Zero trust isn’t just for IT, it can also protect targeted critical infrastructure
Gartner predicts that by 2025 cyber attackers will have weaponized OT environments to successfully harm or kill humans. Not only is a solution to secure OT assets imperative, but it may also be a matter of life and death.
Bare-minimum OT security is no longer passable in today’s cyber landscape. A future-proof solution is already effective in the IT world: zero trust. Let’s examine some of the big challenges in OT security, and how zero trust can fix them.
Evolving the mindset
Visibility into OT environments is one of the biggest issues in the industry. Many organizations lack detailed information about their networks, to the point that they are not aware of all the resources connected to them. Unless organizations have that visibility as a starting point, they won’t know what they are supposed to protect.
Many assume there is no problem until they see proof of a breach, and at that point it’s too late. A proper OT security plan certainly must include necessary certifications, protocols for understanding how to respond to incidents, how to detect them, and how to patch a network, but that plan also needs to go further.
The first step, which is a challenge for many organizations, is understanding what they have in their OT environments, how that is connected to their IT networks and the Internet, and what risks exist because of those connections. Organizations need to automate the inventory of all production assets in real time, including detailed critical-asset visibility and vulnerability management capabilities. Once security teams know what the attack surface truly looks like, they will know where the critical points in the OT environments are. From there, they can immediately start reducing access to those points and patch any areas they find to be vulnerable.
Zero trust, explained
Zero trust is a security framework that assumes every user or device is a potential threat. Tools that use zero trust apply least-privilege access to individual users and devices based on identity and context within changing parameters. (Legacy security tools simply look at an IP address.)
Implementing zero trust requires an understanding of best practices to keep OT environments safe. This can be a burdensome challenge for organizations that have had the same pattern of activity for decades and don’t want to affect the production of legacy machines. While implementing zero trust tools may break old patterns, it is necessary to make some uncomfortable changes for the betterment of security.
Zero trust is particularly effective in policing remote access, which has gained steam during the pandemic with so many people working from home. Remote access is also how many bad actors gain access to their victims’ systems. Sometimes they can infect third parties or even employees with malware and gain access to a network using those trusted users as vectors.
By deploying tools that utilize zero trust, you have a more comprehensive strategy than simply relying on a virtual private network (VPN), which is what was breached to give attackers access in the Colonial Pipeline attack. Many VPN alternatives are no better: Remote Desktop Protocol (RDP) was used as an attack vector 71 billion times between January 2020 and June 2021, according to ESET.
What makes zero trust a great approach to securing OT is the ability to map out where a company’s crown jewels are and then control access to those assets before attackers can breach the OT network. This can be taken a step further with micro-segmentation. While not a facet of zero trust, micro-segmentation plays well with that paradigm because segmenting a network and then granting access to certain segments is a great way to reduce lateral movement within a network.
Nearly every organization is “breachable” if a bad actor tries hard enough. Hackers are constantly finding new vectors to use as they attack. Micro-segmentation keeps your organization’s attack surface small. That means instead of losing tens or hundreds of millions in revenue, or even lives, you’ll just lose a production line or a specific part of your operational capabilities.
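To make the contrast concrete, here is an added illustration (not code from the article or any product it mentions) of a per-request access decision that keys on identity, device posture and micro-segment membership, next to a legacy check that keys on the source IP alone. The segments, roles, asset names and requests are constructed for the example.

```python
# Added illustration: zero-trust access decision vs. legacy IP allowlist for OT.
# All segment names, roles, assets and IPs below are constructed sample data.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed micro-segments and the crown-jewel assets inside each one.
SEGMENTS = {
    "engineering": {"eng-workstation-1"},
    "line-a-plc":  {"plc-a1", "hmi-a1"},
    "line-b-plc":  {"plc-b1"},
}

# Least-privilege policy: which segments a role may reach, plus the session
# and device conditions that must hold at the moment of each request.
POLICY = {
    "line-a-engineer": {"segments": {"line-a-plc"}, "mfa": True, "managed_device": True},
    "vendor-support":  {"segments": {"line-b-plc"}, "mfa": True, "managed_device": True},
}

LEGACY_ALLOWED_IPS = {"10.0.5.20"}  # the only thing a legacy tool looks at

@dataclass
class Request:
    user: str
    role: str
    source_ip: str
    asset: str
    mfa_passed: bool
    managed_device: bool

def legacy_allows(req: Request) -> bool:
    """Legacy model: a trusted source address is treated as a trusted session."""
    return req.source_ip in LEGACY_ALLOWED_IPS

def segment_of(asset: str) -> Optional[str]:
    """Return the micro-segment an asset belongs to, or None if unknown."""
    return next((s for s, assets in SEGMENTS.items() if asset in assets), None)

def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Deny by default; grant only when identity, context and segment all match."""
    rule = POLICY.get(req.role)
    if rule is None:
        return False, "no policy for role"
    if rule["mfa"] and not req.mfa_passed:
        return False, "mfa required"
    if rule["managed_device"] and not req.managed_device:
        return False, "unmanaged device"
    seg = segment_of(req.asset)
    if seg is None or seg not in rule["segments"]:
        return False, f"asset outside permitted segments ({seg})"
    return True, f"allowed into segment {seg}"
```

The case worth noticing is a session from a trusted address reaching for an asset in a segment the role is not entitled to: the legacy check waves it through, while the zero-trust check confines the blast radius to one production line.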
A look at the future
While there are some parallels to draw between the IT scene of yesteryear and today’s OT landscape, there is a big difference that’s beneficial: there is more awareness.
President Biden’s executive order is one step toward organizations being better prepared for a breach, and cybersecurity teams now more readily share news with their colleagues about everything from nation-state attacks to individual security controls. With this new level of awareness, it becomes clear that another layer of protection is needed, and zero trust can help provide it.
It’s important to note that, while adopting zero trust is complex, it can be done in steps. Making wholesale changes to an entire organization’s security environment overnight isn’t feasible. It needs to be done bit by bit, and every advancement in that process helps reduce risk, which is ultimately the goal.