Zero trust is a well-known term in cybersecurity. With its origins in information technology, its core guidance has been built on a set of principles that not so long ago would have been difficult, if not impossible, to implement in an operational technology (OT) environment. But today, cybersecurity leaders in the OT space are also adapting zero trust to the unique requirements of their environments.
The history of zero trust dates back to the mid-1970s, to the Principle of Least Privilege (POLP), which simply states that only the authority required to perform the specific function should be granted. In other words, each entity must be able to access only the information and resources necessary for its legitimate objective. While this principle is implemented in the privilege rings of the application stack, the general principle of limiting access to authorized and validated resources applies directly to zero trust.
There are really only two main goals of Zero Trust. The first is to prevent unauthorized access to data, services and resources. The second is to make access as granular as possible by reducing or eliminating explicit trust zones.
I can’t even count the number of zero trust articles I’ve read, and there seems to be a different opinion in each one. I’d love to give you the simple five-step method for implementing zero trust in your environment, but the methodologies are as plentiful as each author’s opinions. Instead, I’ll explore some of the basics of zero trust and how we might apply them practically to OT.
Considering the first step
The question I get most often is where to start to secure your OT environment. Migrating to a Zero Trust architecture should be viewed as a journey rather than a wholesale replacement of infrastructure, which is neither cost-effective nor even plausible in most cases. Effort should be ranked by criticality, risk and possible exposure, with safety and efficiency taking priority when implementing a proposed architecture. Focus on individual workflows within environments. For example, you might find that your initiative needs to be implemented one business process at a time.
The important thing is to start. Bad actors will choose the easiest targets to maximize their time, as any rational business would. If they encounter resistance while scouting, they can simply abandon the attempt and move on to an easier target.
Adaptation for OT
Let’s start by taking a look at the general principles of IT Zero Trust where we find some basic guidance, at least in theory, for application in OT.
1. All data sources and compute services are resources.
2. No resource is inherently trusted.
3. Any remote/external connection is treated as hostile.
4. Assume the environment has already been compromised.
5. Network location alone does not confer trust. Our internal networks are not implicit trust zones.
6. Access to resources is granted per individual session.
7. Access is governed by a dynamic policy that continuously evaluates the security posture of the asset.
8. Authentication and authorization are applied before access is granted.
9. Collect as much telemetry data from the environment as possible to inform policy decisions.
How do we translate this into OT? We need to adopt a hybrid approach: some of the principles listed do not map cleanly onto OT, or may not be achievable in your environment.
If we want to define process architecture and apply security practices to establish trust, the number one priority is to understand what exists. You will need a clear picture of all assets, resources, people and non-person entities (NPEs). This visibility will allow you to identify, categorize and assess your target environments or processes. You will need a set of systems or solutions to perform active discovery and enumeration of assets in the target infrastructure.
Asset information will not only help identify risks and vulnerabilities, but also provide a starting point for mapping the individual business process. You can choose to identify and categorize processes across the organization for a global roadmap to zero trust. Consider tackling a low-impact process to create your workflows and implementation plans, then work through your priority list based on management goals. Ideally, you want a solution that continuously discovers, analyzes, monitors, and documents all OT assets within the operational environment, then correlates all discovered risks to prioritize them based on their impact on operational and business continuity.
Now that we have all that juicy data, let’s apply some controls based on our analysis and prioritization. Assuming you have perimeter hardening and detection, let’s focus on the internal OT network. Your main concern is never to leave anything in the environment that hasn’t been inspected. You’ll want to scan all incoming devices brought onsite by personnel to stop insider threats, as well as scan assets before onboarding to prevent supply chain attacks.
Referring to our main principle #2 (no resource is inherently trusted), we will want to apply protection at multiple points in our network. Lock down assets and network communication by deploying trust lists. A trust list specifies which endpoints and networks are trusted and what actions assets, apps, or users are allowed to perform, and blocks everything else. At the endpoint level, trust lists can prevent the execution of unauthorized applications and ensure that only approved users can make changes to configurations or data.
Network Level Considerations
At the network level, trust lists can be deployed at a policy decision point (PDP), enforcing asset communication privileges strictly limited to those needed to perform the asset’s function. They can also be based on common OT protocols, ensuring that only approved commands can be sent at the network level. This prevents both malicious manipulation and accidental misoperation. The same network devices should also enforce network segmentation groups, assigning vulnerable assets to dedicated security zones. This can help prevent both attackers from moving laterally and malware from spreading across a flat network.
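To make the network-level trust list concrete, here is an added example (not code from the original article or from TXOne) of a toy policy decision point: a constructed asset inventory with segmentation zones, a trust list keyed by source, destination, protocol and approved protocol function, default deny for everything else, and denied flows emitted as events for the SOC. The asset names, zones and the choice of Modbus/TCP as the OT protocol are assumptions for illustration; function codes 3, 6 and 16 are the standard Read Holding Registers, Write Single Register and Write Multiple Registers.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# Constructed asset inventory (the "understand what exists" step): each
# asset is assigned to a segmentation zone. Names and zones are illustrative.
ASSETS: Dict[str, str] = {
    "hmi-01": "supervisory",
    "eng-ws": "engineering",
    "plc-07": "cell-a",
    "vendor-laptop": "untrusted",
}

Rule = namedtuple("Rule", "src dst protocol functions")  # functions: approved codes
Flow = namedtuple("Flow", "src dst protocol function")

# Trust list: anything not matched below is denied (principle #2). Assumed
# Modbus codes: 3 = Read Holding Registers, 6 = Write Single, 16 = Write Multiple.
TRUST_LIST: List[Rule] = [
    Rule("hmi-01", "plc-07", "modbus", frozenset({3})),         # read-only polling
    Rule("eng-ws", "plc-07", "modbus", frozenset({3, 6, 16})),  # engineering writes
]

def decide(flow: Flow) -> Tuple[str, str]:
    """Policy decision for one flow: returns (verdict, reason). Default deny."""
    if flow.src not in ASSETS or flow.dst not in ASSETS:
        return "deny", "unknown asset (not in inventory)"
    for rule in TRUST_LIST:
        if (rule.src, rule.dst, rule.protocol) == (flow.src, flow.dst, flow.protocol):
            if flow.function in rule.functions:
                return "allow", f"trust-list entry {rule.src}->{rule.dst}"
            return "deny", f"function {flow.function} not approved for {rule.src}->{rule.dst}"
    return "deny", f"no trust-list entry for {ASSETS[flow.src]}->{ASSETS[flow.dst]} traffic"

def deny_events(flows: List[Flow]) -> List[str]:
    """Denied flows formatted as events for the SOC (telemetry, principle #9)."""
    events = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "deny":
            events.append(f"DENY {f.protocol} fc={f.function} {f.src}->{f.dst}: {reason}")
    return events

# Constructed sample traffic as seen by the enforcement point.
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-07", "modbus", 3),         # normal HMI read: allow
    Flow("hmi-01", "plc-07", "modbus", 6),         # HMI attempting a write: deny
    Flow("eng-ws", "plc-07", "modbus", 16),        # approved engineering write: allow
    Flow("vendor-laptop", "plc-07", "modbus", 3),  # untrusted zone, no entry: deny
    Flow("rogue-box", "plc-07", "modbus", 3),      # not in inventory: deny
]
```

Running `deny_events(SAMPLE_FLOWS)` yields three denied flows: the HMI write attempt, the untrusted-zone laptop, and the device that was never inventoried.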
Another network consideration is shielding vulnerable legacy assets and other unpatched assets without interrupting their operation. The intrusion prevention systems (IPS) and native OT firewalls that make this kind of asset-centric cyber defense possible have rulesets specifically designed to fend off attacks without forcing endpoints to update, resulting in no system reboots and no production downtime.
It’s a long road to protecting your critical OT infrastructure, but a journey that must be made to secure enterprise environments.
Jim Montgomery is a Senior Solutions Architect with TXOne Networks, a global leader in OT zero-trust cybersecurity that works with critical infrastructure manufacturers and operators to develop practical, user-friendly approaches to cyber defense.