How Viable is Zero Trust for OT/IoT Networks? Is it a Journey or a Destination?

On Jan. 26, 2022, the Biden administration’s acting director of the Office of Management and Budget (OMB) issued a memorandum to Executive Branch department heads and agencies on moving the U.S. government toward Zero Trust cybersecurity principles. The memo laid out requirements for a Federal Zero Trust Architecture (ZTA) as a next-generation security framework to shore up America’s cyber defenses against increasingly sophisticated and persistent threat campaigns.
This pan-government guidance is further validation that ZTA needs to be considered as an important component of any cybersecurity and networking strategy and will require critical infrastructure organizations to reconsider key portions of their IT infrastructure and security processes going forward. Indeed, the January 26 OMB memo follows on guidance from the National Security Agency (NSA) in February 2021, in a document called “Embracing a Zero Trust Security Model,” which similarly outlines adopting a Zero Trust mindset and implementing a ZTA within government networks.
While ZTA is widely regarded as a significant security advancement over traditional security approaches and architectures, there are many unanswered questions, including varying definitions and requirements for ZTA by industries, experts and vendors. Zero Trust currently appears to be a mindset or an approach rather than an explicit set of security features or capabilities. As a result, I advised caution to other governments in immediately following the U.S. government ZTA guidelines earlier this month, as their objectives may be different.

What do organizations need to consider when deploying a zero trust architecture?

Zero Trust represents a significant change to network and security architectures, which must implement the necessary policies and enforcement throughout the organization. In general, a Zero Trust mindset assumes that every device and user in the network is potentially compromised or a potential threat, and that only explicitly allowed users, devices, communication and traffic should be permitted. While this will serve to slow or block malware propagation, unauthorized access and a wide variety of cyber threats, implementing such a design requires fundamental infrastructure and policy changes that could prove costly and very likely disruptive to existing operations and applications.
And while Zero Trust is making great inroads across IT organizations for a wide variety of specific security use cases and environments, the unique requirements of OT and IoT, combined with industrial processes and critical infrastructure, can hamper ZTA deployments with general-purpose Zero Trust solutions. Many OT and IoT devices are not easily positioned in a ZTA with microsegmentation (a common Zero Trust goal). Where Zero Trust is adopted in current OT networks, it is often limited to secure remote access scenarios, replacing increasingly suspect VPN access solutions, but not throughout the entire internal network between all devices.
In general, organizations need to assume Zero Trust is not a turnkey solution; it is a change of mindset. It will likely require significant upgrades or policy and application changes across the infrastructure. The many definitions and use case scenarios should cause organizations to prioritize how and why a ZTA should be deployed, depending on current access and application requirements, and not look to any specific guidance or mandates, such as the above memo from the U.S. government. By the way, that memo requires implementing encryption for HTTP and DNS traffic by 2024, but not other services like email. These specific details may be completely irrelevant to other industries and organizations with other application security needs.

Tools to support zero trust

With no “one-size-fits-all” approach to Zero Trust, but recognizing it is likely to evolve into a cornerstone of many organizations’ security objectives in the coming years, OT cybersecurity tools are well-positioned to assist customers in this journey. In fact, many Zero Trust principles fall completely in line with our traditional focus on endpoint vulnerability management and verification, attack surface reduction, and always-on monitoring and threat detection. 
First of all, leading OT solutions have always been non-intrusive and non-disruptive to existing networks, a key requirement for critical OT systems and processes. They extend this same approach to Zero Trust services by monitoring network traffic and comparing observed behavior to specific allowed policies. Rather than blocking legitimate traffic that was unanticipated, software can either alert on the identified ZTA policy violations for further review or integrate with partner technology that can quarantine or block suspicious endpoints and users, as needed. Zero Trust Monitoring, comparing traffic patterns to stated policies, is going to be a key initial step for most ZTA deployments to identify all the required network flows and application traffic so when Zero Trust policies are enforced, critical services are not disrupted. 
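As an added illustration (not code from this article or from any vendor product), the monitor-first step described above can be expressed in Python: observed flows are mapped to zones and compared with an explicit allow policy, nothing is blocked, and violations are aggregated so the policy can be reviewed before enforcement. The zones, addresses, flow records and allow rules are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed zone map and allow policy: (source zone, destination zone, protocol, dest port).
ZONES = {
    "hmi": ipaddress.ip_network("10.10.1.0/24"),
    "plc": ipaddress.ip_network("10.10.2.0/24"),
    "camera": ipaddress.ip_network("10.10.3.0/24"),
    "nvr": ipaddress.ip_network("10.10.4.0/28"),
}
ALLOWED = {
    ("hmi", "plc", "tcp", 502),     # Modbus/TCP polling
    ("nvr", "camera", "tcp", 554),  # RTSP video pull
}

# Constructed flow records: (src ip, dst ip, protocol, dst port).
FLOWS = [
    ("10.10.1.5", "10.10.2.20", "tcp", 502),
    ("10.10.4.2", "10.10.3.7", "tcp", 554),
    ("10.10.3.7", "10.10.2.20", "tcp", 502),    # camera speaking Modbus to a PLC
    ("10.10.1.5", "10.10.2.20", "tcp", 44818),  # EtherNet/IP flow missing from the policy
    ("10.10.1.5", "10.10.2.21", "tcp", 44818),
    ("192.0.2.9", "10.10.2.20", "tcp", 502),    # source outside every known zone
]

def zone_of(ip):
    """Return the zone name containing ip, or 'unknown' for unmapped addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def monitor(flows, allowed=ALLOWED):
    """Alert-only evaluation: count violations per rule shape and find unused rules."""
    violations = Counter()
    used = set()
    for src, dst, proto, port in flows:
        key = (zone_of(src), zone_of(dst), proto, port)
        if key in allowed:
            used.add(key)
        else:
            violations[key] += 1
    return violations, set(allowed) - used

if __name__ == "__main__":
    violations, unused = monitor(FLOWS)
    for key, count in violations.most_common():
        print("ALERT", key, "flows:", count)
    print("rules never matched:", sorted(unused))
```

A repeated violation such as the HMI-to-PLC flow on port 44818 is a candidate for a new allow rule after review, while the camera-to-PLC and unknown-source flows are the kind that warrant investigation before any enforcement is switched on.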
Gartner describes Zero Trust as an architecture that “never trusts, always verifies” connections and assumes a bad actor is active at all times, which leads to a highly resilient, highly flexible environment against modern attacks. Similarly, software with a focus on asset identification, continual verification of endpoint and user posture, vulnerability assessments of devices, and insight into legitimate established operational activity serves as an automated intelligent verification platform for every device in your organization 24×7. For example, deep asset intelligence that knows the expected and baseline behavior for a surveillance camera or a programmable logic controller can increase the accuracy of threat detection by eliminating false positives. Similarly, tools can identify when even trusted devices may be compromised and should be evaluated for quarantine or restricted access.

What’s next for zero trust?

ZTA doesn’t need to be disruptive, and there is no drop-in solution to convert every environment to Zero Trust overnight. In your organization, your approach to Zero Trust may be very different than any industry guideline or vendor solution. You need a platform that provides the foundational services for a Zero Trust mindset and can adapt to define and implement your required policies going forward. 
Zero Trust is clearly a journey and not a specific destination. Approaches are being employed to help organizations on a path that makes sense for their existing OT and IoT deployments without a rip-and-replace approach, installing agents on every endpoint, or suddenly encrypting and blocking most of your network traffic overnight.

About The Author

Gary Kinghorn is the senior director of product marketing at Nozomi Networks. Gary has more than 25 years’ experience in the networking and security industries, including various technical product marketing and business development roles. In addition to promoting product benefits, Gary is hoping to highlight many technologies in the OT cybersecurity ecosystem and the value-added solutions they bring to organizations through webinars, joint solution briefs and case studies.
