Last week, the US government delivered the 2024 Report on the Cybersecurity Posture of the United States. As is often the case when I read industry reports, a bit of buried gold in the report caught my eye and resonated with me.
“Disruption alone cannot defeat ransomware or other forms of malicious cyber activity, but it can have a meaningful impact on the problem.”
“Protection is Possible” is BlastWave’s foundational concept. Seeing this in a US Government report gives me hope that not everyone has given up on trying to protect networks. In an unrelated interview about zero trust in the US Military that I listened to while cooking for Mother's Day, Randy Resnick talked about stopping the adversary “in their tracks.” With all the talk about AI and cybersecurity, it occurred to me that it would be helpful to look at some of the tactics employed in ancient warfare and see if they apply to critical infrastructure protection in the same way they protected a town in the old days.
Today, the people running critical infrastructure face more adversaries than ever, including state-affiliated, criminal, and ideologically-motivated actors, all seeking to launch cyber operations against their networks. This is equivalent to kings and lords of the past who had rich lands and wealth that other leaders coveted, so those kings had to figure out how to protect their people and their way of life.
The problem for kings is that you can’t protect your entire domain. So they would put a loose border around their outer perimeter and fortify their central stronghold, the castle or town holding their most valuable resources and people, with massive walls, one or more gates, and possibly a moat. They would then post guards both to man the towers and keep a lookout for invaders, and to man the gates to make sure only authorized people could come into the town, and that when they did come in, they were neither armed nor numerous enough to take over the city.
Aligning with a fortress mentality was how security products were initially visualized and created: build a fortress around your network and let in only the good guys. The problem is that today’s security products have lost sight of this tactic, even though it is still applicable.
First, there are so many gates available (the modern equivalent is open ports and protocols) that the quality of the guards at each gate is … inconsistent. By the time you realize one of your gates has been penetrated or is being exploited, it is too late, and you are reacting and trying to clean up the penetration. Scale works against you when you have too much surface area to guard.
Second, the guards at the gate screened people by recognizing them, asking for a password, or asking why they were visiting and deciding whether to believe them. Today, it is easy to pretend to be someone online, steal that password, or social engineer your way into many networks. To stretch the analogy, since most traffic is encrypted with SSL, all the people entering the gate look the same, and if you can steal that password, you are in. If you can’t steal the password, find another gate (maybe that guard isn’t doing as good a job) or even hide in someone’s cart when they enter to sneak through that gate (the modern equivalent is session or MFA hijacking).
So, how did medieval lords REALLY protect their castles? Build a wall, surround it with a moat, and only let people in who could be vouched for by someone else and had a verified appointment, ensuring:
We can replicate that today for critical infrastructure networks. Build the loose protection using the existing security solutions (aka the IT world) and minimize your risk as best you can. Building a moat around the entire network could be too complicated. But for the critical part of your network, build that moat and leave only a single entrance that isn’t vulnerable to impersonation or stolen credentials. Rely on verified identities for access, not traffic identification. Minimize your guards’ work by forcing attacks down that single path and reducing the attack and reconnaissance noise. Rely on biometrics, not usernames and passwords. Avoid browser-based authentication that is vulnerable to session hijacking.
The old ways aren’t invalid—they worked in the past and can be useful again. Just because the glass moats (firewalls) built around most castles today are see-through doesn’t mean they have to be. 100% protection may not be achievable, but minimizing the attack surface and drastically improving the signal-to-noise ratio of attacks makes detection more effective as well.
Build a BlastShield around your critical infrastructure network. Schedule a demo here.
Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.