how to apply it in OT and IoT infrastructures
Emanuele Temi, technical sales engineer at Nozomi Networks, analyzed whether the Zero Trust approach can also be applied in the field of Operational Technology (OT).
Zero Trust is not a clearly defined IEEE standard, and there is no official description for it, Temi points out.
Each vendor seems to take artistic liberties to suit their own goal, which makes for a very slippery conversation.
What is it supposed to do? What problems should it solve? Most people agree on this much: as the name suggests, Zero Trust changes the network's default stance from "allow access by default" to "block access by default unless it is explicitly granted".
A noble goal, but what does it really entail?
Context is Key to Zero Trust Policies
Before allowing a machine or user to connect to the network, a Zero Trust architecture must always check whether the connection can be established safely and whether it is limited to the minimum set of resources it actually needs.
In addition, these checks must take place for every session rather than just once at the start.
The initial user verification process should not rest on credentials alone, even when stronger controls such as 2FA are in place.
Verifying identity is of course important, but by itself it does not tell you whether the connection can be made safely or should be allowed at all, especially if the device has been compromised.
Where does the connection come from? Is there any indication that the machine used for the connection is compromised? Are there vulnerabilities that pose risks to the rest of the network? What is the communication history between these systems or is it a new connection?
Based on these and many other metrics, far better decisions can be made, dynamically and in real time.
Essentially, Zero Trust is a framework that denies connectivity on the assumption that there is risk, unless proven otherwise.
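The questions above (where the connection comes from, whether the source shows signs of compromise, which vulnerabilities it carries, whether the pair has talked before) can be folded into a single per-session decision. The following is an added illustration, not code from the article or from Nozomi Networks; the field names, zone names and the rule that a compromised source is blocked for an IT destination but only alerted on for an OT destination are assumptions made for this example.

```python
"""Per-session, context-aware Zero Trust decision.

Added illustration, not code from the article or from Nozomi Networks: the
metrics the text names (origin of the connection, indicators of compromise on
the source host, known unpatched vulnerabilities, prior communication
history) are combined into one decision for one session.  Field names, zone
names and the severity rules are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_AND_ALERT = "allow_and_alert"  # let the session through, raise an alert
    DENY = "deny"


@dataclass
class SessionContext:
    user: str
    mfa_passed: bool
    src_host: str
    src_zone: str                      # e.g. "corp", "internet", "ot-cell-3" (assumed names)
    dst_host: str
    dst_port: int
    dst_is_ot: bool = False            # PLC, HMI, RTU ...
    previously_seen: bool = False      # src->dst:port present in the traffic baseline
    src_compromise_indicators: list = field(default_factory=list)  # EDR/IDS findings
    src_unpatched_cves: list = field(default_factory=list)


def evaluate_session(ctx: SessionContext):
    """Return (Decision, reasons).  Evaluated on every session, not once at login."""
    # 1. Identity is the entry ticket, nothing more.
    if not ctx.mfa_passed:
        return Decision.DENY, ["mfa_not_passed"]

    reasons = []
    # 2. Posture of the source host: indicators of compromise outrank identity.
    if ctx.src_compromise_indicators:
        reasons.append("src_compromised:" + ",".join(ctx.src_compromise_indicators))
    # 3. Known exposure of the source host.
    if ctx.src_unpatched_cves:
        reasons.append("src_unpatched:" + ",".join(ctx.src_unpatched_cves))
    # 4. Origin: an OT asset reached from outside its own zone.
    if ctx.dst_is_ot and not ctx.src_zone.startswith("ot-"):
        reasons.append(f"cross_zone:{ctx.src_zone}->ot")
    # 5. History: a never-seen pair is suspicious, not automatically hostile.
    if not ctx.previously_seen:
        reasons.append("new_pair")

    if not reasons:
        return Decision.ALLOW, ["all_checks_passed"]

    # A compromised source is blocked outright when the destination is an IT
    # system.  For an OT destination the session is let through with an alert,
    # because a blind block can hurt production as much as the traffic itself;
    # that trade-off is a design choice of this example, not a general rule.
    compromised = any(r.startswith("src_compromised") for r in reasons)
    if compromised and not ctx.dst_is_ot:
        return Decision.DENY, reasons
    return Decision.ALLOW_AND_ALERT, reasons
```

The point of the structure is that a fully authenticated user never gets a silent ALLOW on the strength of identity alone: every other signal is evaluated on each session, and the reasons list is what the analyst sees in the alert.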
Rather than just defining a minimalist access policy, security posture and context can play a role in improving Zero Trust security, helping to significantly reduce risk and make more informed decisions.
In IT infrastructures in particular, there is substantial movement towards adopting this framework. Networks are "micro-segmented". Remote VPN access is evolving into something more advanced and granular. Agent software is deployed on workstations to gather more information about their security posture, and so on.
Zero Trust for OT/IoT and ICS systems
These developments bring value to IT infrastructure, but how does this translate to OT/IoT infrastructure? What can be done to obtain the same benefits for industrial control systems, cyber-physical devices and critical infrastructure?
Does micro-segmentation make sense for OT? Temi's analysis continues: besides the technical challenges of implementing it, what if traffic is blocked? What impact will that have on the processes?
In IT it is perfectly normal, and even highly desirable, to block traffic suspected of being harmful, but in OT it is risky. Simply blocking it could have an impact on production equal to or greater than that of allowing the traffic through.
What about agents installed on the systems? For many OT and IoT devices such as controllers, sensors, robots and so on, there is no option to install software at all, especially if they run on dedicated processors without a complete operating system.
Very often security was not a consideration when these products were developed. Combine all of this with the ongoing digital transformation in OT and there is a well-founded risk of a perfect storm.
So what can be done about OT? And where to start?
To make better connectivity decisions, more detailed information is needed. Understanding what you are trying to protect is the starting point, just as in IT, but the methods for getting there are different.
Understanding is not just a matter of MAC addresses, IP addresses or ports. It is about knowing the type of device, what hardware and software it runs, and what its expected behaviour is.
Context, policy and timeliness of decisions
It's about knowing how the whole OT environment behaves: which machine is talking to which other machine? With what protocol? What information is exchanged? How frequently?
If you understand this in real time - says Emanuele Temi - you are well on your way to optimal Zero Trust for OT/IoT environments.
The information gathered should be turned into usable data and, finally, into actions.
Knowing the hardware and software versions makes it possible to determine which vulnerabilities apply to the monitored devices, whether those devices are still supported by their vendors, and how they should behave on the network. This is relevant information.
Knowing the behavior of entire OT/IoT networks also involves the ability to detect and alert in case of anomalies.
If devices that have never communicated with each other suddenly start to do so, or if a pair that communicated before now behaves completely differently, an investigation into the legitimacy of that traffic is warranted. It may well be the start of a breach.
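The behavioural baseline described in this section (which machine talks to which, with what protocol, how often) and the anomaly cases just listed can be expressed directly as a small detector. The following is an added example, not code from the article or from any product; the flow records are constructed inline with an assumed (timestamp, src, dst, protocol) layout rather than any specific sensor's export format, and the thresholds are arbitrary. In keeping with the article's caution about blocking in OT, it produces findings for investigation rather than drop decisions. It goes slightly beyond the text by also flagging a known conversation that stops altogether, which is the other face of "completely different behaviour".

```python
"""Baseline the conversations of an OT cell, then flag deviations.

Added example, not code from the article or from any product: flow records
are constructed below with a fixed (timestamp, src, dst, protocol) layout,
which is an assumption, not a specific sensor's export format.  Findings are
alerts for investigation; nothing here blocks traffic.
"""
from collections import Counter
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


def synth(src, dst, proto, start, end, every):
    """Constructed flow records at a fixed interval (sample data only)."""
    return [(t, src, dst, proto) for t in range(start, end, every)]


# Constructed baseline: one day of normal traffic in a small cell.
BASELINE_FLOWS = (
    synth("10.1.1.10", "10.1.1.20", "modbus", 0, DAY, 10)       # HMI polls PLC every 10 s
    + synth("10.1.1.40", "10.1.1.10", "opcua", 0, DAY, 60)      # historian reads HMI
    + synth("10.1.1.30", "10.1.1.20", "s7comm", 0, DAY, 3600)   # EWS checks PLC hourly
)
T0 = DAY
# Constructed observation window: the following hour, with injected deviations.
OBSERVED_FLOWS = (
    synth("10.1.1.10", "10.1.1.20", "modbus", T0, T0 + HOUR, 1)       # HMI polls 10x faster
    + synth("10.1.1.30", "10.1.1.20", "s7comm", T0, T0 + HOUR, 3600)
    + synth("10.1.1.30", "10.1.1.20", "modbus", T0, T0 + HOUR, 600)   # EWS: new protocol to PLC
    + synth("10.1.1.50", "10.1.1.20", "modbus", T0, T0 + HOUR, 120)   # unknown host -> PLC
)   # ... and the historian (10.1.1.40) has gone silent


@dataclass(frozen=True)
class Baseline:
    rates: dict   # (src, dst, proto) -> flows per hour
    pairs: set    # (src, dst) pairs that have talked at all


def learn_baseline(flows, window_seconds):
    """Learn per-conversation rates and the set of known pairs from one window."""
    counts = Counter((s, d, p) for _, s, d, p in flows)
    hours = window_seconds / HOUR
    return Baseline(
        rates={k: n / hours for k, n in counts.items()},
        pairs={(s, d) for (s, d, _) in counts},
    )


def detect_anomalies(baseline, flows, window_seconds, rate_factor=5.0, min_flows=10):
    """Return (kind, (src, dst, proto), detail) findings for one observation window.

    kinds: new_pair      - hosts that never talked before
           new_protocol  - known pair, protocol not in baseline
           rate_change   - known conversation, rate far above baseline
           went_silent   - known conversation expected in the window, absent
    """
    counts = Counter((s, d, p) for _, s, d, p in flows)
    hours = window_seconds / HOUR
    findings = []
    for (s, d, p), n in sorted(counts.items()):
        key = (s, d, p)
        if (s, d) not in baseline.pairs:
            findings.append(("new_pair", key, f"{n} flows from a host never seen talking to {d}"))
        elif key not in baseline.rates:
            findings.append(("new_protocol", key, f"{p} not in baseline for this pair"))
        else:
            observed, expected = n / hours, baseline.rates[key]
            if n >= min_flows and observed > rate_factor * expected:
                findings.append(("rate_change", key, f"{observed:.0f}/h vs baseline {expected:.0f}/h"))
    # Conversations that should have appeared in this window but did not.
    for key, expected in sorted(baseline.rates.items()):
        if key not in counts and expected * hours >= min_flows:
            findings.append(("went_silent", key, f"expected ~{expected * hours:.0f} flows, saw none"))
    return findings


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS, DAY)
    for kind, key, detail in detect_anomalies(base, OBSERVED_FLOWS, HOUR):
        print(f"{kind:13} {key[0]} -> {key[1]} [{key[2]}]: {detail}")
```

On the constructed data this yields one finding of each kind: the HMI polling the PLC ten times faster than usual, the engineering workstation speaking Modbus to a PLC it only ever reached over S7comm, an unknown host talking to the PLC, and the historian falling silent. The `min_flows` floor keeps a once-an-hour maintenance conversation from tripping the rate check on a single extra packet; tune it to the cell you are watching.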
To elaborate on the concept of actionable intelligence: the data collected for Zero Trust should not be reduced to a few lines stating what the probable problem is. It should help determine the impact on the OT network.
For example, patching vulnerabilities can be a major undertaking: how much does your security posture improve for the effort required? That is quantifiable information on which to base an informed decision about installing any given patch.
The suite of tools that make up the cyber defence mechanism should work together and exchange information, acting as quickly as possible so that each one can perform its function effectively.