Why Zero Trust Access is Critical to OT Security


Operational technology (OT) networks are a target of growing interest for cybercriminals, who are devising increasingly sophisticated attacks to disrupt OT and profit from its exploitation. In fact, Fortinet found in its 2020 State of Operational Technology Cybersecurity Report that nine out of 10 OT leaders surveyed acknowledged at least one intrusion in the past year, and 72% experienced three or more. Cybersecurity is still a challenge for many OT infrastructures that are unaccustomed to the decreased reliance on an air gap as the primary defense mechanism. This shift has forced attention onto the concept of zero trust as an essential cybersecurity strategy.
The premise behind zero trust access (ZTA) is that it’s not safe to trust anything inside or outside the network without first identifying and classifying all users and devices seeking access. The goal of ZTA is to eliminate all threats, whether they come from outside or within the network. Adopting this strategy is vital in protecting OT systems, which must often interrogate both network users and a rapidly growing array of connected Industrial Internet of Things (IIoT) devices.

The critical nature of OT system cybersecurity

OT systems are typically associated with cyber-physical domains such as manufacturing, energy and utilities, transportation and building automation. Historically, OT systems weren’t thought of as requiring advanced cybersecurity since they were typically isolated by air gaps. The advent of IT/OT convergence and digital connectivity has raised the stakes for ensuring safe and continuous operations.
Addressing the security challenges presented by converging OT and IT networks often results in fielding an array of point solutions. This approach isn’t sustainable for achieving true visibility and threat mitigation, as the lack of communication and continuity between solutions leads to latency in response. Rapid recognition and response are essential to neutralize a breach that could otherwise cause critical service outages with severe business consequences and significant risk, including possible loss of life as the result of industrial sabotage.

Initiating the ZTA process for OT

The first step in adopting zero-trust access is a proportional security investment that invokes a consistent policy practice of “never trust, always verify.” This means protecting every wired and wireless network node to ensure that all users, applications, and endpoint devices are validated. Arguably, the landscape is complex, but there are consistent security practices that yield protection across all OT systems, whether you’re talking about energy and utilities, manufacturing or transportation. One example is practicing the principle of least privilege across internal and external network communications by providing only the minimally required access and nothing more.
OT system owners can protect the enterprise from an array of attack vectors by integrating internal segmentation firewalls at multiple points within the network. In this manner, they achieve both network visibility and least privilege enforcement. Such a containment strategy prevents vertical or horizontal movement within the target environment.

The need for next-generation firewalls

Converged IT/OT enterprises can foundationally build on the ZTA strategy by integrating Next Generation Firewall (NGFW) technology that employs an internal segmentation configuration combined with intelligent switching. If the NGFW is configured with secure and scalable Ethernet switches, micro-segmentation and policy enforcement prohibit any east-west or north-south network movement that’s not pre-approved. That makes network security more granular while achieving greater attack resistance.

The need for multi-factor authentication

Multi-factor authentication (MFA) is another essential cybersecurity practice for OT leaders to enforce role-based access. With MFA, access is only granted after successfully presenting two or more pieces of evidence, or factors, to an authentication mechanism. These factors may include the following:

  • Possessions: Things that only the user has, such as a badge or a smartphone 

  • Unique identifiers: A fingerprint, voice recognition or other inherent trait specific to the user

  • Knowledge: Something that only the user knows, such as a password or a PIN

By requiring several of these pieces of evidence, MFA makes theft and masquerade very difficult to accomplish.
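As an added illustration (not code from the article or from any Fortinet product), the following Python evaluator combines the two controls described above into one access decision: a default-deny allowlist of pre-approved zone-to-zone flows, as an internal segmentation firewall would enforce, and the requirement that the requesting user present two distinct MFA factor categories. The zone ranges, ports and allowlist entries are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample zone map (assumed Purdue-style segmentation, not from the article).
ZONES = {
    "enterprise_it": ip_network("10.0.0.0/16"),
    "ot_dmz": ip_network("10.10.0.0/24"),
    "plc_cell_a": ip_network("10.20.1.0/24"),
}

# Explicit allowlist of (src_zone, dst_zone, dst_port). Any flow not listed is
# denied: default deny is "never trust, always verify" applied to east-west traffic.
ALLOWED_FLOWS = {
    ("enterprise_it", "ot_dmz", 443),   # IT users reach only the OT DMZ jump host
    ("ot_dmz", "plc_cell_a", 502),      # Modbus/TCP to the PLC cell from the DMZ only
}

# The three factor categories listed in the article.
FACTOR_CATEGORIES = {"possession", "inherence", "knowledge"}

@dataclass
class AccessRequest:
    user: str
    factors: set      # categories presented, e.g. {"knowledge", "possession"}
    src_ip: str
    dst_ip: str
    dst_port: int

def zone_of(ip: str):
    """Map an address to its zone; None means unknown and therefore untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def mfa_satisfied(factors: set) -> bool:
    # Two or more *distinct* categories; a password plus a PIN is still one category.
    return len(factors & FACTOR_CATEGORIES) >= 2

def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Identity is checked before the network path."""
    if not mfa_satisfied(req.factors):
        return False, "deny: fewer than two distinct authentication factors"
    src, dst = zone_of(req.src_ip), zone_of(req.dst_ip)
    if src is None or dst is None:
        return False, "deny: address outside any defined zone"
    if (src, dst, req.dst_port) not in ALLOWED_FLOWS:
        return False, f"deny: {src}->{dst}:{req.dst_port} not pre-approved"
    return True, f"allow: {src}->{dst}:{req.dst_port}"
```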

Perfection is not the goal

The proportional cybersecurity investment to counter digital transformation and IT/OT convergence risks is hardly about achieving perfect cybersecurity protection. Instead, it is about raising the stakes so that the most important assets are protected. Typically, sustaining safe and continuous operation is the top priority, along with deflecting attempts to access intellectual property. For OT, speed, scale and solution longevity are high-value solution attributes. Despite the best of intentions, it’s important to recognize that some cybersecurity attacks fall beyond the detection and scope of a ZTA strategy. A distributed denial of service (DDoS) attack, for example, won’t show up on that radar. Likewise, inspection of encrypted payloads, such as VPN traffic, isn’t practical due to the characteristic overhead and delays.
A final thought to consider relative to OT business is that latency introduced by cybersecurity best practices is untenable. It’s therefore important to consider how the elements of your OT security strategy work as a cohesive ecosystem. Augmenting the ecosystem with internal behavioral analysis ensures greater situational awareness and achieves a more proactive security posture. The bottom line is achieving a continuous trust assessment and a return on investment that is proportionally valued and measured by safe, trusted and sustained operations.

About The Author

Rick Peters is the CISO for Operational Technology, North America for Fortinet Inc., delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities. Email: [email protected]
