that has driven development of Gradient’s Trust Fabric over the last several years. In fact, I presented this framework to the CISA community just a few weeks ago during our Spring meeting.

This is more than talk. Gradient’s team of secure computing and cryptography experts has been porting our solution to provide continuous, full-stack protection of infrastructure from IoT and OT edge to cloud, with support for the most common Industrial IoT/OT gateways and largest public clouds in the US, as well as on-premises server platforms and user-facing workstations. We are up to the task. Let's get together, and get to work.