How can 'zero trust' help secure the operational technology environment?

Recent developments and changes in cyberspace, such as the rise in cyber threats, the shift to hybrid work and the ability to bring your own device to the work environment, have increased discussions around the need to improve the overall cybersecurity posture across organizations. Zero trust has emerged as both a potential solution and a challenge creating confusion in cybersecurity circles about its efficacy.

Oftentimes, zero trust is wrongly regarded as the silver bullet or a single technology that will provide a solution to all cyber risks and vulnerabilities in an enterprise. In an attempt to demystify the notion of zero trust and provide more clarity around its actual meaning, the World Economic Forum's Centre for Cybersecurity defined zero trust as a “principle-based model designed within a cybersecurity strategy that enforces a data-centric approach to continuously treat everything as an unknown – whether a human or a machine - to ensure trustworthy behaviour”.

While the development and implementation of zero trust in the information technology (IT) environment dominates much of the conversation, the deployment of zero trust in the operational technology (OT) environment remains relatively overlooked until now.

OT refers to technologies which control and monitor industrial infrastructure and manufacturing equipment. In essence, this kind of technology consists of digital devices that interact with physical objects in order to keep factories, manufacturing equipment, power facilities and such operational.

According to a survey issued by Skybox Security in 2022, 83% of respondents said that they suffered at least one OT security breach in the last 36 months. Such attacks, however, impact different industries to varying degrees. Research shows that the manufacturing industry was by far the most impacted sector in 2021. For comparison, the manufacturing industry faced 61% of the total OT cyber attacks, while the oil and gas industry, as the second most targeted industry, experienced 11% of them.

Considering that 90% of such interruptions need hours or longer to resolve, their cost cannot be overlooked. Another, perhaps more worrisome finding by Gartner suggests that by 2025 malicious cyber attackers could weaponize OT and result in physical damage, potentially causing harm to human life.

To successfully deploy zero trust in the OT environment and respond to the changing threat landscape, organizations should consider adopting the following three best practices for zero trust:

Similar to the IT environment, one of the major challenges in the context of the OT environment is the lack of overview on the thousands of devices connected to an OT network. According to Fortinet, only 13% of organizations have such visibility. One of the reasons why visibility is low is because the OT environment is often widely distributed across diverse geographies and physical sites.

Many organizations still tend to maintain a manual inventory of OT assets using a simple data sheet. Such a practice makes it difficult to ensure the accuracy and completeness of data, which in turn fails to provide a clear picture of procured and disposed assets.

This is why it's key to automate the management of the inventory and keep a centralized and real-time view of OT assets. A clear overview of resources allows organizations to identify and map vulnerabilities and manage the possible consequence and impact of compromised security.

In an era of rapid digitalization in which a convergence of the IT and OT environment is happening, keeping both secure is a necessity. However, the separation between IT and OT networks helps to prevent lateral trans-network movements when accounting for all devices.

If well-setup, a network segmentation can stop a breach and minimize the overall damage. Nevertheless, if not properly setup, any well-placed insider can open a backdoor to allow the attacker to navigate inside the network.

Isolating these various systems requires the following:

Nowadays, the full implementation of zero trust in the industrial environment faces a significant barrier: the readiness of OT from a wide range of perspectives including workforce and technology.

Both IT and OT worlds have evolved with different identity and access management practices over the years. Diverse practices such as physical access controls, remote connections with or without authentication, etc have been incorporated. The whole spectrum of these practices makes the whole access management topic a daunting challenge.

Nevertheless, authentication of every activity is a must and should not be negotiable. It allows for allocation of more granular permissions and enables the security team to detect unusual activity on any system, a prerequisite for a comprehensive management of the attack surface.

Organizations must define who is given access to systems and information under what conditions, with proper policies deployed at all times and across all those with access.

Access control policies must encompass the following:

As many industries embark on the zero trust journey to strengthen their cyber posture, it is important to consider the shift to this security model as a change in organizational mindset rather than an introduction of a single technical solution. Accordingly, it demands a strategic approach to all organizational assets and resources, including OT systems.