Zero-trust cybersecurity for increasingly interconnected OT
What you’ll learn:
- OT teams are realizing they need to step up their cybersecurity posture, but traditional OT architectures are shifting.
- As process manufacturers evolve their operations, they will need new cybersecurity tools designed to support a more connected future.
- Many organizations are starting to look for cybersecurity solutions that are more advanced.
- Organizations should ensure they have implemented the basic solutions that every team should have in place.
Process manufacturing has reached an inflection point, with the days when OT teams could rely on “security by obscurity” long gone. Today, everyone is a target, as evidenced by high-profile attacks on OT assets around the globe in just the last five years. Forward-thinking teams know it’s now not a matter of IF their assets will be attacked, but WHEN. The clock is ticking.
OT teams are realizing they need to step up their cybersecurity posture, but they face another related concern. Traditional OT architectures are shifting—some would even argue, disappearing—as interconnectivity between OT technologies and external systems becomes central to the way businesses operate. The data inside OT assets is of increasingly critical value as companies strive to enhance performance and efficiency across the enterprise to capture operational excellence.
Webinar replay: Cybersecurity Challenges, Brought to You by AI
This means that as process manufacturers evolve their operations to better compete in a global marketplace, they will need new cybersecurity tools designed to support a more connected future. While the traditional defense-in-depth architectures will still apply, a move toward a foundational zero-trust cybersecurity architecture is likely to happen in parallel.
OT teams should already be thinking about the strategies that will make the zero-trust journey more successful in the years ahead.
What is zero trust?
The zero-trust security framework follows a single, common baseline: never trust, always verify. No user or device, whether inside or outside of a given network, is trusted by default. Every access request to and from any node on the network, however, must be individually authenticated, authorized, and continuously validated before it is granted access to applications and/or data.
See also: Patchwork of tech, siloed staff plantwide can make for cybersecurity nightmares
An important concept to understand is that zero trust is not a device or product that can be purchased, but it is instead a long-term strategy and company culture made up of individual products, services, behaviors, and architectures.
As such, it is in a constant state of evolution. Like the cybersecurity threats it seeks to remediate, zero trust is always in a state of change. Moreover, zero trust is not only about technology, but involves people and processes as well.
A trend driven by industry
Whether they are steeped in cybersecurity culture or have been impacted by a breach, many organizations are starting to look for cybersecurity solutions that are more advanced.
Some are hearing about zero trust as a potential supplement to their existing cybersecurity strategy, either through security publications or guidelines and recommendations issued by government regulators.
However, when searching the market for zero-trust solutions, OT teams frequently find few or no vendors providing them. While this is frustrating, it happens for a reason. There is no single magic bullet appliance that will provide zero-trust cybersecurity.
See also: How agentic AI can be a 'force multiplier' in IT and OT cybersecurity
Instead, teams wanting to implement zero-trust cybersecurity need to commit to a journey that will evolve in the coming years, and they must do so in collaboration with the solution providers supporting the technologies they rely upon.
The journey will not necessarily be simple, but it will be worth the effort, and those who start today will be far ahead of the curve and much more secure as threats increase in intensity and cadence in coming years.
Where to start the journey
The most important step on a zero-trust journey is defining the roadmap. The OT teams having the most success securing their assets spend time and effort to understand their current cybersecurity posture and their needs and then put a plan into writing.
A zero-trust cybersecurity journey will have several solutions along the way, some that can be easily implemented today, and others which are not yet available or vetted by the organization’s automation solutions provider. However, both the available and emerging technologies should be part of the overall plan.
See also: New report sees surge in OT cybersecurity awareness among manufacturers
Once the team has a plan in place, it can begin implementing the solutions available today. To start this stage, the organization should ensure it has implemented the basic solutions that every team should have in place.
Account management, segmentation of networks and duties, recovery and incident response plans, and endpoint protection are all elements of the baseline for success.
Teams should not wait until the last minute to upgrade soon-to-be-obsolete components, a difficult task, but a fundamental part of the zero-trust journey.
Once those issues are locked down, the team can start exploring more advanced technologies that are available today—such as improved authentication and threat monitoring—and even cutting-edge solutions like endpoint detection and response tied to sophisticated threat intelligence feeds, possibly powered by machine learning and artificial intelligence.
It’s worth noting that OT users are still accustomed to being fully supported by their automation supplier of choice, and while there are indications of a potential paradigm shift within the industrial space, it will take several years—if not decades—before OT users embrace a more flexible and less vendor-dependent approach.
This means that the zero-trust journey now relies primarily on industrial control system providers, and their ability to release features and functions to unleash the full potential of the zero-trust concept.
Preparing for the future
Laying the groundwork for zero trust with today’s available defense in depth technologies is a critical first step, but teams should also be preparing for the future as they implement those solutions. As technology changes and new solutions emerge in the marketplace, some components will reach end-of-life and will need to be replaced.
However, by forming the right collaborative partnerships and making lifecycle-focused decisions early, manufacturers can, to some extent, future-proof their automation and cybersecurity investments in tandem, limiting the amount of required rip and replace.
In addition, teams should not wait until the last minute to upgrade soon-to-be-obsolete components, a difficult task, but a fundamental part of the zero-trust journey.
See also: Securing smart factories when the ‘attack surface’ keeps expanding
Teams should work closely with their automation solutions provider to be sure they are implementing the best protections available for their automation investments across the lifecycle.
This type of partnership not only ensures the OT team is implementing technology appropriate for their unique architecture, but it also helps confirm the solutions provider is continually developing solutions designed to support zero trust architectures as part of their lifecycle development plan.
The most advanced automation solutions providers will view cybersecurity as part of the design process—central to everything they do—rather than something they add on at the end of product development.
Ultimately, because the shift toward zero trust cybersecurity is a long-term goal, investing in collaboration and partnership will be just as important as investing in technology. As end users and solution providers collaborate, they will continue to influence each other, helping create and implement the best solutions as zero trust technology evolves.
Today is the time to start
The Cybersecurity and Infrastructure Security Agency (CISA) provides a Zero Trust Maturity Model to help organizations define criteria and set goals for the zero trust cybersecurity journey. Working with CISA’s model can be helpful, but it can also be overwhelming. That potential complexity, however, should not be a roadblock to starting on the journey.
See also: Unpacking the risks of cyberattacks that bedevil modern manufacturing
Any OT team, no matter their starting point, can begin the zero-trust journey with small steps and preliminary planning to build the right foundation and a targeted roadmap. The team will learn, evolve, and meet limitations along the way, but that is no reason not to start immediately.
Cyberattacks do not wait until targets are ready, and even the smallest steps taken today can dramatically reduce risk and begin a successful cybersecurity transformation across an organization.
About the Author
Alexandre Peixoto
Alexandre Peixoto is cybersecurity business director of Emerson’s process systems and solutions business. In this role since 2021, Peixoto is responsible for sales and operations of cybersecurity solutions and services for the DeltaV system installed base. He actively provides consultation to customers and stakeholders across the organization to improve their cybersecurity posture while reducing the exposure to cyber threats, hence increasing process uptime.