
Zero Trust in Critical Infrastructure

Dec 23, 2024


Written by: Iain Beveridge & Dave Butcher


“75% of its computer servers were vulnerable to cyberattacks.”

Not the type of news headline you want to read, especially when it refers to the UK's Sellafield nuclear reprocessing facility, home to the largest store of plutonium in the world. Yikes!

The Office for Nuclear Regulation (ONR) announced earlier this year that it was taking steps to prosecute the site for cybersecurity failings over the past 10 years. Sellafield has asserted that no cyberattacks took place, but the string of allegations still gives clear cause for concern, including:

  • State actors deploying malware on dated computer infrastructure
  • Hardware running unpatched on old Windows 7 OS
  • Contractors being able to carry USB thumb drives freely on site and connect them to hardware inside the facility

Sellafield recently pleaded guilty to the charges and was ordered by an English court to pay a fine of nearly £400,000.

We were discussing this case and wondered how a nuclear facility with critical national security concerns at stake could have such a poor security posture. We brought up NIS2, the second iteration of the Network and Information Security Directive. This landmark legislation focuses on awareness, resilience and recovery, risk management, and incident reporting for organizations in essential and important industry sectors in the European Union (EU). Energy, including nuclear generation, falls into the Essential Sectors category, although caveats clearly apply: national security considerations inform how much detail about cyber incidents gets reported.

But then we realized … Sellafield is not actually in scope for NIS2, for two reasons. First, the UK is no longer part of the EU, although it is developing its own critical infrastructure cybersecurity legislation. Second, Sellafield no longer produces electricity for the UK; it is now a long-term decommissioning site.

[Graphic: NIS2 industries and sectors]

Transposition into national law

All EU member states were required to transpose the NIS2 Directive into their national laws by October 17, 2024. This means updating existing cybersecurity laws or creating new ones to meet the directive's requirements. Each member state is progressing at its own pace: at the time of writing, Italy, Belgium, Croatia, Hungary, Lithuania, and Latvia have fully transposed, while the remaining countries are not yet compliant.

Country-specific competent bodies

Each EU member state designates a competent authority to oversee implementation and enforcement of the directive. For example, Germany's is the Bundesamt für Sicherheit in der Informationstechnik (BSI), France's is the National Cybersecurity Agency (ANSSI), and Belgium's is the Centre for Cybersecurity Belgium (CCB). Essential and important entities must consult their own country's legislation for the specific details; in some cases it references existing legislation, frameworks (e.g., the NIST Cybersecurity Framework), and certifications (e.g., ISO/IEC 27001 and 27002).

Identity-centric Zero Trust

NIS2 certainly aims to cover the broad spectrum of cybersecurity with its "all-hazards approach." One of the measures it explicitly calls out (Article 21(2)(j)) is authentication: the use of multi-factor or continuous authentication solutions. Continuous authentication is a concept very familiar to those of us championing the virtues of Zero Trust.

Any organization, from those like Sellafield where human life is at stake to less critical ones like the entertainment industry, needs to take cybersecurity seriously. Frameworks such as the NIST Cybersecurity Framework and NIST's Zero Trust Architecture (SP 800-207) exist to help organizations of every size and criticality become secure and comply with new regulations and industry requirements.

Zero Trust is one framework that has gained widespread acceptance. Two of its key pillars are user identity and device identity. In the past, simple mechanisms established both: for users, a username and password; for devices, being on the network was enough. Neither is secure any longer. Stolen and phished passwords are commonplace, and a network location says nothing about whether a device is the one you expect or whether it is patched. We don't know the details of how any attack on Sellafield might have unfolded, but a user identity spoofed with a stolen password could have been one way onto their network.

A better approach to establishing user identity is phishing-resistant multi-factor authentication. Multi-factor authentication is specifically called out as a minimum in NIS2. Phishing-resistant authenticators such as FIDO2/WebAuthn security keys and PIV smart cards go further: the credential is cryptographically bound to the legitimate site, so a look-alike login page cannot harvest anything an attacker can replay. Backing that with digital certificates for device identity gives the same cryptographic binding on the device side and further strengthens defenses against attackers who have already obtained a password.
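As an added example, not code from the original post or from Entrust, the following Go program models why a FIDO2/WebAuthn credential resists phishing where a password does not: the authenticator only signs for the relying-party ID (rpId) it was registered with, the browser (not the web page) writes the real origin into the signed client data, and the server rejects any assertion whose origin or challenge is not its own. The origins, rpId and challenge value are made up for the example, Ed25519 stands in for the ES256 signatures real authenticators usually produce, and authenticatorData (flags, sign counter) is omitted, so this is a model of the checks rather than a drop-in verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Simplified WebAuthn assertion model (an added illustration, not Entrust code);
// Ed25519 stands in for ES256 and authenticatorData (flags, counter) is left out.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds one key pair per relying-party ID (rpId) and never reuses it elsewhere.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func (a *Authenticator) Register(rpId string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failure is unrecoverable in this model
	}
	a.keys[rpId] = priv
	return pub
}

// signedData is rpIdHash || SHA-256(clientDataJSON), the layout WebAuthn signs over.
func signedData(rpId string, clientDataJSON []byte) []byte {
	rpIdHash, cdHash := sha256.Sum256([]byte(rpId)), sha256.Sum256(clientDataJSON)
	return append(rpIdHash[:], cdHash[:]...)
}

func (a *Authenticator) Assert(rpId string, clientDataJSON []byte) ([]byte, error) {
	if priv, ok := a.keys[rpId]; ok {
		return ed25519.Sign(priv, signedData(rpId, clientDataJSON)), nil
	}
	return nil, fmt.Errorf("authenticator: no credential for rpId %q", rpId)
}

// BrowserGet models navigator.credentials.get(): the browser, not the page, writes the
// origin into clientData and refuses an rpId that is not the origin's host or a parent
// domain of it. Origins are "https://host" here (WebAuthn requires a secure context).
func BrowserGet(auth *Authenticator, origin, rpId, challenge string) ([]byte, []byte, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpId && !strings.HasSuffix(host, "."+rpId) {
		return nil, nil, fmt.Errorf("browser: rpId %q not valid for origin %q", rpId, origin)
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := auth.Assert(rpId, cdJSON)
	return cdJSON, sig, err
}

// RelyingParty is the legitimate server: it checks its own challenge and origin, then the signature.
type RelyingParty struct {
	RpId, Origin string
	Pub          ed25519.PublicKey
}

func (rp *RelyingParty) Verify(challenge string, clientDataJSON, sig []byte) error {
	var cd clientData
	switch err := json.Unmarshal(clientDataJSON, &cd); {
	case err != nil:
		return err
	case cd.Challenge != challenge:
		return fmt.Errorf("rp: challenge mismatch (replay?)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("rp: origin %q does not match %q", cd.Origin, rp.Origin)
	case !ed25519.Verify(rp.Pub, signedData(rp.RpId, clientDataJSON), sig):
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// Scenario runs one legitimate login and two phishing attempts against made-up
// origins and returns each outcome (nil means the RP accepted the login).
func Scenario() (legit, phishBrowser, phishRelay error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{RpId: "example.com", Origin: "https://login.example.com"}
	rp.Pub = auth.Register(rp.RpId)
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // one-time value issued by the RP
	// 1. Real site: origin matches, rpId is a parent of the host, signature verifies.
	cd, sig, err := BrowserGet(auth, rp.Origin, rp.RpId, challenge)
	if err == nil {
		err = rp.Verify(challenge, cd, sig)
	}
	legit = err
	// 2. Look-alike site relays the real challenge; the browser will not use the
	//    example.com credential from that origin, so there is nothing to relay.
	_, _, phishBrowser = BrowserGet(auth, "https://login-example.com", "example.com", challenge)
	// 3. Even if a compromised client signed anyway, the attacker's origin sits inside
	//    the signed clientData, so the real RP still rejects the assertion.
	cdEvil, _ := json.Marshal(clientData{Challenge: challenge, Origin: "https://login-example.com"})
	sigEvil, _ := auth.Assert("example.com", cdEvil)
	phishRelay = rp.Verify(challenge, cdEvil, sigEvil)
	return legit, phishBrowser, phishRelay
}
```

Contrast this with a password: whatever the user types into the look-alike page is exactly what the real site accepts, so relaying it works. Here the attacker's page never gets a usable assertion, and even an assertion obtained from a compromised client carries the wrong origin and a challenge that the real server will only honour once. Certificate-based device identity gives the same property on the device side: the private key never leaves the device, and the server verifies a signature rather than a shared secret.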

Whether your organization is actively embracing a Zero Trust philosophy or working to meet a regulation such as NIS2, cyber threats are not going away anytime soon. No organization is immune, and we all need strategies in place to mitigate them and keep raising our security posture.

Learn more about Entrust solutions for secure data, strong identities, and secure payments.
