Desperate Times; Disparate Measures :: Embracing Zero Trust to Protect Critical Infrastructure - National Information Solutions Cooperative (NISC)


You know what they say about desperate times? They call for desperate measures. In the world of cybersecurity, we like to think disparate measures are the best defense. Now is the time to rethink entirely how you are protecting your business-critical data – and the very access to it.

Electric utility infrastructure is part of the nation's critical infrastructure – and an attractive target for cyberattacks, ransomware and nation-state actors. According to Check Point Research, U.S. utilities saw nearly a 70% increase in cyberattacks in 2024. This increasing threat to critical infrastructure is not just another business concern; it is truly THE business concern.

The time is now to fundamentally change the way you approach securing your networks and your critical operational and customer data. It is imperative to shift strategies to assuming everything is a threat – and working from that assumption to secure all elements of your organization.

“Never Trust, Always Verify”

“Never Trust, Always Verify” is the principle all should embrace, especially as organizations move to the cloud, and that means it is time to embrace Zero Trust Architecture (ZTA). In the simplest terms, Zero Trust assumes that threats can come from anywhere at any time – so nothing is trusted by default.

This security mentality should start at the granular level – at the user, device and even application level – assuming that everything is a threat. Today’s threat landscape makes this approach a necessity.

The Traditional Network Perimeter No Longer Exists

Most electric utilities now manage hybrid environments spanning devices, substations, customer portals, smart meters, cloud services and remote employees. With these environments come increased risks, as the traditional perimeter-based approach to security no longer applies.

Field crews, contractors and third-party vendors and partners require access from varied locations and devices to ensure operations are running smoothly. The control you once had with physical security of the networks and in-house labor oversight has vanished.

Your electric utility is the steward of sensitive customer information, and with that comes great responsibility far beyond regulation and compliance. Ensuring this data is secure and customer data is private is the expectation – and the result of a breach will negatively affect your reputation for years to come.

Zero Trust in Action

While it is impossible to be completely impervious to cyberattacks, one of the tenets of Zero Trust is to contain and isolate potential breaches before they impact operations, service delivery or business-critical data.

At the user level, Zero Trust requires secure, identity-based access while preventing over-permissioned accounts. The focus is to restrict data access to those with a need to know and thereby reduce lateral movement.

At the system level, Zero Trust applies consistent security principles across all systems, ensuring only authorized users and devices access sensitive assets. The Zero Trust approach also highly encourages strong auditing and logging to improve network visibility. This also expands to ensuring new assets are integrated securely while providing a flexible framework that grows with your digital transformation strategy. Overall, Zero Trust provides layered, automated defenses that reduce manual workload and improve detection and response capabilities efficiently and effectively.

A Multifaceted Approach to Security

Interested in what a true ZTA implementation would entail? Here are the key layers to a typical implementation:

Identity Layer

Verifies who the user is, using strong authentication methods such as multi-factor authentication or biometrics, while enforcing least-privilege access through identity and access management (IAM).

Device Layer

Verifies what device is being used, its posture such as operating system version or security status, and whether it should be trusted. Non-compliant devices may be blocked or have access limited.

Network Layer

Microsegments the network to limit lateral movement and applies policies based on identity and device, not location.

Application Layer

Restricts access to specific applications rather than the broader network and uses context-aware policies to enforce access controls.

Data Layer

Classifies and protects data with encryption, data loss prevention and access controls. This layer enforces least privilege for access to sensitive information.

Monitoring & Analytics Layer

Continuously monitors user behavior and network traffic for anomalies, and most critically, enables fast detection and response to potential threats.
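As an added illustration of how these layers combine into a single access decision (example code written for this article, not NISC's code or any product's), the following Python policy decision point evaluates one access request against hypothetical role, network-segment and data-classification tables, applies the device-posture rule of blocking sensitive access but limiting non-sensitive access to read-only, and records every decision for the monitoring layer. All role names, segments, applications, thresholds and sample requests are constructed for the example.

```python
"""Minimal Zero Trust policy decision point (added example, not NISC's code).

Every request is checked at the identity, device, network, application and
data layers; the decision and its reasons are appended to an audit log that
the monitoring layer can query. All names below are hypothetical.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    os_patched: bool        # device posture: OS inside the patch window
    edr_running: bool       # device posture: endpoint agent reporting healthy
    source_segment: str     # network segment the request arrives from
    application: str
    data_class: str         # public | internal | customer-pii | ot-control


# Identity layer: roles permitted per application (least privilege)
APP_ROLES = {
    "billing-portal": {"billing-clerk", "billing-admin"},
    "scada-hmi": {"ot-engineer"},
    "gis-viewer": {"field-crew", "ot-engineer", "billing-clerk"},
}
# Network layer: segments an application accepts connections from
APP_SEGMENTS = {
    "billing-portal": {"corp-lan", "remote-vpn"},
    "scada-hmi": {"ot-zone"},
    "gis-viewer": {"corp-lan", "remote-vpn", "field-mobile"},
}
# Data layer: roles cleared per classification; None = any authenticated role
DATA_ROLES = {
    "public": None,
    "internal": {"billing-clerk", "billing-admin", "field-crew", "ot-engineer"},
    "customer-pii": {"billing-clerk", "billing-admin"},
    "ot-control": {"ot-engineer"},
}
SENSITIVE = {"customer-pii", "ot-control"}

AUDIT_LOG: list[dict] = []   # monitoring layer: one record per decision


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow" | "allow-read-only" | "deny", reasons).

    A failure at any layer denies, except that a non-compliant device
    is limited to read-only on non-sensitive data rather than blocked.
    """
    reasons: list[str] = []
    # Identity layer: strong authentication plus role authorisation
    if not req.mfa_verified:
        reasons.append("identity: MFA not satisfied")
    if req.role not in APP_ROLES.get(req.application, set()):
        reasons.append(f"identity: role {req.role!r} not permitted on {req.application}")
    # Network layer: keyed on segment and identity, never on source IP alone
    if req.source_segment not in APP_SEGMENTS.get(req.application, set()):
        reasons.append(f"network: segment {req.source_segment!r} cannot reach {req.application}")
    # Data layer: need-to-know per classification
    if req.data_class not in DATA_ROLES:
        reasons.append(f"data: unknown classification {req.data_class!r}")
    else:
        cleared = DATA_ROLES[req.data_class]
        if cleared is not None and req.role not in cleared:
            reasons.append(f"data: role {req.role!r} lacks need-to-know for {req.data_class}")
    # Device layer: posture decides between block and limited access
    device_ok = req.os_patched and req.edr_running
    if not device_ok and req.data_class in SENSITIVE:
        reasons.append("device: non-compliant posture, sensitive data blocked")

    if reasons:
        decision = "deny"
    elif not device_ok:
        # Application layer: context-aware downgrade instead of full access
        decision = "allow-read-only"
        reasons.append("device: non-compliant posture, access limited to read-only")
    else:
        decision = "allow"
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "decision": decision, "reasons": reasons, **asdict(req)})
    return decision, reasons


def flagged_users(log: list[dict], threshold: int = 3) -> dict[str, int]:
    """Monitoring layer: users whose denied requests reach the threshold."""
    counts: dict[str, int] = {}
    for rec in log:
        if rec["decision"] == "deny":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample requests, not real accounts or systems
    samples = [
        AccessRequest("a.clerk", "billing-clerk", True, True, True, "corp-lan", "billing-portal", "customer-pii"),
        AccessRequest("a.clerk", "billing-clerk", True, True, False, "corp-lan", "billing-portal", "customer-pii"),
        AccessRequest("f.crew", "field-crew", True, False, True, "field-mobile", "gis-viewer", "internal"),
        AccessRequest("f.crew", "field-crew", True, True, True, "field-mobile", "scada-hmi", "ot-control"),
    ]
    for s in samples:
        print(s.user, s.application, *evaluate(s))
    print("flagged:", flagged_users(AUDIT_LOG, threshold=1))
    print(json.dumps(AUDIT_LOG[-1], indent=2))
```

The second sample is denied outright because the clerk's device lost its endpoint agent while requesting customer PII, whereas the third is merely downgraded to read-only because the field crew member is touching internal data; the fourth fails three layers at once, and each failure is named in the audit record so the monitoring layer sees which control fired rather than a bare "denied".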

Always Assume a Breach

One of the greatest challenges all organizations, from healthcare to the electric utility industry and everything in between, have had to overcome is the hesitancy to declare a breach. Of course, that hesitancy was more wishful thinking than outright denial of a potentially catastrophic event, but the delay as staff scrambled to confirm a breach cost seconds, minutes or even hours in which the incident could have been remediated, or at least interrupted. Seconds are critical during an attack, and a delay while awaiting confirmation can cause irreversible damage.

With Zero Trust, you assume a breach the instant anything out of the norm occurs. In all reality, Zero Trust encourages you not only to prepare for a breach, but to expect one. It isn’t negative headspace; it’s being realistic. With ever-evolving cybercrime and tactics, the threat is more real than ever before. It is absolutely imperative that your organization has a cybersecurity response plan in place … and staff trained and ready to deploy at quite literally a second’s notice. With Zero Trust, the focus is to act, contain and recover first and foremost. And with your staff? It is critical that they not only know the security plan but also practice it. Host a surprise drill. See how everyone performs. And then afterward? Discuss. Critique. Learn. Everyone plays a role in security at your electric utility – and practice makes perfect.

The Power of Zero Trust

The greatest strength of Zero Trust is its layered approach to security. Your organization is no longer relying on a single product or control but rather a foundational, strategic security model that builds defenses across multiple layers of your digital environment. It is an incredibly impactful approach to security – and one that will evolve with your organization as your risk evolves.

[ Jeremy Schoneberg is the Information Security Team Lead at National Information Solutions Cooperative (NISC). Schoneberg can be contacted at jeremy.schoneberg@nisc.coop. ]