Applying a Zero Trust Mindset to Securing Industrial Control Systems


There has historically been a presumption of trust in many industrial control systems (ICS). Because these assets stay in service for an extended period, it was assumed that the asset owner and the makers would know which components could be trusted as essential to their systems.
However, many OT devices, which include the hardware and software used to monitor and manage physical equipment, are insecure by design. They are expected to operate on isolated or private (air-gapped) networks with trusted access enabled by default. Designers frequently make this assumption when launching new hardware or software because their objective is to improve the system’s efficiency: the design process is focused on function and frequently leaves security out.
OT infrastructures now face a new threat vector for cyberattacks as a result of the convergence of IT and OT. As network settings continue to shift from closed to open systems, industrial facility and other OT leaders reported in a global survey that they saw a 20% increase in system intrusions over the previous year.
As we transition into the “zero trust” era, where nothing is trusted without verification and only limited access is permitted, we go from a state of presumed trust to one of assumed breach. Yet zero trust adds complications: it affects how legacy equipment and automation controls are used, the terms of equipment warranties, and remote access for OEMs and integrators. It may also disrupt processes.
But these challenges don’t mean zero trust can be ignored. In today’s landscape, a zero trust mindset is key.

Understanding zero trust

In the "zero trust access" (ZTA) network security model, no one inside or outside the network is trusted until their identity has been verified. Zero trust operates under the presumption that threats, both internal and external to the network, are ever-present. It further presupposes that any attempt to access a network or application is a potential threat. These presumptions shape network administrators’ thinking and lead them to build strict, trustless security mechanisms.
Controlling access to applications is the primary goal of zero trust network access (ZTNA), a component of the zero trust model. ZTNA extends ZTA principles by validating users and devices before each application session, ensuring that they comply with the organization’s policy for accessing that application. To maintain the highest level of verification, ZTNA supports multi-factor authentication.

Three best practices for success

The first best practice to observe on your zero trust journey is to remove some of the complexity from this complex topic. Organizations tend to overcomplicate zero trust, but it really comes down to understanding what assets you have, knowing where they “live” and who is using them. You also need to know how to authenticate that traffic and those applications across your network. So, it starts with asset management, access controls and role-based access.
The next best practice is to start small. Many companies make the mistake of trying to solve all zero trust issues at once. They come up with a huge plan whereas, in reality, you need to take a smaller, piecemeal approach. Determine where your foundation is, what you most need zero trust for. Start there and then build on that foundation, one building block at a time.
The third best practice is to understand that zero trust is a mindset and not a solution.

There isn’t one solution that’s going to help you solve the zero trust challenge. It’s a set of solutions; it’s a set of techniques you can use. And depending on the very diverse set of assets that your organization has and places where you’re connecting to and from, you’re going to have to tackle each problem individually, depending on what’s best for that specific environment.
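The per-session verification that ZTNA performs (validating the user and device against policy before each application session, with MFA) and the first best practice above (start from an asset inventory, access controls and role-based access) can be shown together as one policy decision. The following is an added example and is not code from the original article or from Fortinet: the asset inventory, role bindings, maintenance windows and identities are constructed for illustration, and the checks are one plausible default-deny policy rather than any product’s rule engine.

```python
"""Per-session, default-deny access decision for OT assets (added example).

The inventory, role bindings and maintenance windows below are constructed
stand-ins for an organisation's asset management and identity systems.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: what the asset is, where it lives (zone),
# which roles may reach it, and over which protocol.
ASSETS = {
    "plc-line3": {"zone": "cell-3", "roles": {"controls_engineer"}, "protocols": {"ssh"}},
    "hmi-line3": {"zone": "cell-3", "roles": {"operator", "controls_engineer"}, "protocols": {"https"}},
    "historian": {"zone": "dmz", "roles": {"analyst", "controls_engineer"}, "protocols": {"https"}},
}

# Constructed role bindings: identity -> roles.
ROLES = {"alice": {"controls_engineer"}, "bob": {"operator"}, "carol": {"analyst"}}

# Constructed maintenance windows giving an OEM or integrator time-boxed
# access to one asset: (vendor, asset) -> (start, end) in epoch seconds.
MAINTENANCE_WINDOWS = {("acme-oem", "plc-line3"): (1_700_000_000, 1_700_007_200)}


@dataclass
class SessionRequest:
    user: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    asset: str
    protocol: str
    now: int  # epoch seconds at which this session is requested


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def _role_allows(req: SessionRequest, asset: dict) -> bool:
    """Role-based access, or a vendor inside an approved maintenance window."""
    if ROLES.get(req.user, set()) & asset["roles"]:
        return True
    window = MAINTENANCE_WINDOWS.get((req.user, req.asset))
    return window is not None and window[0] <= req.now < window[1]


def evaluate(req: SessionRequest) -> Decision:
    """Evaluate one application session. Every check must pass; each failure
    is recorded so the denial can be explained and logged. The decision is
    for this session only: call again for the next session, not once at login."""
    asset = ASSETS.get(req.asset)
    if asset is None:
        # An asset missing from the inventory is never reachable: you cannot
        # protect, or safely expose, what you do not know you have.
        return Decision(False, ["asset not in inventory"])
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA not completed for this session")
    if not (req.device_managed and req.device_patched):
        reasons.append("device posture check failed")
    if req.protocol not in asset["protocols"]:
        reasons.append(f"protocol {req.protocol} not permitted for {req.asset}")
    if not _role_allows(req, asset):
        reasons.append(f"{req.user} has no role or maintenance window for {req.asset}")
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    req = SessionRequest("acme-oem", True, True, True, "plc-line3", "ssh", 1_700_003_600)
    print(evaluate(req))
```

Because the decision is recomputed per session, a vendor whose maintenance window has expired, or an engineer whose device has drifted out of compliance, is denied on the next connection without anyone having to revoke a standing grant.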

Zero trust: A piece of the whole

A zero trust mindset is necessary across OT and IT to secure modern and legacy solutions while supporting remote access and protecting resources (assets, processes, services etc.) within a network boundary. ZTA and ZTNA are important pieces of the puzzle, but it’s important to remember that they aren’t silver bullets, either.
Though it’s true that ZTA significantly improves your cybersecurity posture, you still need a holistic security strategy that uses a wide range of defensive tactics. For instance, ZTA offers no protection against distributed denial of service (DDoS) attacks, and because of the complexity and latency involved it is impractical for inspecting encrypted payloads such as VPN traffic.
As you work to secure your OT environment, you must do so in a way that minimizes latency of event or anomaly detection. An OT security strategy’s components should always be seen in the context of the wider ecosystem. ZTA and ZTNA give OT systems better situational awareness and a more proactive security posture. Be sure to incorporate the zero trust mindset into your overall cybersecurity planning and strategy.

About The Author

Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing, and life sciences.

Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Systems Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker and veteran.
