
Taking a manageable approach to zero trust for operational technology

July 1, 2025
By focusing ZT at the application and services layers and using data diodes between IoT devices and filtering between internal and external users, operators can take significant steps toward protecting their OT.

What you’ll learn:

  • The majority of installed OT equipment cannot natively support zero-trust requirements.
  • Other than for air-gapped systems, achieving zero trust with OT means legacy equipment must be modernized, updated, and patched.
  • Implementing zero trust requires a comprehensive systems-level review of an entire OT environment.

The scale of cyber risks to critical infrastructure has significantly increased in recent years. Consequently, many critical infrastructure providers are adopting a zero-trust architecture approach to protect their IT from cyberattack.

That is a heavy lift in and of itself, but it also falls short of securing the OT devices that run facilities’ operations.


Transformers, water treatment systems, industrial control systems and other OT equipment are difficult to replace, so many have been in use for decades. They may be mechanical, not computerized. Newer IoT sensor-based devices may be physically small with low power capacity.

Taken together, these systems create a complicated environment where, despite an industry push to move to IP-based platforms, the majority of installed OT equipment cannot natively support zero-trust requirements.

How zero trust works

Fundamentally, zero trust is a set of principles backed by an exhaustive set of industry best practices. The idea is to never trust and always verify: every user, device and request is authenticated and authorized each time, regardless of where it sits on the network. That makes it an all-or-nothing proposition for whatever domain is being secured, because the environment is only as strong as its weakest link.


Consider, for example, the 2021 Colonial Pipeline attack. The intruders logged in with a compromised password for a legacy VPN account that was no longer in active use and was not protected by multifactor authentication. The ransomware incident that followed led to shutting down the pipeline for six days.

Zero-trust principles would have required that every remote session be authenticated with MFA and tied to a verified device: an agent or posture check confirming that the endpoint is patched and running the expected configuration before access is granted, with dormant accounts and noncompliant devices cut off from the network.

Had such controls been in place, a single stolen password would not have been enough to get in. More broadly, with new Common Vulnerabilities and Exposures (CVEs) and software updates being issued constantly, equipment that lacks continual verification of its identity, patch level and configuration cannot be protected against this class of attack.


Other than for air-gapped systems, achieving zero trust in an OT environment means legacy equipment must be modernized, updated, patched, and able to perform continuous authentication and authorization. Such a massive updating effort and expense can only be achieved over many years, if at all, even in the face of pressing cyber threats today. In the meantime, vital infrastructure remains vulnerable.

Staking out zero-trust boundaries

Rather than attempting the unrealistic goal of a wholesale OT upgrade, a more manageable approach is to set zero-trust boundaries and advance in stages. CISA's Zero Trust Maturity Model, for example, describes four stages of maturity: traditional, initial, advanced and optimal.

The level of maturity that can be achieved depends largely on a device's capabilities. For example, continuous monitoring is a zero-trust requirement, but a legacy device that generates no logs cannot be monitored from the inside; whatever visibility exists has to come from the network around it, such as a passive tap on its traffic.

Instead, focus on making internal enterprise services zero-trust compliant at the application and services layers, then augment with technologies such as filtering and data diodes to secure the user layer and the specific infrastructure microsegments holding the most sensitive data.


This requires determining what data needs to move between the OT and enterprise IT systems. Extracting data from an old OT device can be secured relatively easily with a data diode, hardware that physically allows data to flow in one direction only. Data can be tagged and fed into the zero-trust environment as it is imported. Moving data from IT systems out to legacy OT devices, however, is more complex.

For example, under zero trust, command and control traffic to a device requires that the sender be strongly authenticated, with multifactor authentication for human operators. But legacy devices were built before MFA capability existed, and adding it raises the cost of equipment in a market where the lowest price is often the competitive advantage.

By separating the IoT devices with data diodes, organizations can focus precious resources on the zero-trust compliance of the more capable systems that process the data from those devices.
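As an added illustration of the one-way import path described above (not code from the article or from any vendor's product), the following Python sketch shows the IT-side receiver behind a data diode. Because a diode has no return path, the receiver cannot acknowledge frames or request retransmission; it can only verify each frame, record gaps, discard replays and tampered data, and tag what it accepts before handing it into the zero-trust environment. The frame layout, the shared integrity key, the source label and the sample telemetry are all constructed for the example.

```python
"""Added example: the IT-side receiver behind a one-way data diode.

Frames arrive with no return path, so the receiver verifies, records gaps,
drops replays and tampered frames, and tags what it accepts.  Frame layout,
shared key, source label and telemetry values are all constructed here."""
import hashlib
import hmac
import json
import struct

# Assumption: an integrity key provisioned out-of-band on both sides of the
# diode.  The diode itself enforces only direction; it does not verify data.
KEY = b"example-integrity-key-provisioned-out-of-band"
SOURCE_TAG = "ot/substation-7/rtu-12"          # hypothetical source label
MAC_LEN = 32                                    # HMAC-SHA256 digest length


def frame(seq, record):
    """OT side: 8-byte big-endian sequence number | JSON record | HMAC-SHA256."""
    body = struct.pack(">Q", seq) + json.dumps(record, sort_keys=True).encode()
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


class DiodeReceiver:
    """IT side of the diode.  Accepted records are tagged with their source and
    import time and marked as unverified OT telemetry for downstream policy."""

    def __init__(self, source_tag):
        self.source_tag = source_tag
        self.next_seq = 0        # next sequence number we expect to see
        self.gaps = []           # (first_missing, last_missing) per loss event
        self.rejected = 0        # tampered, truncated or replayed frames
        self.accepted = []       # tagged records handed to the ZT environment

    def receive(self, data, import_time):
        """Verify one frame; return the tagged record, or None if rejected."""
        if len(data) < 8 + MAC_LEN:
            self.rejected += 1
            return None
        body, mac = data[:-MAC_LEN], data[-MAC_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            self.rejected += 1                   # corrupted or tampered in transit
            return None
        seq = struct.unpack(">Q", body[:8])[0]
        if seq < self.next_seq:
            self.rejected += 1                   # duplicate or replayed frame
            return None
        if seq > self.next_seq:
            # No way to ask for a resend across a diode: record the loss instead.
            self.gaps.append((self.next_seq, seq - 1))
        self.next_seq = seq + 1
        tagged = {
            "source": self.source_tag,
            "seq": seq,
            "imported_at": import_time,
            "trust": "unverified-ot-telemetry",
            "data": json.loads(body[8:]),
        }
        self.accepted.append(tagged)
        return tagged


def simulate():
    """Push frames through a lossy one-way link: frame 1 is lost, frame 2 is
    replayed, and a tampered copy of frame 0 is injected.  Returns the receiver."""
    rx = DiodeReceiver(SOURCE_TAG)
    frames = [frame(i, {"tag": "TX7.OIL_TEMP_C", "value": 61.5 + i}) for i in range(3)]
    tampered = bytearray(frames[0])
    tampered[12] ^= 0xFF                         # flip one byte inside the payload
    for data in (frames[0], frames[2], frames[2], bytes(tampered)):
        rx.receive(data, import_time=1_700_000_000)
    return rx


if __name__ == "__main__":
    rx = simulate()
    print(f"accepted={len(rx.accepted)} rejected={rx.rejected} gaps={rx.gaps}")
```

The point of the gap list is the design constraint the paragraph describes: on a one-way link, loss is something you account for and alert on, not something you recover by asking the OT side to resend.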

Transport Layer Security (TLS) certificates are also essential to zero-trust compliance, providing strong cryptographic identity verification and secure communications for both users and machines. Multiple certificates are often required for a single zero-trust service, and many services will be needed, so the number of certificates to manage grows quickly.


Mutual TLS authentication establishes that both entities in the conversation actually are who they say they are, because each side must prove possession of the private key matching its certificate. Based on that verified identity, zero-trust architectures can enforce concepts like least privilege: allowing systems, devices and users access only to the resources they are required and allowed to access.

Certificates have typically been valid for one year and renewed annually. The CA/Browser Forum, which sets the rules for publicly trusted certificates, is reducing that maximum over the next four years to just 47 days, a shift that aligns with zero trust's continuous authentication and authorization requirements. Browsers and applications already refuse to connect when a certificate has expired, and they will reject certificates issued for longer than the permitted maximum. Private PKIs used inside an OT environment are not bound by that rule, but the same short lifetimes are increasingly expected there as well, and they bring the same operational burden.

This can become especially problematic in the event of a systems outage, which can cost hundreds of thousands of dollars or more. If certificates expire while the outage is under way, the users and devices holding them are locked out of the very systems they need to restore.
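The identity-to-least-privilege step and the short-lifetime arithmetic described above, as an added example (not the author's or any product's code): a policy check run on the peer certificate that an mTLS handshake has already verified, in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns. The SPIFFE-style URI identities, the policy table, the 47-day maximum, the renew-at-one-third rule and the sample certificates are assumptions constructed for the example.

```python
"""Added example: authorization layered on an mTLS-verified peer certificate,
with lifetime checks sized for 47-day certificates.  Identities, policy table
and sample certificates are constructed assumptions, not a real deployment."""
import ssl

DAY = 86400
MAX_LIFETIME_DAYS = 47        # assumed policy maximum, matching the CA/B Forum end state
RENEW_FRACTION = 1 / 3        # assumed rule: renew once a third of the lifetime remains

# Assumed least-privilege policy: SPIFFE-style URI identity -> permitted actions.
POLICY = {
    "spiffe://ot.example/historian-ingest": {"read:telemetry", "write:historian"},
    "spiffe://ot.example/ops-console": {"read:telemetry"},
}


def san_uris(cert):
    """URI entries of subjectAltName from a getpeercert()-style dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "URI"]


def validity(cert):
    """(notBefore, notAfter) as POSIX seconds, parsed by the ssl module."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def lifetime_days(cert):
    not_before, not_after = validity(cert)
    return (not_after - not_before) / DAY


def days_remaining(cert, now):
    return (validity(cert)[1] - now) / DAY


def renewal_due(cert, now):
    """True once remaining validity has fallen to RENEW_FRACTION of the lifetime,
    so renewal happens well before expiry rather than in the middle of an outage."""
    return days_remaining(cert, now) <= lifetime_days(cert) * RENEW_FRACTION


def authorize(cert, action, now):
    """Decide whether the authenticated peer may perform `action`.

    The handshake has already proven the peer holds the certificate's private
    key; this is the least-privilege step built on that identity.  Returns
    (allowed, reason)."""
    not_before, not_after = validity(cert)
    if not (not_before <= now < not_after):
        return False, "certificate outside its validity period"
    if lifetime_days(cert) > MAX_LIFETIME_DAYS:
        return False, "certificate lifetime exceeds policy maximum"
    uris = san_uris(cert)
    if len(uris) != 1:
        return False, "expected exactly one URI SAN as the workload identity"
    identity = uris[0]
    permitted = POLICY.get(identity)
    if permitted is None:
        return False, f"unknown identity {identity}"
    if action not in permitted:
        return False, f"{identity} is not permitted {action}"
    return True, f"{identity} permitted {action}"


# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns; real certificates carry more fields.
INGEST_CERT = {
    "subject": ((("commonName", "historian-ingest"),),),
    "notBefore": "Mar  1 00:00:00 2029 GMT",
    "notAfter": "Apr 17 00:00:00 2029 GMT",      # 47-day lifetime
    "subjectAltName": (("URI", "spiffe://ot.example/historian-ingest"),),
}
CONSOLE_CERT = {
    "subject": ((("commonName", "ops-console"),),),
    "notBefore": "Jan  1 00:00:00 2029 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",      # one-year lifetime, over the maximum
    "subjectAltName": (("URI", "spiffe://ot.example/ops-console"),),
}
NOW = ssl.cert_time_to_seconds("Apr  3 00:00:00 2029 GMT")   # 14 days before expiry

if __name__ == "__main__":
    print(authorize(INGEST_CERT, "write:historian", NOW))
    print(authorize(INGEST_CERT, "read:plc-config", NOW))
    print(authorize(CONSOLE_CERT, "read:telemetry", NOW))
    print("renewal due:", renewal_due(INGEST_CERT, NOW))
```

Two details matter in practice. The identity is taken from the URI SAN rather than the common name, because the SAN is what modern TLS stacks actually verify. And the renewal check is separate from the authorization check: an operator wants the alarm to fire days before a certificate stops working, not at the moment a connection is refused.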


Without having fully thought through zero-trust requirements, including the staffing they demand (for example, designating a person to manage the public key infrastructure certificates essential to encryption), the means to troubleshoot issues like expired certificates, and automation of as many of the associated processes as possible, commercial and even government OT operators will struggle to recover from such incidents.

Taking an incremental approach

Implementing zero trust therefore requires a comprehensive systems-level review of the entire OT environment. Operators need to understand where they are vulnerable and how they can survive more than one fault at a time. Any zero-trust plan should incorporate troubleshooting and testing, just as a disaster recovery plan does.

Fortunately, there is detailed guidance to help. The Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model and the U.S. Defense Department’s Zero Trust Reference Architecture both offer detailed frameworks.


The key is taking incremental steps, applying the technologies best suited to each need. By focusing on zero trust at the application and services layers, using data diodes between IoT devices and filtering between internal and external users, critical infrastructure operators will make significant strides in protecting the OT on which their business and their users greatly depend.

About the Author

Michael Blake

Michael Blake is VP of solutions engineering at Owl Cyber Defense, which is a provider of cross-domain, data-diode, and portable media solutions that harden network security checkpoints for threat prevention and secure data availability.