Technology Record - Issue 25: Summer 2022

61 to gain full access to various types of ICS assets as well as supervisory control and data acquisition devices. With full access, attackers can then elevate their privileges, move laterally across the network, and disrupt assets in the OT environment. Attacks such as this highlight the need for critical infrastructure organisations to adopt appropriate safeguards for the cloud. To do this, they need to look to the shared responsibility model. They can begin by familiarising themselves with Microsoft Azure's shared responsibility model documentation to understand what parts of the cloud Microsoft is securing. Simultaneously, they can ensure security in the cloud by adopting initiatives such as zero trust. They can implement multi-factor authentication, segment the network, enforce the principle of least privilege, enact other complementary security best practices, and establish a secure baseline configuration for Microsoft Azure using standard guidelines from the Center for Internet Security (CIS). Security would be even easier if critical infrastructure organisations could deploy virtual machine images to the cloud that are already hardened to secure baselines. At the CIS, we agree. Therefore, we developed CIS Hardened Images for Azure and other cloud service providers. These virtual machine images are unique in that they are pre-hardened to the CIS Benchmarks, which are vendor-agnostic secure configuration guidelines developed through consensus by a global community of cybersecurity experts. The NIST, Federal Risk and Authorization Management Program, and other frameworks recognise the CIS Benchmarks and CIS Hardened Images as a secure configuration standard. To help organisations and industries that require compliance to Defence Information Systems Agency Security Technical Implementation Guide (DISA STIG) standards, CIS also offers select CIS Benchmarks and CIS Hardened Images that map to the STIG standards. CIS Hardened Images automate the deployment of the recommendations of the CIS Benchmarks. Critical infrastructure organisations that use them don't need to worry about manually hardening their virtual machine images. They can commit their time and resources elsewhere knowing that they are defended against insufficient authorisation, denial of service, and other threats. According to the Global State Industrial Cybersecurity Survey 2021 from industrial cybersecurity company Claroty, four in five critical infrastructure organisations suffered a ransomware attack over the course of 2021. Nearly half of victims reported that the attack had affected their ICS systems. To protect themselves against ransomware attacks and other cyberattacks going forward, critical infrastructure organisations need to make meaningful security improvements. This includes using best practices like the CIS Controls, CIS Benchmarks, and CIS Hardened Images as part of their efforts to secure their cloud environments and reduce their attack surface. Mia LaVada is product owner of CIS Benchmarks and Cloud

RkJQdWJsaXNoZXIy NzQ1NTk=