Demystifying zero trust in OT

Fortinet Australia Pty Ltd

Thursday, 11 June, 2026



Implementing zero trust in OT environments requires a holistic approach that unites informed people, rigorous processes and the right technology.

Not long ago, the operational technology (OT) networks used in environments such as factories and critical infrastructure were air-gapped, meaning they were not connected to the internet. But today, the once-siloed worlds of OT and information technology (IT) are seeing greater interconnectivity due to digital transformation and support for scarce or remote workers. This connectivity can enhance production via data sharing and new cloud-based tools that allow organisations to tap into new business value. One of the main drawbacks of IT/OT convergence, however, is that ever-evolving cyberthreats now have easier access to previously air-gapped OT environments, jeopardising the benefits of this integration.

Operational technology systems are particularly vulnerable because they were designed to implicitly trust everything within their environments. Organisations should therefore be evolving towards a zero-trust cybersecurity model, one that continuously verifies the trustworthiness of users and devices while controlling access based on contextual information.

The evolution of trust in OT

Historically, industrial automation and control systems (IACS) designers, builders, manufacturers and operators knew what should and should not be trusted with regard to protecting their systems. They could assume that their systems would not execute something that was dangerous to the human operator or the production line. Most IACS technologies were designed around the hypothetical concept of implied trust. This meant that any connections made within the air-gapped OT perimeter were safe from any and all cyberthreats that proliferated in the outside world. This state of implied trust was mostly a successful security strategy for years because of OT’s isolation from the public internet.

Furthermore, industrial control system (ICS) assets are typically built for longevity. Deployed technologies may remain in working order for 20 years or more. There are often strong business justifications (as well as safety and reliability requirements) for continuing to operate older ICS equipment.[1] Also, a future where outside connections to OT systems would become a common necessity was never really a consideration.

Now, operational technology environments are increasingly being connected with IT networks (also known as IT/OT convergence or Industry 4.0), which can deliver new strategic benefits. These include utilising cloud-native capabilities and improving frontline decision-making by using data from both IT and OT systems.[2] This convergence can additionally reduce space requirements, eliminate physical hardware, shorten deployment times, improve cost savings, boost performance, and reduce siloed IT and OT department resources. But these connections also puncture the OT air-gap, thereby deflating the false notions of implied trust and ICS security by design.

IT environments are increasingly responsible for configuring and managing OT devices, as well as collecting and reporting on the critical data organisations need to effectively oversee their OT assets. This bridging of enterprise and industrial networks serves a clear business purpose, but as more IT assets shift to cloud-based environments, OT assets are becoming vulnerable to cybersecurity threats that were previously non-existent.

The emergence of zero trust in cybersecurity

At a conceptual level, the term ‘zero trust’ shifts the thinking around security from an ‘implied trusted’ attitude to an ‘assumed breached’ state, where nothing is trusted without verifying.

In more practical terms, zero trust refers to a security model in which users and devices are no longer automatically granted access based on network location. Instead, it focuses on evaluating trust on a per-transaction basis. Degrees of access can be granted to verified users and devices based on the contextual factors surrounding the request. Reverification or re-evaluation of permissions is frequent.

Approaches to implementing a zero-trust model can vary greatly, and even some of the common solution initialisms can be confusing without detailed definitions.

  • A zero-trust access (ZTA) solution focuses on identifying and having oversight of which users and devices are accessing the network. As more users work remotely and Industrial Internet-of-Things (IIoT) devices proliferate in OT environments, organisations should continuously verify all users and devices as they access applications and data.
  • A zero-trust network access (ZTNA) solution refers to application access in which no user or device is trusted to access an application unless they prove their credentials. Zero-trust network access is often cited as a natural evolution from traditional virtual private network (VPN) tunnels, which assume anything that passes network perimeter controls can be trusted. Unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.

What problems can zero trust solve?

An effective zero-trust implementation can address several pressing cybersecurity needs facing organisations today, namely:

  • Enabling full mobility of staff without disrupting normal operations or affecting the access control policies in place.
  • Unifying the organisation’s security strategy with regard to users, assets and (indirectly) applications, regardless of where they are physically located.
  • Helping prevent cyberthreats from spreading laterally throughout organisations by continuously reassessing user and device identity and posture on a per-session basis.

Challenges to implementing zero trust in OT

The road from implied trust to zero trust isn’t without hurdles or complications. To effectively implement a zero-trust solution such as ZTA within an OT environment, security leaders may need to address some questions that are particular to how ICS operates within the OT environment and any safety-related aspects.

  1. Does the warranty language of any current automation vendors restrict or limit what can happen on the network? This is a fairly frequent issue that should be fully investigated in advance.
  2. Are the ZTA technologies compatible with the legacy technologies found in the OT environments? ICS longevity (20-year lifecycles) must be taken into account.
  3. Asset owners often depend on system integrators and original equipment manufacturers (OEMs) for integration and commissioning. Are they prepared for the introduction of ZTA technologies that may disrupt currently integrated and commissioned subsystems?
  4. Original equipment manufacturers and system integrators may also require remote access as part of their warranty or third-party operation and maintenance contracts.
  5. Typically, much of the ICS/OT technology stack is headless, making user interaction impossible. Internet Protocol (IP) addresses are often static, and it would be hard to imagine re-authenticating a connection with a headless device lacking a user interface. Can the ZTA solution support this unique limitation of OT environments?
  6. Because OT environments have historically been air-gapped, they sometimes rely on static passwords rather than those managed in Active Directory (AD) with secure credential management policies.
  7. Some OT components (for example PLCs and HMIs) may not support the technologies or protocols required to fully integrate with a ZTA implementation. As a result, a ZTA approach might not be practical for some OT devices or systems.
  8. Some ICS technologies within the OT environment may be designated for safety operations and may require timely and uninterrupted access to systems to execute safety functions. Thus, implementing ZTA for such an ICS shouldn’t impede the safety aspects of the infrastructure.

Another key challenge to implementing zero trust across interconnected IT/OT environments is that organisations need to establish distinct identities between the two sides of the business. Effectively embracing ZTA requires a solution capable of converged security operations for two management areas coming together with different priorities. Maintaining separate security operations centres (SOCs) for IT and OT increases complexity and potential risks when it comes to managing assets and policies in both environments, ingesting and analysing data from both IT and OT systems, and performing remediation actions in case of a cyber intrusion.
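The per-transaction, context-based decision described above under "The emergence of zero trust", and the OT-specific challenges in items 5 and 8 of the list (headless devices that cannot re-authenticate interactively, and safety-designated systems whose access must not be interrupted), can be made concrete with a small policy decision point. The following is an added illustration written for this page; it is not Fortinet product logic and not NIST reference code. The asset inventory, certificate fingerprints, IP addresses, the 15-minute re-verification interval and the choice to flag rather than block a safety asset's flow are all constructed assumptions.

```python
"""Toy zero-trust policy decision point (PDP) for a converged IT/OT network.

Added illustration, not Fortinet's or NIST's code. It models the per-request,
context-based decision NIST SP 800-207 assigns to the policy engine, plus two
OT accommodations raised in the article: headless devices whose identity is
bound to a device certificate and fixed IP instead of interactive credentials,
and safety-designated assets whose flows are alerted on rather than cut.
All assets, fingerprints, addresses and thresholds are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_MONITOR = "allow_monitor"  # permitted, but raised to the SOC for review
    DENY = "deny"


@dataclass(frozen=True)
class Asset:
    asset_id: str
    zone: str                               # "it" or "ot"
    headless: bool = False                  # no UI, so no interactive re-auth
    safety_critical: bool = False           # designated for safety functions
    expected_ip: Optional[str] = None       # inventory-bound static address
    cert_fingerprint: Optional[str] = None  # inventory-bound device certificate


@dataclass(frozen=True)
class Request:
    subject: str                            # user principal or device asset_id
    target: Asset
    source_ip: str
    mfa_passed: bool = False
    presented_fingerprint: Optional[str] = None
    device_posture_ok: bool = True
    session_age_s: int = 0


REAUTH_INTERVAL_S = 900  # assumed: re-verify interactive sessions every 15 min


def decide(req: Request, inventory: dict[str, Asset]) -> tuple[Decision, str]:
    """Evaluate one request against the inventory; return (decision, reason)."""
    if req.target.asset_id not in inventory:
        return Decision.DENY, "target not in asset inventory"

    device = inventory.get(req.subject)
    if device is not None and device.headless:
        # Machine-to-machine flow: verify the bound identity the device *can*
        # present (certificate + static IP + posture) instead of credentials.
        problems = []
        if req.presented_fingerprint != device.cert_fingerprint:
            problems.append("certificate fingerprint mismatch")
        if req.source_ip != device.expected_ip:
            problems.append("source IP differs from inventory binding")
        if not req.device_posture_ok:
            problems.append("device posture check failed")
        if not problems:
            return Decision.ALLOW, "headless device identity verified"
        reason = "; ".join(problems)
        if device.safety_critical:
            # Assumed design choice: a safety system's flow is alerted on, not
            # interrupted, so a false denial cannot impede a safety function.
            return Decision.ALLOW_MONITOR, reason + " (safety asset, not blocked)"
        return Decision.DENY, reason

    # Interactive user session: verified per transaction, no location-based trust.
    if not req.mfa_passed:
        return Decision.DENY, "MFA not satisfied"
    if not req.device_posture_ok:
        return Decision.DENY, "endpoint posture check failed"
    if req.session_age_s > REAUTH_INTERVAL_S:
        return Decision.DENY, "session older than re-verification interval"
    return Decision.ALLOW, f"verified user granted {req.target.zone.upper()} access"


def sample_inventory() -> dict[str, Asset]:
    """Constructed inventory: an IT historian, an HMI, a PLC and a safety system."""
    assets = [
        Asset("historian", "it"),
        Asset("hmi-01", "ot"),
        Asset("plc-07", "ot", headless=True,
              expected_ip="10.20.0.7", cert_fingerprint="AA11"),
        Asset("sis-02", "ot", headless=True, safety_critical=True,
              expected_ip="10.20.0.2", cert_fingerprint="BB22"),
    ]
    return {a.asset_id: a for a in assets}


if __name__ == "__main__":
    inv = sample_inventory()
    cases = [
        ("PLC to historian, bindings match",
         Request("plc-07", inv["historian"], "10.20.0.7", presented_fingerprint="AA11")),
        ("PLC to historian, unexpected source IP",
         Request("plc-07", inv["historian"], "10.20.0.99", presented_fingerprint="AA11")),
        ("safety system presenting wrong cert",
         Request("sis-02", inv["plc-07"], "10.20.0.2", presented_fingerprint="ZZ99")),
        ("engineer with MFA, stale session",
         Request("alice", inv["hmi-01"], "10.10.5.4", mfa_passed=True, session_age_s=3600)),
    ]
    for label, req in cases:
        decision, reason = decide(req, inv)
        print(f"{label:40s} -> {decision.value:13s} {reason}")
```

The split between the two branches is the point: an engineer's session is re-verified on a timer and denied when stale, which is the behaviour item 5 says a headless PLC cannot support, so the PLC branch substitutes continuous checks on signals it can present. The `ALLOW_MONITOR` outcome is how the example keeps item 8's constraint without silently giving up verification: the mismatch is still recorded for the SOC, it simply is not allowed to stop a safety flow.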

Figure 1: NIST SP 800-207 Core Zero Trust Logical Component.[3]

Acquiring and maintaining zero-trust solutions will also call for internal know-how and operational resources for managing logging and access controls. Combined with limited budgets, many organisations currently may struggle to find, hire and retain the skilled security staff required to deploy and maintain zero-trust solutions. In these instances, it may be important to consider whether a vendor offers the option of dedicated support services.

The path forward starts today

As IT/OT convergence continues to accelerate, security leaders should be evolving into a zero-trust model to keep their OT environments safe from disruptions due to internal or external security events. Today’s path to deploying zero trust in OT is threefold:

  1. People: Start raising awareness about the risks of IT/OT convergence with users and training them on how zero-trust solutions can help secure the organisation against opportunistic threats.
  2. Process: The era of security based on implied trust in OT is over. Any security policies and protocols should now be based on trust that is contextually verified and constantly reverified. Organisations need complete and continuous control over who and what is on the network, including automation vendors and service providers.
  3. Technology: Evaluate zero-trust solutions for OT environments and be mindful that they may also impact your broader supply chain. Look for a zero-trust security vendor with strong partnerships across the technology ecosystem.

Ultimately, successfully implementing zero trust in OT environments requires a holistic approach — one that unites informed people, rigorous processes and the right technology to build a resilient and secure operational foundation.

1. Benestelli B and Kambic D 2022, IT, OT, and ZT: Implementing Zero Trust in Industrial Control Systems, Carnegie Mellon University, <https://www.sei.cmu.edu/blog/it-ot-and-zt-implementing-zero-trust-in-industrial-control-systems/>

2. Chang M, Koerber B and Soganci M 2022, Converge IT and OT to turbocharge business operations' scaling power, McKinsey & Company, <https://www.mckinsey.com/capabilities/operations/our-insights/converge-it-and-ot-to-turbocharge-business-operations-scaling-power>

3. NIST 2020, SP 800-207: Zero Trust Architecture, <https://csrc.nist.gov/pubs/sp/800/207/final>

  • All content Copyright © 2026 Westwick-Farrow Pty Ltd