Industrial Cybersecurity: Applying Zero Trust and CARTA to Operational Technology (OT)

The integration of IT and OT is a well established trend, driven by the business benefits that typically come with richer real-time information sharing, analysis, and response. While the cybersecurity concerns of the IT-OT convergence are numerous and significant, the horse has left the barn, and cybersecurity teams need to respond strategically across infrastructure domains.

The IT-OT convergence is driving a related convergence of IT and OT cybersecurity teams, as well as a consolidation of responsibility. One interesting byproduct of that consolidation is the application of best practice IT cybersecurity models in OT environments. Two models that have been gaining traction over the last several years are Forrester’s Zero Trust model and Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA).

Learn about cybersecurity for OT in our A Comprehensive Guide to Operational Technology (OT) Cybersecurity.

What is Zero Trust in OT Networks?

As the name implies, Zero Trust security is based on the simple premise that there is no such thing as a trusted source. This means that cybersecurity teams need to assume that there are attackers present both inside and outside of their networks and therefore treat all traffic as suspect. This, in turn, suggests that no communications should be allowed until each party is properly authenticated and authorized.

The Zero Trust security concept has expanded over the years from its early focus chiefly on micro-segmentation of networks. Network segmentation, of course, isn’t new. Security teams have used firewalls, access control lists (ACL), and virtual local area networks (VLAN) for network segmentation for years. Micro-segmentation differs in several ways. While traditional segmentation was chiefly concerned with controlling north/south traffic (e.g., in and out of a data center), micro-segmentation is chiefly concerned with segmenting traffic moving east/west (e.g., between applications in a data center).

One Example of Micro-Segmentation or Process Segmentation in OT Environments

The term Software Defined Perimeter was introduced in 2016 in a Gartner research paper, and its utility in enabling Zero Trust network access was recognized. The Cloud Security Alliance (CSA) recently released a white paper titled Software-Defined Perimeter (SDP) and Zero Trust, which makes the case that Software Defined Perimeter is, in fact, the most advanced implementation of a Zero Trust strategy. SDP can also be used effectively to enable micro-segmentation.

The CSA calls out the following three requirements for implementing SDP:

• Separating the control plane where trust is established from the data plane where actual data is transferred.

• Hiding the infrastructure (e.g., blackening the servers) using a dynamic deny-all firewall (not deny-all, allow exceptions) — the point where all unauthorized packets are dropped for logging and analyzing traffic.

• Using single packet authorization to authenticate and authorize users and validate devices for access to protected services — least privilege is implicit in this protocol.

OT cybersecurity teams need to cloak all assets by providing no public IP addresses or open ports willing to accept connections. Authentication and authorization need to be completed prior to network connection acceptance, and access controls should take into consideration the current security posture of devices before granting access. After approval, connections should be monitored, analyzed, and audited.

This Zero Trust/SDP model requires the adoption of a least privilege access strategy that assigns access permissions to users, applications, and data based on specific and defined need. Secure access is enforced regardless of where (e.g., inside or outside the LAN) access is requested, and access controls are fine-grained and revocable. It is also important that all access control activity is logged and audited with the ability to generate alerts automatically.

Continuous Adaptive Risk and Trust Assessment (CARTA) in OT Networks

The Continuous Adaptive Risk and Trust Assessment (CARTA) strategy takes an even broader view of security than Zero Trust or SDN. But CARTA overlaps with Zero Trust in several important ways. Gartner sees Zero Trust as a necessary but not sufficient step in achieving CARTA. As described by Gartner, the Continuous Adaptive Risk and Trust Assessment (CARTA) Imperatives are as follows:

Imperative No. 1: Deploy Context-Aware, Adaptive and Programmable Security Platforms

Imperative No. 2: Continuously Discover, Monitor, Assess, and Prioritize Risk — Proactively and Reactively

Imperative No. 3: Perform Risk and Trust Assessments Early in Digital Business Initiatives

Imperative No. 4: Instrument Infrastructure for Comprehensive, Full Stack Risk Visibility, Including Sensitive Data Handling

Imperative No. 5: Use Analytics, AI, Automation and Orchestration to Speed the Time to Detect and Respond, and to Scale Limited Resources

Imperative No. 6: Architect Security as an Integrated, Adaptive Programmable System, Not in Silos

Imperative No. 7: Put Continuous Data-Driven Risk Decision Making and Risk Ownership into Business Units and Product Owners

Several of these imperatives clearly overlap with Zero Trust, particularly Imperative No. 3. In practice, both strategies demand:

• 100% endpoint discovery, visibility, and control

• Posture assessment and remediation or blocking of physical and virtual devices

• Ability to manage agentless IoT devices and cyber-physical OT systems

• Micro-segmentation to limit lateral movement through networks and contain breaches

• Continuous monitoring, assessment, and remediation of operational and cybersecurity risk

Getting Started – Implementing OT Micro-Segmentation as a First Step

OT cybersecurity teams should embrace the maturing Zero Trust network strategy, which many of their IT counterparts have adopted as the default paradigm for enterprise cybersecurity. Fully implementing Zero Trust, however, should be viewed as a long-term objective.

Micro-segmentation should always be considered a best practice in implementing a Zero Trust strategy, and serves as a good first step on the journey to Zero Trust (for a closer look at industrial network segmentation, read Industrial Control System Security and Segmentation).

More mature implementations of Zero Trust for OT will include fine-grained access controls based on a continuously-updated view of asset conditions and network traffic, administered with a view toward enhancing the overarching goals of operational safety, reliability, and productivity.