Zero Trust for Operational Technology: 6 Key Considerations
Written by Mission Secure
Zero Trust has become the dominant paradigm for IT security, influencing how organizations around the world design their networks and grant access to systems and data. In fact, the Zero Trust concept is so prevalent that it effectively became U.S. government policy with 2021’s Executive Order on Improving the Nation’s Cybersecurity.
Despite its widespread adoption in IT, the concept of Zero Trust has met with suspicion, if not outright rejection, in the world of operational technology. Perhaps it's finally time for that to change.
Most OT security professionals would probably agree that the core principles of Zero Trust—assume the network has been compromised and limit activity to only what is necessary—are relevant in OT environments, especially now that industrial assets routinely connect to IT systems and the cloud. Actually implementing a Zero Trust architecture in an OT environment is another matter. The unique characteristics of OT devices, together with concerns about disrupting operations, have led many industrial operators to dismiss Zero Trust as an unattainable goal.
However, with the right technology and the right approach, Zero Trust principles can be implemented safely and effectively in OT networks, dramatically reducing the risk of a cyber attack against energy facilities, manufacturing operations, transportation systems, and other critical infrastructure.
Defining Zero Trust for OT
Any discussion of the topic has to start with the disclaimer that Zero Trust is not a product or a technology. It’s a set of assumptions and objectives that can guide an organization’s cybersecurity strategy. There is no single universally accepted definition of the term (NIST SP 800-207 offers one), although the description in Executive Order 14028 sums it up well:
“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
Even in the IT world, one company’s interpretation of Zero Trust might be very different from another company’s, and neither would necessarily be wrong. In the same way, the OT version of Zero Trust will involve different tools and techniques than are used in IT environments, but the result should be similar: threat actors lose the ability to move freely about the network, and malicious activity is contained before it causes widespread damage.
The question is, what tools and strategies are needed to achieve those goals in an OT environment? Here are some key considerations OT organizations should keep in mind while contemplating Zero Trust security models.
1. Visibility is only the beginning
This is a settled point in the IT world, but in OT, the discussion still needs to be had. It’s not enough to simply map your assets and monitor what’s happening on your network. Effective security requires strong measures to detect—and actively block—malicious users, software, and activity.
Passive visibility and alerting tools remain the most common form of OT cybersecurity, even though those tools often create more problems than they solve, endlessly generating alerts and incidents that leave security teams exhausted and the facility no more secure. Many other organizations have avoided implementing OT cybersecurity altogether, in part because passive visibility tools don’t provide enough value to justify the expense and effort.
The landscape appears to be changing, though. According to the most recent Gartner Market Guide for OT Cybersecurity, 82% of organizations have moved past the “awareness” phase on their cybersecurity journeys and are beginning to investigate and implement OT security solutions. And while discovery and visibility tools are still the starting point, organizations eventually reach what Gartner calls the “Oh Wow” moment, when they fully realize the scale of their unmanaged risk and the need to do something active about it.
The next step on the journey can vary from organization to organization. Patch management, threat intelligence, and basic network segmentation are among the more common activities. But to move toward meaningful long-term security and a Zero Trust approach, organizations also need to look at solutions that address a fundamental reality:
2. OT assets weren't designed for security
In an IT ecosystem, where are the crown jewels? Typically not at the endpoints. Employees might store some valuable data on phones and laptops, but the essential IT assets, the ultimate targets for cyber attackers, reside in corporate datacenters or the cloud. The massive file shares and databases that keep an organization in business are housed on powerful, resource-rich computing platforms tended by teams of security personnel. These are environments, in other words, that can support any new cybersecurity technology the organization decides to layer on.
The ultimate OT targets, on the other hand, are often the lowest-powered, least sophisticated assets on the network—PLCs and other Level 1 controllers, together with the cyber-physical devices they control. These are devices that (until recently) were never intended to connect to the outside world, and they have little or no ability to support even basic security tasks like user authentication or malware scanning. They’re also typically the most difficult assets to replace without disrupting operations, even if they’re decades old.
To implement security that protects the lower levels of the OT network, organizations need to address the fact that key assets can’t do the job on their own. In many cases this will necessitate the addition of new technology to act as a security proxy for Level 2, 1, and 0 assets, and to perform operations the assets themselves can't support.
3. OT and IT have different things to worry about
IT Zero Trust, and IT cybersecurity in general, is primarily about protecting data and the systems that hold it. Attackers are typically trying to exfiltrate data or encrypt it for ransom.
OT Zero Trust is about protecting physical processes. Attackers are trying to cause disruption in the real world by damaging or manipulating sensors, pumps, robots, vehicles, and other cyber-physical systems. To prevent that, OT organizations need to tailor their cybersecurity strategies to suit the unique realities of OT environments.
Some Zero Trust strategies, like network segmentation, are equally applicable in IT and OT. Others, like multi-factor authentication, may only be relevant in the upper levels of the OT network (more on that below). OT Zero Trust strategies also need to incorporate factors that don't exist in the IT world—for example, monitoring for anomalies in Level 0 process signals that might indicate a compromise.
4. Identity doesn't always matter
IT Zero Trust policies might take dozens of factors into account, but the single most important consideration is the identity of the user or workload that is requesting access to data or systems.
In OT, the very concept of a user identity tends to disappear, especially in the lower levels of the network. A PLC isn’t going to ask which user entered a command, and the HMI that sent the command might not know anyway. Most legacy industrial protocols, Modbus/TCP for instance, carry no authentication field at all, so the identity of whoever issued a write is simply not present on the wire.
Rather than focusing on identity, OT Zero Trust policies need to evaluate whether network traffic fits the profile of "known good" activity and whether it makes sense given the current state of the assets in the environment:
- Location: does it make sense for this workstation to connect to this PLC?
- Timing: is this connection request coming during a scheduled maintenance window?
- Role in the process: should this device have read/write access to PLCs, or should it only be able to read?
- Relevant protocols: does it make sense for this protocol to be used in this network segment, or by this device?
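As an added illustration of what such a policy looks like in code (this is example code written for this article, not part of the Mission Secure platform or any product), the following Python evaluates constructed Modbus/TCP flows against a small known-good policy that encodes exactly those four factors: location (source host to destination controller), timing (a maintenance window), role in the process (read-only versus write) and protocol. The host names, rules, window and sample frames are assumptions made up for the example; the Modbus/TCP framing and the read/write function codes follow the public Modbus specification. Note the default-deny behaviour: a flow with no matching rule, an unknown function code, or a malformed frame is blocked.

```python
"""Evaluating OT traffic against a known-good policy (added example; not Mission Secure code).

Host names, the policy rules, the maintenance window and the sample frames are
constructed for this illustration. Modbus/TCP framing (7-byte MBAP header followed by
a 1-byte function code) and the read/write function codes follow the public Modbus spec.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Modbus function codes: reads of coils/inputs/registers vs. writes to them.
READ_FUNCS = {1, 2, 3, 4}
WRITE_FUNCS = {5, 6, 15, 16, 23}


def parse_modbus_tcp(frame: bytes) -> tuple[int, int]:
    """Return (unit_id, function_code) from a Modbus/TCP frame, rejecting malformed ones.

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
    length (2, bytes remaining after this field), unit id (1); then the function code.
    """
    if len(frame) < 8:
        raise ValueError("truncated frame")
    if int.from_bytes(frame[2:4], "big") != 0:
        raise ValueError("protocol id is not Modbus")
    if int.from_bytes(frame[4:6], "big") != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return frame[6], frame[7]


@dataclass(frozen=True)
class Rule:
    """One known-good relationship: who may talk to which controller, how, and when."""
    src: str                                    # location: which host
    dst: str                                    # which controller
    proto: str                                  # which protocol belongs on this path
    access: str                                 # role in the process: "read" or "write"
    window: Optional[tuple[time, time]] = None  # timing: writes only inside this window


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    frame: bytes
    seen_at: datetime


def evaluate(flow: Flow, rules: list[Rule]) -> tuple[str, str]:
    """Return ("allow" | "block", reason). Default deny: with no matching rule, block.

    The first rule matching (src, dst, proto) decides, so keep one rule per triple.
    """
    try:
        _unit, func = parse_modbus_tcp(flow.frame)
    except ValueError as exc:
        return "block", f"malformed frame: {exc}"
    if func in WRITE_FUNCS:
        needed = "write"
    elif func in READ_FUNCS:
        needed = "read"
    else:
        return "block", f"function code {func} is not in the known-good set"
    for rule in rules:
        if (rule.src, rule.dst, rule.proto) != (flow.src, flow.dst, flow.proto):
            continue
        if needed == "write" and rule.access != "write":
            return "block", f"{flow.src} is read-only toward {flow.dst}"
        if needed == "write" and rule.window is not None:
            start, end = rule.window
            if not start <= flow.seen_at.time() <= end:
                return "block", f"write to {flow.dst} outside maintenance window"
        return "allow", f"matches known-good rule {flow.src} -> {flow.dst}"
    return "block", f"no known-good rule for {flow.src} -> {flow.dst} over {flow.proto}"


# Constructed policy: the HMI may only read PLC-07; the engineering workstation may
# write to it, but only during the 09:00-12:00 maintenance window.
RULES = [
    Rule("hmi-01", "plc-07", "modbus/tcp", "read"),
    Rule("eng-ws-02", "plc-07", "modbus/tcp", "write", window=(time(9, 0), time(12, 0))),
]

# Constructed frames: FC 3 (read holding registers) and FC 16 (write multiple registers).
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_FRAME = bytes.fromhex("0002 0000 0009 01 10 0000 0001 02 00ff")


def demo() -> dict[str, tuple[str, str]]:
    """Run a handful of constructed flows through the policy; returns label -> decision."""
    during = datetime(2023, 1, 4, 10, 30)  # inside the maintenance window
    night = datetime(2023, 1, 4, 22, 15)   # outside it
    cases = {
        "hmi reads plc": Flow("hmi-01", "plc-07", "modbus/tcp", READ_FRAME, during),
        "hmi writes plc": Flow("hmi-01", "plc-07", "modbus/tcp", WRITE_FRAME, during),
        "eng ws writes in window": Flow("eng-ws-02", "plc-07", "modbus/tcp", WRITE_FRAME, during),
        "eng ws writes at night": Flow("eng-ws-02", "plc-07", "modbus/tcp", WRITE_FRAME, night),
        "unknown host reads plc": Flow("laptop-unknown", "plc-07", "modbus/tcp", READ_FRAME, during),
        "hmi sends truncated frame": Flow("hmi-01", "plc-07", "modbus/tcp", b"\x00\x01\x00\x00", during),
    }
    return {label: evaluate(flow, RULES) for label, flow in cases.items()}


if __name__ == "__main__":
    for label, (decision, reason) in demo().items():
        print(f"{decision:5}  {label:28} {reason}")
```

The point of the example is that no decision depends on who the human behind the HMI or workstation is: the policy is expressed entirely in terms of which device is talking to which controller, over which protocol, with which function code, and when. A real enforcement point would sit inline (a security proxy in front of the Level 1 and Level 0 assets, as described in consideration 2) and would need the same default-deny posture, since anything it cannot parse or does not recognize is, by definition, not known-good.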
Implementing any rules of this sort will be a tremendous change for most organizations, which is why it’s important to note that when it comes to Zero Trust for OT…
5. It’s a journey
Few, if any, organizations have implemented a top-to-bottom OT Zero Trust architecture today. In fact, most of the Zero Trust solutions being marketed for OT environments are simply passive visibility and alerting products. Others focus on narrow pieces of the security puzzle, such as secure remote access, leaving other risks unaddressed.
Mission Secure’s Sentinel 5.0 platform provides the ability to go much further. For the first time, OT organizations can implement true Zero Trust security strategies, with fine-grained, context-aware cybersecurity policy monitoring and enforcement, including the ability to allow or block connections to cyber-physical systems based on conditions such as asset vulnerability score, patch status, user profile, or time of day. To borrow the language of Executive Order 14028, the Mission Secure platform provides “continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
Getting there will take time, even for the most forward-thinking organizations. Asset discovery and passive monitoring remain the first steps on the journey to Zero Trust, usually followed by patch management and network segmentation. But once an organization has a clear picture of what should be happening in its environment, it becomes possible to start closing the door on the things that shouldn’t happen: unexpected external connections, connections to unsafe assets, unnecessary traffic, even erroneous or malicious commands.
6. OT can eventually pass IT on the road to Zero Trust
In a fully mature OT Zero Trust environment, every connection will be authenticated and authorized, every command will be validated, and only “known good” traffic will be permitted to cross the network.
That level of assurance is probably unreachable in IT, because IT systems are made to accommodate human beings, and human beings will always find a way to do something unexpected—something that will confuse even the most sophisticated security algorithm. In a properly regulated OT network, however, all of the expected inputs and outputs—even human interactions—can be defined in advance, and anything that goes outside the guardrails can be immediately detected and addressed.
It may be a slow process implementing that level of security in established facilities, but for greenfield projects, the future doesn’t have to be years or decades away. With the right strategy and the right technology, new facilities can be designed to support Zero Trust architectures from day one.
Mission Secure is already working with some of the world’s largest automation companies and industrial operators to build a Zero Trust future for operational technology. To learn more about how we can support you on your Zero Trust journey, explore our Sentinel 5.0 platform or schedule a consultation today.
Originally published January 4, 2023, updated July 20, 2023.