With the loss of OT’s air gap, organizations need a zero trust security strategy.
by Rick Peters, CISO for Operational Technology, North America for Fortinet Inc.
In the past, operational technology (OT) was isolated from the rest of the enterprise, and this separation, or “air gap,” was the principal security control for the command-and-control networks and systems that support industrial processes. Today, the digitization of operational processes and their connection to other areas of the enterprise have brought productivity and efficiency improvements, but the convergence of IT and OT networks has also opened new threat vectors.
Because OT now has to contend with IT threats, cybersecurity needs a greater share of attention. Given the unique challenges of OT systems and devices, CIOs are seeking tools designed to span their IT and OT networks, with solutions that meet the operational needs of both sides of the organization. One of those is zero-trust access (ZTA), which is about knowing and controlling who and what is on the network; role-based access control is a critical component of that access management.
The zero-trust security model turns the traditional perimeter-based “trust, but verify” model on its head. Instead of assuming that any device or user inside the network perimeter can be trusted, zero trust takes the opposite approach: it starts from the assumption that nothing can be trusted, no matter where it is located. This “never trust, always verify” model means that every request by a user or device for access to a resource must be authenticated and authorized before access is granted, regardless of where the request originates.
Zero trust should be an abiding principle or security practice that persists across any OT enterprise, whether you’re talking about energy and utilities, manufacturing, or transportation.
Enforcing Zero Trust in OT
Enforcing the concept of never trust, always verify means there must be protection at every wired and wireless network node to ensure that all endpoint devices are validated. With the rapid growth in network-enabled sensors on OT systems, protecting these nodes is a crucial step in defending against attack. The ever-growing profusion of network-connected devices includes “headless” IoT devices with no user to present a username and password, so they cannot identify themselves and their role that way. For these devices, network access control (NAC) solutions can be deployed to discover and profile them and to control their access. Through NAC policies, the zero-trust principle of least privilege can be applied to these IoT devices, granting just enough network access to perform their role and nothing more.
OT organizations must practice the principle of least privilege across both internal and external network communications, providing only the access that is minimally required and nothing more. Additionally, placing internal segmentation firewalls at multiple points within the network gives the enterprise extra layers of protection against an array of attack vectors. Internal segmentation acts as a containment strategy: a compromised host in one segment cannot freely move laterally to other segments, or up and down between the IT and OT layers.
The OT world is incorporating many security practices from the IT side, including zero-trust network access (ZTNA), which is one element of the larger ZTA proposition. With the rise in remote work, ZTNA has received more attention because it controls access to applications no matter where the user or the application resides. Many organizations are moving from traditional VPNs to ZTNA because it provides better security, more granular control (access to a specific application rather than to a whole network), and a better user experience.
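The two preceding points, identifying headless devices through NAC rather than a login and enforcing least privilege at internal segmentation boundaries, come together in a per-flow policy check. The following is an added example written for this page, not code from the article or from Fortinet; the zones, IP ranges, MAC prefixes, device inventory and rules are all constructed for illustration. Every flow is denied unless a rule explicitly allows it, a source that NAC has not positively identified is denied outright, and traffic that would cross straight from corporate IT into a process cell is denied whatever the roles involved, because it must pass through the OT DMZ.

```python
"""Per-flow least-privilege check for a converged IT/OT network.

Added example, not code from the original article or from Fortinet. The
zones, device inventory, MAC prefixes and rules are constructed for
illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Segmentation zones; each boundary is enforced by an internal firewall.
ZONES = {
    "corp_it":  ip_network("10.10.0.0/16"),
    "ot_dmz":   ip_network("10.20.0.0/24"),      # jump hosts, historian
    "ot_cell1": ip_network("192.168.10.0/24"),   # PLCs and HMIs
    "ot_cell2": ip_network("192.168.20.0/24"),
}

# NAC inventory (constructed). For headless devices the role comes from the
# device profile (MAC OUI, protocol behaviour), not from a user login.
INVENTORY = {
    "192.168.10.5":  {"role": "plc",         "oui": "00:80:F4", "nac": "identified"},
    "192.168.10.9":  {"role": "hmi",         "oui": "00:1B:1B", "nac": "identified"},
    "10.20.0.4":     {"role": "eng_jump",    "oui": "3C:FD:FE", "nac": "identified"},
    "10.10.4.77":    {"role": "corp_laptop", "oui": "F8:E4:3B", "nac": "identified"},
    "192.168.10.44": {"role": "unknown",     "oui": "DE:AD:BE", "nac": "unidentified"},
}

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    proto: str
    port: int
    reason: str

# Allowlist: what each role needs to do its job and nothing more.
RULES = [
    Rule("hmi",      "plc", "tcp", 502,   "HMI polls PLC over Modbus/TCP"),
    Rule("eng_jump", "plc", "tcp", 502,   "engineering access via OT DMZ jump host"),
    Rule("eng_jump", "plc", "tcp", 44818, "EtherNet/IP configuration via jump host"),
]

# Zone pairs that must never talk directly, whatever the roles involved.
BLOCKED_ZONE_PAIRS = {("corp_it", "ot_cell1"), ("corp_it", "ot_cell2")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its segmentation zone, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Deny is the default outcome."""
    src = INVENTORY.get(flow.src)
    dst = INVENTORY.get(flow.dst)
    if src is None or src["nac"] != "identified":
        return "deny", "source not identified by NAC"
    if dst is None:
        return "deny", "destination not in inventory"
    if (zone_of(flow.src), zone_of(flow.dst)) in BLOCKED_ZONE_PAIRS:
        return "deny", "direct IT-to-cell traffic is blocked by segmentation"
    for r in RULES:
        if (r.src_role, r.dst_role, r.proto, r.port) == (src["role"], dst["role"], flow.proto, flow.port):
            return "allow", r.reason
    return "deny", "no rule for %s -> %s %s/%d" % (src["role"], dst["role"], flow.proto, flow.port)

if __name__ == "__main__":
    samples = [
        Flow("192.168.10.9",  "192.168.10.5", "tcp", 502),    # allow: HMI -> PLC Modbus
        Flow("192.168.10.9",  "192.168.10.5", "tcp", 22),     # deny: no rule for SSH
        Flow("10.10.4.77",    "192.168.10.5", "tcp", 502),    # deny: corporate IT -> cell
        Flow("192.168.10.44", "192.168.10.5", "tcp", 502),    # deny: unidentified source
        Flow("10.20.0.4",     "192.168.10.5", "tcp", 44818),  # allow: jump host -> PLC
    ]
    for f in samples:
        verdict, why = evaluate(f)
        print(f"{f.src:>15} -> {f.dst:<15} {f.proto}/{f.port:<5} {verdict:5} ({why})")
```

The ordering of the checks is the point: identity first (an unprofiled device never reaches the rule table), then the structural segmentation boundary, then the role allowlist, with deny as the fall-through. Note that a PLC initiating a connection toward the corporate laptop is also denied, since no rule exists in that direction.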
As part of their zero-trust implementation, organizations should also include multifactor authentication (MFA). With MFA, access is granted only after a user successfully presents two or more pieces of evidence (factors) to an authentication mechanism. One factor is typically something the user knows, such as a password or PIN. A second factor is something the user has, such as a badge or a smartphone. A third kind of factor is something the user is, such as a fingerprint or voice. Because an attacker would have to obtain factors of different kinds, a stolen password alone is not enough to gain access.
Zero Trust is Only the Beginning
Although implementing zero trust is a solid, and highly advised, start, zero trust alone will not detect the full range of cyberattacks. OT organizations should also look to incorporate products, services, and tools that directly meet the operational and regulatory requirements of OT networks and that can operate and survive in the harsh environments common in cyber-physical/OT infrastructure. By choosing OT-focused solutions that are fully integrated with centralized management and a unified, context-aware security policy, giving complete visibility and granular control across the entire organization, OT organizations can reduce their risk and better protect their networks and infrastructure.
Richard Peters is the CISO for Operational Technology, North America for Fortinet Inc., delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities.
Prior to joining Fortinet, he served the U.S. Intelligence Community for more than 37 years imparting cybersecurity and global partnering experience across foreign, domestic, and commercial industry sectors at the National Security Agency (NSA). He led development of cyber capability against Endpoint, Infrastructure, and Industrial Control System technologies at the agency.
Mr. Peters is a repeatedly published OT Security thought leader and a frequent speaker at global industry events. He holds a BS in Electronics Engineering and an MS in Engineering Management from the Johns Hopkins University.