Why Critical Infrastructure Environments Need Passwordless Authentication
Critical infrastructure organizations – water, natural gas, power, transportation, and more – remain a top target for cybercriminals in the United States today. The highly publicized Colonial Pipeline incident back in 2021 put critical infrastructure attacks in the spotlight, and we’ve seen continued attempts ever since. In the case of Colonial, threat actors got into the organization’s network through an exposed password for a VPN account, and the resulting damage left half of the East Coast without refined oil.
Fast forward to the present day: Microsoft reported that critical infrastructure cyberattacks doubled in 2022 from 20% to 40% of nation-state-sponsored attacks. These types of cyberattacks are continuing to increase at an alarming rate, and critical infrastructure organizations – as well as government and defense contractors who are often closely linked to them – need to reevaluate which tools and technologies will have the most impact in defending against these targeted threats.
Government Intervention Mandating and Recommending Passwordless MFA
Because of the increasing threat to critical infrastructure organizations, the U.S. government has stepped in via a White House Executive Order and Fact Sheet on improving the nation’s cybersecurity, which mandates security measures, including strong passwordless multi-factor authentication (MFA), for government agencies. The executive order also strongly recommends the use of this technology for critical infrastructure organizations.
The order also states: “The Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
Security Challenges of Critical Environments and Implementing Passwordless Authentication
Passwordless MFA is a major step in the right direction when it comes to shoring up critical infrastructure security. But we would be remiss if we didn’t acknowledge that critical infrastructure organizations, government agencies, and the defense industrial base have unique IT environments that come with several distinct authentication management challenges:
- They often run on-premises, air gapped environments that are isolated from public networks and the internet. Air gapping is so common in critical infrastructure, government, and defense because of its security implications – if a network is not connected to the internet, it’s extremely difficult for cybercriminals to infiltrate it. From an authentication perspective, however, a lack of connection can be a problem because not many passwordless authentication solutions can operate without one.
- There is a lack of IT presence. Because many critical infrastructure environments are located in remote, harsh conditions (e.g., a ship or drilling platform), IT professionals simply can’t be onsite to fix an authentication issue. Complicating matters, without a public connection to the environment, they can’t even “remote in” to solve problems. Because IT help can be hard to come by, end users facing an authentication problem have nowhere to turn. This leaves them not only frustrated but also unproductive, because they can’t do their job if they’re locked out of their accounts.
- Rugged conditions demand durable authenticators. Demanding physical environments require multiple hardware authenticators that can stand up to them, such as PIV cards, smart cards, and USB keys.
Bringing Passwordless Authentication Capabilities to Critical Environments
Unique challenges require a unique solution, and Axiad has delivered with its new Unified Credential Management System (UCMS) package called Passwordless for Air Gapped and Critical Environments. This package brings passwordless authentication and end user self-service capabilities to air gapped and critical infrastructure environments that rely on Microsoft Security solutions. Overall, the package helps government agencies as well as critical infrastructure and defense industrial base (DIB) organizations maximize security and end-user acceptance and minimize security overhead. Specifically, it helps them overcome the challenges above by:
- Successfully running in air gapped environments: The package’s architecture is made to operate in air gapped environments and to seamlessly interoperate with existing authentication and infrastructure investments without requiring upgrades. The package fully leverages and extends the life of Microsoft authentication (e.g., Microsoft Active Directory Federation Services) and infrastructure (e.g., Microsoft Windows Server) investments.
- Offering strong authentication: The package provides government-grade FIPS 140 validated passwordless authentication with the flexibility needed to accommodate the full range of needs of employees, contractors, vendors, and suppliers. For example, it offers a range of passwordless options, including both physical (YubiKeys, smart cards, PIV cards, USB keys, etc.) and platform (virtual smart cards) authenticators.
- Providing powerful self-service capabilities: Axiad AirLock, which provides help desk automation by eliminating temporary passwords, offers self-service credential enrollment, and Axiad MyCircle offers self-service account recovery within a trusted circle of colleagues rather than waiting for the help desk to respond. Both help to increase operational efficiencies for frontline workers and reduce IT costs.
With this new package, Axiad is easing the unique authentication management challenges faced by government agencies as well as critical infrastructure and DIB organizations. Additionally, the package provides seamless interoperation with Microsoft Security solutions, making it easy for these three stakeholders to leverage their existing technology stacks.