The concept of “zero trust” has been a framework in the information technology (IT) sector for many years, and now cybersecurity leaders in the operational technology (OT) realm are adapting it for their environments. What does a practical implementation of zero trust look like in a climate in which human resources are limited and the availability of assets is of utmost importance? And how can system integrators best support their customers in manufacturing, energy and other critical industries to adopt the proven, device-centric approach for protecting OT networks and averting revenue disruptions? Let’s delve into the answers.
Adapting Zero Trust for OT’s Unique Requirements
The major goal of zero trust in IT is to ensure access to any connected services comes from the right identity, at the proper time, from the expected location, through the expected registered devices, etc. This is a contextual-verification process, and it is very human-centric. Employees are highly interconnected with each other through various services, and any compromised personnel pose threats to the entire organization. It makes sense that IT prioritizes confidentiality, then integrity, and finally availability in a zero-trust approach to protection.
But OT is different. System availability is king, ranking higher in importance than integrity and confidentiality. The OT environment is complex and characterized by highly specialized systems — some leading-edge, some legacy — on which the corporate lifeblood of revenue depends. In the case of OT, it’s imperative to keep operations running.
Also, in the OT world, devices and equipment are seldom bound to specific personnel. Indeed, the number one hurdle for OT security managers is often a lack of human resources. It’s not budget limitations that prevent them from pursuing higher levels of security, nor their professional knowledge of cybersecurity. It’s more about people — a factory with thousands of devices scattered across a vast shop floor that might be managed by only a couple of professional OT security managers.
“OT Zero Trust” is a device-centric approach of continuous verification that accounts for the unique characteristics of its environment. Ensuring availability and averting revenue disruptions are highly prioritized, and all stages in the device lifecycle are covered, helping ensure asset protection despite the shortage of human resources. Every piece of equipment is inspected before adding to the production line, as well as continuously monitored and protected while providing manufacturing services.
It’s commonly believed that a brand-new piece of equipment is at its best security level, but usually that’s not the case in OT. Industrial PCs do not always adopt the latest operating system (OS) updates, and they often contain legacy components in specific application fields that were designed to ensure functionality instead of security. Devices are fully tested for functionality before shipping but normally not from a security perspective. This makes pre-service inspection a crucial piece of OT Zero Trust.
Another essential but often ignored part of the inspection is a security inventory. Without such visibility, administrators will have difficulty when a critical OS update is released. They will often leave affected equipment as is, especially in a closed network where they believe the equipment is safe. This is the main reason old attacks such as WannaCry or Conficker often repeat themselves in modern factories.
With the OT Zero Trust methodology, no device is trusted as clean — now or in the future. Equipment is always inspected again.
Almost every computer in IT has antivirus software installed, but OT managers are prevented from adopting the same solutions for multiple reasons.
Technical reasons include unsupported legacy OS and emerging Industrial Internet of Things (IIoT) devices or controller units without proper OS for the security software to land on. Furthermore, because most endpoint-protection software is designed to deal with more and more advanced attacks, increasingly sophisticated approaches are introduced. Modern techniques such as machine learning or endpoint detection and response (EDR) are added, but, at the same time, these capabilities generate more overhead, such as heavy Internet bandwidth demands, system footprint, and increased false alarms. Such side effects discourage OT managers from applying endpoint protection.
OT-optimized endpoint protection is appearing in the marketplace. On-premises implementation and support to legacy OS are key to effective OT-native endpoint protection in the OT Zero Trust methodology.
Network defense is not only the complementary security countermeasure to endpoint protection, but it is also the second layer for mitigating uncovered security loopholes. In the shop-floor environment, even when endpoint protection is technically feasible, warranty terms might prohibit OT managers from installing anything that was not included on the equipment originally.
Network security appliances can deliver most security functionality such as firewall and intrusion prevention systems (IPS), and, in most cases, they work as adequately in OT as in IT. However, as modern attackers gradually shift focus to the industrial space, the capability to analyze packets sent in industrial protocols such as Modbus or other proprietary protocols is highly desired. Network segmentation is another common practice to control and limit the scope of damage when cybersecurity incidents occur.