Securing Critical Infrastructure with XDR

In January, CISA, the FBI and the NSA released a joint Cybersecurity Advisory (CSA), titled Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, that provided an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques and procedures (TTPs), as well as detection actions, incident response guidance, and recommended mitigations.

"Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors," the advisory states. 

"Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware... CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting."

While critical infrastructure defense has always been a high-priority objective, there is still a disconnect in the world of critical infrastructure security when it comes to preparedness. According to a report covered by PRNewswire, a majority (84%) of critical infrastructure organizations indicated they had suffered at least one security breach involving their Operational Technology (OT) between 2018 and 2021; yet 56% of respondents to the same study said they were “highly confident” that they wouldn’t experience an OT breach in 2022.

What makes this contradiction particularly fascinating is that it varies depending on who you ask. For example, three-quarters of CIOs and CISOs who participated in the report said they were confident that their OT security system wouldn’t suffer a breach over the course of the next year. By contrast, only 37% of plant managers and others with direct experience on those systems shared the same confidence.

What Do We Mean by Critical Infrastructure?

To unpack these findings, let’s begin with a definition of critical infrastructure. The National Institute of Standards and Technology (NIST) defines critical infrastructure as:

Systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

In total, there are 16 sectors that fit this classification. According to the Cybersecurity and Infrastructure Security Agency (CISA), they include transportation, commerce, energy, healthcare and more.

Why are Attacks Against Critical Infrastructure so Concerning?

Simply put, there is the potential for the impact of these attacks to cross the cyber-physical divide, meaning that malicious actors could inadvertently or purposefully disrupt crucial systems that operate, control or govern assets that are vital to the economy, national security, or even individual lives. 

This also means that the disruptions and impacts could reach beyond the systems themselves and cause “real world” damage (think Stuxnet - a cyberattack with physical damage to OT equipment), injury or even deaths (think attacks against healthcare orgs that prevent delivery of lifesaving care).

While there is no “clear-cut case” where a cyberattack was directly linked to a death (yet), the potential is certainly there. Some recent attacks where attackers targeted critical infrastructure highlight the severity of the threat:

  • In early 2021, the DarkSide ransomware gang struck Colonial Pipeline. The ransomware incident disrupted the transportation of 100 million gallons of fuel to customers spread across the eastern seaboard for several days, causing gas shortages and panic buying in the process.
  • In summer of 2021, CNN reported that the meat supplier JBS USA suffered an attack at the hands of REvil/Sodinokibi. The ransomware gang affected servers supporting the company’s IT systems in North America and Australia, disrupting its operations. Ultimately, the company paid an $11 million ransom in response to the attack.
  • In 2020, Cybereason published the findings of a honeypot exercise to observe attack attempts against a faux critical infrastructure provider network. We found that malicious actors used a brute-force attack to compromise the network within a period of three days. During that period, they stole data, propagated across the network, and then detonated a ransomware payload across every compromised machine.
  • In June 2019, Cybereason disclosed the discovery of Operation Soft Cell targeting multiple telecommunications providers. The attackers exfiltrated Active Directory databases, call detail records and personally identifiable information (PII) in the process. The attacks were likely to further Chinese geopolitical interests in the region.

XDR for Defending Critical Infrastructure

Critical infrastructure organizations can defend themselves against an attack by working to remove complexity from their environments. Complexity makes security more difficult. Indeed, 78% of respondents to the report covered by PRNewswire said that complexity resulting from multi-vendor technologies made it difficult for them to secure their OT environments. Hence the importance of having the right security solutions in place. 

Specifically, critical infrastructure organizations can benefit from deploying an XDR (Extended Detection and Response) solution. It’s a security approach that extends the priorities of Endpoint Detection and Response (EDR) across endpoints, applications, cloud workloads, and other resources. 

Some XDR platforms leverage threat intelligence to provide security teams with insight into what’s occurring across all those environments, but such tools are ineffectual, as they are pseudo-XDR solutions that are basically nothing more than an EDR tool with some form of cloud integration.

In fact, most EDR platforms are not even capable of ingesting all of the relevant endpoint telemetry and are forced to “filter out” intelligence without even knowing if that information is critical to making a detection because the solutions cannot handle the volumes of data generated. 

Those vendors simply cannot ingest all available telemetry for their EDR, yet they profess to be able to deliver an XDR solution that ingests endpoint data plus an array of telemetry from numerous other sources on the network and in the cloud.

Where securing critical infrastructure is concerned (or securing any network, actually), filtering out threat telemetry is not an optimal play. With some things, more is better, and XDR is one of those things.

Leveraging AI/ML for Predictive Response

Leveraging artificial intelligence (AI) and machine learning (ML) to correlate the vast amount of telemetry required to secure critical infrastructure is also a key aspect of a mature XDR solution. Leveraging AI/ML allows defenders to move from a perpetual detect-and-respond mode to a more proactive “predictive response” posture, where the likely next steps an attacker can take are anticipated and blocked by the XDR solution, eliminating the opportunity to progress the attack to the next stage.

Only an AI-driven XDR solution can deliver this “predictive response” capability that will shorten detection and remediation periods from days or weeks down to minutes. 

An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets, and the automated responses to halt attack progressions at the earliest stages. 

This approach also gives critical infrastructure defenders the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces and more.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.