Operational technology and zero trust
Zero trust, otherwise known as zero trust architecture (ZTA), is a shift in the way we think about security. Zero trust is the concept of centralizing policy control, limiting lateral movement throughout the organization, moving from traditional edge boundaries to fine-grained segmentation, and providing least-privilege access to resources based on context. This shift means that organizations need to treat their assets, whether they are machines, people, or data, differently than before.
Organizations should limit the visibility of resources on the network through dynamic, identity-based policies, rather than providing broad access to large areas of the network and relying on user authentication alone. Done well, the move to zero trust significantly reduces an organization's cyber risk.
In a recent discussion with Jack Freund, Head of Methodology at VisibleRisk, and co-author of the book “Measuring and Managing Information Risk: A FAIR Approach”, Jack said, “I’d be willing to estimate that a relatively proficient threat actor leveraging a compromised endpoint to exfiltrate data or disable critical business services faces an additional 20%-70% level of difficulty in achieving their goal, depending upon how well configured and ubiquitous the ZTA is”. He says that “OT really should be zero trust by default, else the loss potential will skew towards worst case outcomes.”
However, the recent push to adopt zero trust across industries is focused mainly on information technology (IT) and remote workforces, rather than the entire organization, including any operational technology (OT) in use. This leaves a significant portion of the organization unprotected and at risk.
While many cybersecurity programs are indeed IT-centric, the vast majority of what drives a company’s bottom line may be the infrastructure that manufactures products, operates data centers, cools buildings, and manages physical access to facilities and even shuttles people and products around the world in planes, trains, and automobiles. This infrastructure is known as operational technology and should not be left out of the equation when considering cyber risk to an organization.
Consider this: if a ransomware attack happens in the building management systems, causing the air filtering systems in a semiconductor fab to go offline, this may cause production to shut down, ultimately affecting the company’s productivity and profitability. OT risks are real and should be addressed with as much importance as IT risks.
When identifying cyber risks in the organization, it’s important to consider these additional questions:
- What visibility does your security organization have into what is going on in the OT networks?
- Are OT networks physically separate or connected to IT networks?
- What risk does that connectivity, or lack thereof, pose?
- Who has access to the OT networks?
- Do you know what vendors are really doing with your data?
- What security measures do vendors take when they connect to your OT networks?
Before you can control access to a resource – whether it's data, a computer, or a piece of machinery – you need to know as much about that resource as possible. You can't control what you don't know about, and you can't develop access policies if you don't understand how the resource communicates on the network and where in the network it is connected. OT networks and devices are vastly different from traditional IT network devices. They can utilize specialized protocols, communicate over non-traditional networks, and sometimes even need to "phone home" to their vendors to function.
This creates many challenges for security organizations, especially when traditional IT security tools are used to manage OT environments. Those tools can be invasive: active scanning and endpoint agents built for IT hosts can disrupt controllers and other OT devices, potentially affecting production. In many cases, specialized tools are a must.
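The following is an added example, not code from the original article or from any vendor mentioned in it, of what an identity-based, default-deny policy looks like once the OT inventory described above exists. The inventory, the rules and the flow records are all constructed for illustration (hostnames, the 10.10.0.0/16 addressing and the TEST-NET vendor address are assumptions). Policy is keyed on each asset's role and segmentation zone rather than on IP addresses, cross-cell traffic is refused even when the protocol is legitimate, vendor "phone home" traffic is allowed only from a designated egress gateway, and any device missing from the inventory is flagged, since no policy can exist for it.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str   # segmentation zone, e.g. one production cell
    role: str   # the identity the policy keys on, not the IP address


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    protocol: str
    port: int
    same_zone: bool   # True: both peers must sit in the same zone (no cross-cell lateral movement)
    reason: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    port: int


# Constructed inventory for one hypothetical plant; in practice this comes from an OT discovery tool.
INVENTORY = [
    Asset("PLC-CELL1", "10.10.1.10", "cell-1", "plc"),
    Asset("HMI-CELL1", "10.10.1.20", "cell-1", "hmi"),
    Asset("PLC-CELL2", "10.10.2.10", "cell-2", "plc"),
    Asset("HMI-CELL2", "10.10.2.20", "cell-2", "hmi"),
    Asset("HISTORIAN", "10.10.0.5", "scada", "historian"),
    Asset("EGRESS-GW", "10.10.0.1", "scada", "egress-gateway"),
    Asset("VENDOR-CLOUD", "203.0.113.7", "vendor", "vendor-cloud"),  # TEST-NET-3 address, hypothetical
]

# Default deny: any flow not matched by one of these rules is flagged.
POLICY = [
    Rule("hmi", "plc", "modbus", 502, True, "operator station controls the PLC in its own cell"),
    Rule("historian", "plc", "modbus", 502, False, "historian polls every cell's PLC"),
    Rule("egress-gateway", "vendor-cloud", "tls", 443, False, "vendor phone-home only via the egress gateway"),
]


def evaluate(flow: Flow, inventory=INVENTORY, policy=POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for one observed flow."""
    by_ip = {a.ip: a for a in inventory}
    src, dst = by_ip.get(flow.src_ip), by_ip.get(flow.dst_ip)
    if src is None or dst is None:
        # No inventory entry means no identity, and therefore no policy can apply.
        unknown = flow.src_ip if src is None else flow.dst_ip
        return False, f"unknown asset {unknown}"
    for rule in policy:
        if (rule.src_role, rule.dst_role, rule.protocol, rule.port) != (src.role, dst.role, flow.protocol, flow.port):
            continue
        if rule.same_zone and src.zone != dst.zone:
            # Right protocol and roles, wrong zone: this is the lateral movement segmentation should stop.
            return False, f"{src.name} -> {dst.name}: {rule.src_role}->{rule.dst_role} allowed only within one zone"
        return True, rule.reason
    return False, f"{src.name} -> {dst.name} {flow.protocol}/{flow.port}: no rule (default deny)"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that the policy does not explicitly permit, with the reason."""
    return [(f, reason) for f in flows if not (result := evaluate(f))[0] for reason in [result[1]]]


# Constructed flow records, as a passive OT monitor might report them.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.1.10", "modbus", 502),   # HMI to its own PLC: expected
    Flow("10.10.1.20", "10.10.2.10", "modbus", 502),   # HMI reaching into cell 2: lateral movement
    Flow("10.10.0.5", "10.10.2.10", "modbus", 502),    # historian polling a PLC: expected
    Flow("10.10.1.10", "203.0.113.7", "tls", 443),     # PLC phoning home directly, bypassing the gateway
    Flow("10.10.0.1", "203.0.113.7", "tls", 443),      # gateway to vendor: expected
    Flow("10.10.9.99", "10.10.1.10", "modbus", 502),   # device not in the inventory talking Modbus to a PLC
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"FLAGGED {flow.src_ip} -> {flow.dst_ip} {flow.protocol}/{flow.port}: {reason}")
```

Running the block flags three of the six constructed flows: the cross-cell HMI session, the PLC contacting the vendor directly, and the uninventoried device. The point of the structure is that the rules never mention an address; re-addressing a cell or adding a second HMI changes the inventory, not the policy.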
Moreover, many organizations are trying to move their compute resources out to the public cloud. While this makes economic sense, especially when considering the rapid ability to scale, the cloud migration poses additional risk to security within the OT environments. Without proper architecture and tooling, the risk may be quite significant.
When developing the security architecture, security teams need to consider all environments: cloud, on-premises IT, OT, remote workers, and even third parties such as contractors and vendors. Leaving out any one of these areas can significantly impact the organization when it is hit with a security event.
No executive, board of directors or shareholder wants to hear that revenue was impacted because a section of the network was left unprotected – no matter how big or small. Work with your plant and facilities managers to develop an understanding of the difference between your IT and OT environments, and how the policies should be applied without impacting production capacity.
Tools from companies like Armis, Claroty and others are designed specifically with OT security in mind: they map out the infrastructure, monitor for behavior anomalies, and control access. These types of tools are an essential component of a comprehensive zero trust strategy that encompasses both the IT and OT environments.
Security has evolved and will continue to evolve, and zero trust will evolve with it. Developing a clear strategy and adopting today's zero trust principles in both your IT and OT environments can help your organization be more flexible and significantly reduce the risk of outages and downtime.