SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Video: 10 Minute IT Jams - BeyondTrust on securing critical infrastructure

Thu, 22nd Jul 2021

Cybersecurity has never been more critical. This is the clear message from Scott Hesford, Sales Engineer at BeyondTrust, who joined 10 Minute IT Jams for a conversation about protecting vital assets in a rapidly evolving threat landscape.

BeyondTrust positions itself as a global leader in privileged access management, also known in the industry as PAM. "We offer a wide variety of integrated products within that space. So it's all about really controlling who has access to what, from where and when - that's across both on-premise, cloud and in hybrid environments, including IT and OT environments," Hesford explained.

The technology, coined 'universal privilege management' by the company, is designed to secure everything from passwords and endpoints to workstations and servers. "It also gives organisations visibility and control across those environments as well," said Hesford. "Ultimately the idea is to secure the environment and also boost operational efficiencies."

BeyondTrust's product suite covers endpoint privilege management, privileged password management, and secure remote access. According to Hesford, these capabilities have become particularly important as organisations grapple with complex, distributed IT environments and increasingly sophisticated cyber attacks.

Recent times have seen a growing focus on the need for robust cybersecurity controls, underscored by both government mandates and high-profile breaches. "We've started to see a lot more compliance mandates," noted Hesford. "There's always been a lot of compliance but there's been even more focus recently in light of some attacks on critical infrastructure."

The global trend, Hesford pointed out, accelerated in May when US President Joe Biden issued an executive order aimed at improving the nation's cybersecurity posture, with a focus on threat intelligence and critical infrastructure. Simultaneously in the Asia Pacific region, he said, "we are starting to see a little bit more legislation around the Critical Infrastructure Bill 2020, which really kind of takes the previous one a little bit further in terms of what we need to do there."

In Australia specifically, the government recently updated the 'Essential Eight' cybersecurity framework, changing some wording and broadening the number of agencies that must report to it. "Previously they only had to report on the top four, and instead now they need to report on all eight in the near future," said Hesford, highlighting the increased regulatory scrutiny.

Asked about critical infrastructure that has become a target, Hesford said the range of affected sectors is growing. "All types, actually. It really has expanded in recent months," he said. "There's been a lot of really high profile attacks, and it's not just covering any particular industries."

Hesford referenced the ransomware attack on JBS earlier this year, which aimed to extort money - a goal that was ultimately achieved. The Colonial Pipeline attack in the US, also ransomware, became notorious for its impact on fuel supplies, with long queues at petrol stations across the eastern United States. "We're also seeing attacks on water treatment, in particular," Hesford added, recalling recent incidents in Florida and California where attackers attempted to take control of systems or shut them down.

Closer to home, Australian hospitals have not been spared, with the Eastern Health group of four hospitals in Victoria suffering delays in surgery and disruptions to staff and patient care. "In May the FBI and the Australian Cyber Security Centre issued warnings to airlines, construction, energy, freight, government, health, law enforcement and other organisations regarding a global ransomware campaign," Hesford said, pointing out that this campaign included Australia, China and Indonesia.

He pressed the point that operational technology (OT) systems are especially vulnerable. "Often these kinds of systems in an OT environment are not necessarily designed for remote access, so they don't have the same levels of security controls in place. That's because they're just old in a lot of cases," said Hesford. "They've been around a long time and they're just not designed for it."

Visibility and control are among the biggest ongoing challenges, he argued. "Organisations in a lot of cases are struggling to gain visibility into what employee access policies are going on and what systems are vulnerable to those attacks. Being able to control who has access to what is a particular challenge in a lot of these spaces," Hesford said. Another risk, he noted, is "governing accounts - previous accounts, so older accounts that aren't being de-provisioned or shut down."

Some attacks, he recounted, succeeded by using accounts that were still active, though they should have been closed. "This is a common occurrence. It's not unique to these attacks - it does happen quite a bit out there," he said.

Turning to the role BeyondTrust plays in shoring up defences, Hesford underlined the breadth of the company's solutions. "If we take the Colonial Pipeline attack for instance, that came across a VPN with a set of credentials which should have been deactivated and it appears that the passwords were reused." He revealed that password reuse and weak credential management are a common entry point for attackers.

"A common entry platform into organisations is over virtual private networks," said Hesford. "We often see organisations struggle to really lock down a VPN, meaning that as soon as a person or an attacker gets on the network, they can shift laterally between systems."

BeyondTrust's privileged remote access solution seeks to counteract this by enforcing strict controls over who can access what, and when, replacing or supplementing VPNs with systems that prevent unauthorised lateral movement. "You can store credentials within [a vault], you don't need to ever allow people to see credentials to systems, and that really does expand on the security there," said Hesford. The company also enforces least privilege on Windows, Mac, Unix and Linux systems, tightly governing user activity to further limit risk.

Many customers, he said, choose to use BeyondTrust's Password Safe alongside these measures. This tool automates password rotation and controls, providing alerts on suspicious activity and keeping credentials in constant flux. The cumulative effect is a stronger, more responsive security posture. "Anything going on in an environment, you can get alerted on those kinds of things and that's also an important thing that organisations need to start looking at," Hesford said.

Asked how enterprises can engage with BeyondTrust, Hesford mentioned online resources, including regularly updated blog posts, research and case studies. "There's a lot of really good information... definitely worth checking out," he said.

Throughout the interview, Hesford's message was consistent: the threat landscape is changing, and with that, so too must organisational approaches to security and access control. "Being able to actually have specific sets of access for those users is something that BeyondTrust can do," he said, closing out the interview with a clear call to action for businesses to tighten up privileged access governance before the next attack strikes.
