Up to now in this series of blog posts on cybersecurity for industrial companies across the Middle East, I’ve been looking at the evolving challenges confronting Chief Information Security Officers (CISOs) in these organizations—and suggesting how they may overcome these challenges.
Now, in this fourth blog, I want to focus on why zero-trust architectures (ZTAs) may have a vital role to play in the operational technology (OT) world. I’ll also be looking at how to manage the challenges that can arise when CISOs seek to translate ZTAs from an IT to an OT world.
First of all, let me explain what we mean by zero-trust architectures. At their heart, these are cybersecurity models that diverge from classical perimeter-based approaches that try to separate an organization from the outside world.
Instead of being grounded in the presumption that internal networks (within the perimeter, protected by firewalls and barriers) are secure, while those outside the perimeter are not, ZTAs describe secure architectures where no resource—inside or outside the perimeter—is trusted.
This means every device, user, service and application, regardless of its location, is considered non-trustworthy, until proven otherwise. Communications between them are tightly controlled, and every session must be mutually authenticated between endpoints.
Users only get access to resources with the minimum privileges required, with additional factors such as software versions, time of request, installed credentials, and so on, all taken into account.
ZTAs recognize that we’ve moved on from the days when the “crown jewels”—servers and databases—were physically located within the enterprise. Nowadays, boundaries aren't as clear-cut as they used to be. Networks are more interconnected, more complex and more dynamic. And of course, we have the cloud. So organizations don’t necessarily always know (or need to know) where their data and assets are located.
ZTAs bundle together a lot of well-established security principles and practices. But they do it for the really complex IT environments that most large organizations operate with. And there are plenty of vendors out in the market who can help put together holistic packages of solutions that make zero-trust in the IT environment a reality. But for OT it’s a more complex proposition.
Most large, complex industrial environments combine a wide range of technologies that are critical to help ensure physical processes operate as smoothly and efficiently as possible. So even a small delay created by an authentication requirement can disrupt a process and have a negative impact on production. What’s more, many legacy industrial technologies won’t be able to support the capabilities for authentication and secure communications that ZTA demands.
Many vendors claim to have zero-trust solutions for OT. But usually these only address a single aspect of the ZTA: for example, securing remote access to the upper layers of the control networks. But if cryptography and multi-factor authentication (MFA) aren’t already in place, you probably have a problem to deal with.
Also, most ZTA solutions are heavily reliant on endpoint agents, which it’s not possible to deploy in the majority of OT environments. Finally, some of these solutions provide monitoring capabilities that, while very important in supporting a ZTA, cannot themselves be considered to be ZT solutions.
In other words, despite the claims of some vendors out in the market, in practice you can forget about applying zero-trust wholesale to legacy/brownfield OT environments. That said, you can still implement some of the concepts which may improve the overall security of your environment.
Recognize the stability of most OT environments
It’s important to recognize that OT environments are much more stable than those in IT when it comes to the number and type of devices they contain. Traffic flows within them are also highly deterministic and easy to know in advance. Because this makes it easier to create a baseline for the secure state of an OT network, detecting any deviation from that baseline and acting to remedy it should be relatively straightforward.
In brownfields, it is extremely important to have proper asset management and inventory. This may be achieved by using specialized monitoring solutions which, in cases where ZTA cannot be deployed, can help to identify deviations from the ZTA principles that would trigger investigations to detect potential compromises.
In greenfields, the introduction of ZT principles during the design phase may facilitate the selection and installation of OT devices that can comply with these principles.
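The baseline-and-deviation idea above, as an added example that is not part of the original post: an asset inventory and a set of permitted flows are allowlisted for a small, constructed plant segment, and any observed flow that involves an uninventoried device or a communication the baseline never allowed is flagged for investigation. The IP addresses, device names and flow records are all constructed sample data, not from any real site.

```python
"""Baseline-and-deviation check for a deterministic OT network segment.

Added example: because OT traffic is predictable, known devices and their
permitted flows can be allowlisted, and anything else is a deviation to
investigate. Inventory, baseline and observed flows are constructed data.
"""
from dataclasses import dataclass

# Constructed asset inventory for an assumed brownfield segment (IP -> role).
ASSETS = {
    "10.10.1.10": "HMI-01",
    "10.10.1.20": "PLC-01",
    "10.10.1.21": "PLC-02",
    "10.10.2.5": "Historian",
}

# Constructed baseline of permitted flows: (src, dst, proto, dst_port).
BASELINE = {
    ("10.10.1.10", "10.10.1.20", "tcp", 502),  # HMI polls PLC-01 (Modbus/TCP)
    ("10.10.1.10", "10.10.1.21", "tcp", 502),  # HMI polls PLC-02
    ("10.10.2.5", "10.10.1.20", "tcp", 502),   # historian reads PLC-01
    ("10.10.2.5", "10.10.1.21", "tcp", 502),   # historian reads PLC-02
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int

def classify(flow: Flow) -> str:
    """Return 'ok', 'unknown-asset' or 'unexpected-flow' for one flow."""
    if flow.src not in ASSETS or flow.dst not in ASSETS:
        return "unknown-asset"      # a device missing from inventory is talking
    if (flow.src, flow.dst, flow.proto, flow.dst_port) not in BASELINE:
        return "unexpected-flow"    # known devices, but a flow never baselined
    return "ok"

def review(flows):
    """Group observed flows by verdict; anything not 'ok' needs investigation."""
    report = {"ok": [], "unknown-asset": [], "unexpected-flow": []}
    for flow in flows:
        report[classify(flow)].append(flow)
    return report

# Constructed observed flows, as a passive OT monitoring sensor might export.
OBSERVED = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 502),
    Flow("10.10.2.5", "10.10.1.21", "tcp", 502),
    Flow("10.10.1.20", "10.10.1.21", "tcp", 502),  # PLC-to-PLC: not in baseline
    Flow("10.10.1.99", "10.10.1.20", "tcp", 502),  # source not in inventory
]

if __name__ == "__main__":
    for verdict, items in review(OBSERVED).items():
        print(f"{verdict}: {len(items)} flow(s)")
```

In a real deployment the inventory and baseline would be learned from the monitoring solution during a known-good period and then frozen, so that the stable nature of the OT segment does the detection work.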
Figure 1 - Steps to achieve ZT in OT
“Never trust, always verify”
The message is clear: trust nothing. If a vendor claims to have the perfect zero-trust solution for you, don’t take that at face-value. Reliance on a vendor’s sales proposition may introduce a false sense of security. And that could be a threat. Be diligent, understand your needs, and ask for trusted help. As always, if you’d like to know more, or discuss anything I’ve said, please drop me a line. I’d be delighted to hear from you!
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.
Managing Director – Technology, Cybersecurity Energy Lead, Middle East