As OT Threats Proliferate, Zero Trust Is the Foundation of a Cyber Resilient Organization


Unprecedented changes are occurring within industrial control systems (ICS) and operational technology (OT) as IT, OT and AI converge. This convergence is driving Industry 4.0 initiatives, but it also brings increased cybersecurity risks and new operational challenges.
 
This convergence leads to an expanded attack surface: there are now more potential vectors for cyber criminals to exploit. An expanded threat landscape endangers not only individual lives and livelihoods, but entire nations and their economies. Manufacturing and critical infrastructure sectors are facing three times more threats than other industries, according to research from Palo Alto Networks Unit 42, the world-renowned threat intelligence and security consulting team. The recent attacks on Slovenia's largest power utility and a Pennsylvania-based water utility highlight the serious nature and potential scope of the threat.
 
Industrial organizations need to continuously improve their ability to prepare for, respond to, and recover from cyber attacks while maintaining the continuity of their operations. They need an integrated, cyber resilient IT-OT organization to address this increasingly sophisticated threat landscape. A cyber resilient organization is tactically prepared to maintain business operations and minimize disruptions even in the event of a cybersecurity incident.


Three important OT threat insights

Recent research from Palo Alto Networks Unit 42 focused on the current threat status of OT organizations. Among the findings: 
  
Malware grew in OT environments. There was a 27.5% increase in the portion of malware that targeted OT organizations across all sessions, and the average number of attacks per customer increased by 238% in the past year.
 
Exploit attacks against OT companies expanded. The average number of monthly attacks per OT customer increased from 22,000 to 72,000 in the last year. The average number of exploits targeting the OT sector exceeded the average for all other sectors in both growth rate and quantity. Compromised internet-connected office devices that enable remote access and lateral movement into OT systems remain the biggest threat in the industrial sector.
 
Compromised assets in OT systems can take more than 24 hours to recover. As attack surfaces expand, every second counts. A third of compromised OT assets still take over a day to restore. Additionally, just over 10% of compromised assets stay breached for over a month. The most exploited vulnerabilities and threats are supply chain, remote access and lateral movement. 


Getting control with cyber resilience 

As OT environments become more dynamic, the Zero Trust approach of "trust nothing, verify everything" offers an effective way to secure systems and processes. To benefit from Zero Trust and create cyber resilience, OT organizations need to develop a thorough method of asset inventory, risk assessment and risk management that keeps in mind the interdependencies and evolution of their converged IT-OT systems.
 
Best practices for Zero Trust in OT include the following five steps: defining protect surfaces, mapping transaction flows, architecting Zero Trust OT networks, creating Zero Trust policy, and continuous monitoring and maintenance.
 

Step 1: Define protect-surfaces

This step involves identifying the "crown jewels" that are critical to the operation of the business. IT and OT teams should work together to identify these surfaces and their risks, which could include entire systems or networks, specific production lines, or even specific PLCs. Protect surfaces could also include IT systems that OT relies on to keep production running, for example billing and custody transfer systems. Resilient organizations should go through this step to ensure that security planning, investments, and incident response are applied to the most impactful assets first, rather than treating all assets equally, which may increase implementation and recovery times in the event of a cyber attack.


Step 2: Map the transaction flows

Understanding the transactions to and from the protect surfaces is the next step. Here, visibility into OT assets and their communications, including OT-specific industrial protocols and applications, is key. Tools such as Next-Generation Firewalls (NGFW), with their deep packet inspection capabilities, can be used to gain visibility over OT/IIoT applications, protocols and devices, as well as users. Furthermore, applying newer machine learning capabilities allows organizations to establish baselines and more easily detect anomalies, thereby increasing an organization's ability to detect attacks and respond.
 

Step 3: Architect a zero trust network for OT

With the transaction flows well understood, OT security teams can now define the actual zoning scheme that allows for the proper inline controls and threat prevention. The segmentation gateway, or conduit, which is used to create zones and enforce the interzone policy, is again realized through the NGFW. It is important to balance risk management against operational complexity; risk-based approaches such as Hazard and Operability studies (HAZOP) can help determine the level of segmentation required.
 

Step 4: Create the zero trust policy

This step is all about codifying the granular rules. It involves using the Kipling Method to establish the who, what, why, when, where and how of the policy. It also uses the NGFW's policy engine to establish application controls, role-based access, device policy and threat prevention via App-ID, User-ID, Device-ID and Content-ID technologies. Furthermore, decryption and threat services can be coupled to the access control policy to identify and stop malicious traffic hiding within the traffic the policy allows. The idea is to reduce the likelihood of breach and malicious use in OT in the first place by hardening the system with OT-specific policies.
 

Step 5: Monitor and maintain the network

OT environments continue to evolve, especially as transformation projects are retrofitted onto existing OT assets. Hence it is important that the inventorying of protect surfaces and transactions happens on a regular basis and that the associated zoning and policy schemes are adapted as needed. Perhaps more importantly from a risk standpoint, this transformation and blending of IT and OT often leads to unpatched or unpatchable legacy assets being exposed to riskier environments such as corporate and third-party networks. This scenario, while undesirable, is often a decision made by the business to maximize productivity. In this case it is critical that organizations implement advanced threat monitoring and threat prevention capabilities that can detect and stop attempts to exploit such vulnerabilities. In addition, end users should deploy compensating controls to manage or eliminate these threat vectors when possible. Again, the NGFW, with its granular visibility, granular policy support, ML features and array of threat services, will be invaluable in this process of monitoring the network, maintaining Zero Trust, and protecting vulnerable OT environments from threats as IT and OT converge.
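As an added example (not the article's or Palo Alto Networks' code), the following shows how the transaction flows mapped in Step 2 can be expressed as a default-deny policy in the Kipling terms of Step 4 and then checked against observed traffic; the zones, users, applications and time windows are constructed assumptions, and the User-ID/App-ID/Device-ID analogues are just plain fields.

```python
# Added example, not code from the article or from Palo Alto Networks: a
# default-deny Zero Trust policy check for an OT network covering Steps 2-4.
# Mapped transaction flows become explicit allow rules written in Kipling-method
# terms (who, what, when, where, why, how); all data below is constructed.
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Flow:
    who: str        # user or role (what a User-ID style lookup would supply)
    what: str       # application or protocol (App-ID style classification)
    src_zone: str   # where the transaction originates
    dst_zone: str   # the protect surface being reached
    at: time        # when the transaction happened
    how: str        # device type (Device-ID style classification)

@dataclass(frozen=True)
class Rule:
    who: str
    what: str
    src_zone: str
    dst_zone: str
    start: time     # allowed window (when)
    end: time
    how: str
    why: str        # business justification recorded with the rule

def matches(rule: Rule, flow: Flow) -> bool:
    """True when every Kipling dimension of the flow fits the rule."""
    return (rule.who == flow.who and rule.what == flow.what
            and rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and rule.how == flow.how and rule.start <= flow.at <= rule.end)

# Allow-list built from the mapped transaction flows; anything else is denied.
POLICY = [
    Rule("operator", "modbus-read", "control", "plc-line1", time(6, 0),
         time(22, 0), "hmi", "operators monitor line 1 on shift"),
    Rule("historian-svc", "opc-ua", "dmz", "plc-line1", time(0, 0),
         time(23, 59), "historian", "plant historian collects tags"),
]

def evaluate(flow: Flow, policy=POLICY) -> str:
    """Return 'allow: <why>' for the first matching rule, otherwise 'deny'."""
    for rule in policy:
        if matches(rule, flow):
            return f"allow: {rule.why}"
    return "deny"

# Constructed samples: an on-shift HMI read, and a contractor laptop reaching
# the PLC zone from the corporate network (lateral movement the policy denies).
ON_SHIFT = Flow("operator", "modbus-read", "control", "plc-line1", time(9, 30), "hmi")
FROM_CORP = Flow("contractor", "ssh", "corporate", "plc-line1", time(9, 30), "laptop")
```

Because the policy is an allow-list, a write command, an off-hours read, or a new device type is denied until a rule with a recorded justification is added, which is the re-inventory loop Step 5 describes.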
 

Toward cyber resilience

Zero Trust Architecture (ZTA) significantly enhances the cyber resilience of Operational Technology (OT) organizations by adopting a holistic approach across preparation, response, recovery, and supporting uptime and safety. In preparation, ZTA ensures that trust is never assumed, requiring continuous secured access to assets, data, applications and services, thereby minimizing the attack surface. In response and recovery, ZTA's granular access controls and real-time monitoring enable swift detection and containment of threats, while its least privilege principle limits the potential damage. Especially in legacy OT environments where networks are typically loosely segmented, ZTA could help to reduce the “blast radius”. Ultimately, ZTA fosters uninterrupted uptime by maintaining a vigilant, proactive security stance, fortifying OT environments against evolving cyber threats.

About The Author


Qiang Huang is vice president of product management, cloud delivered security services at Palo Alto Networks.

