It is a relatively new development: Operational Technology (OT), i.e. the control of production systems, paid little attention to security concepts until recently because the machines were not connected to the Internet. That has changed in the course of digitization, and OT administrators now also have to deal with security questions.
Why Zero Trust for OT?
To what extent is Zero Trust relevant for critical infrastructures (Kritis) and operational technology? To answer this question, take a look at the definition. Cyberpedia describes Zero Trust as follows: “Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from a company’s network architecture. Zero Trust is based on the principle of ‘never trust, always verify’ and is intended to protect modern digital environments by using network segmentation, preventing lateral movement, preventing threats on Layer 7 and simplifying granular user access control.”
The primary goal of cybersecurity for critical infrastructure is to prevent harmful physical impact of cyberattacks on assets and the loss of critical services, and to protect the health and safety of people. Nonetheless, the Zero Trust principles are very important here. It is becoming increasingly clear that critical infrastructures (Kritis, CI) with OT are ideal candidates for Zero Trust because of their defined purpose and the correspondingly predictable network traffic (as well as the fact that they often remain unpatched over long periods of time and are therefore vulnerable).
Five Steps to Realizing Zero Trust in Critical OT Infrastructures
Below are five steps from Palo Alto Networks to achieving zero trust in critical OT infrastructures and some of the OT-related considerations for each step:
Step 1: Define the surface to be protected
In this step, the “crown jewels” that are critical to the operation of the company are identified. IT and OT teams should work together to identify these protect surfaces, which can encompass entire systems/networks in control centers, substations, power plants, manufacturing facilities, or factory floors. They can also be defined more narrowly, e.g. as specific distributed control systems (DCS), production lines or even specific automation servers or PLCs. Risk-based prioritization of the areas is crucial, as it is impractical to try to secure every facility with the limited resources available. In the early stages of a Zero Trust implementation, the protect surface may need to be defined at a coarser level (e.g. DCS) rather than at the device level (e.g. PLC) in order to make progress.
Step 2: Mapping the transaction flows
The next step is to understand the transactions to and from the protect surfaces. For example, an outside support engineer in one control center may interact with systems in other backup control centers and substations. He may only access certain systems in a subset of substations that are equipped with that third-party vendor’s devices. In addition, systems engineers may find that only certain OT protocols and network utilities such as DNP3, ICCP, and HTTPS are used during normal business hours. The next-generation firewall (NGFW), with its deep packet inspection functions, is used to gain visibility into OT/IIoT applications, protocols and devices as well as users. In addition, the NGFW can be deployed passively to make this learning process more comfortable for risk-averse operations teams who are reluctant to put new technology inline until they are more familiar with its benefits.
Step 3: Building a Zero Trust Network for OT
Once the transaction flows are well understood, the actual zone scheme can be defined, which enables the correct inline controls and the defense against threats. The segmentation gateway or conduit, which is used to create the zones and enforce the inter-zone policy, is again implemented by the NGFW. For the example in step 2, the zone architecture can include the primary control center, the backup control center and separate zones for the various substations. Finer zoning may be necessary within each of these zones, depending on the system definition, risk assessment and transaction flows. Think of an unsupported Windows XP HMI that needs to be hardened to reduce cyber risk. Again, it is important to strike a balance between managing risk and limiting operational complexity. Risk-based approaches such as Hazard and Operability (HAZOP) studies can help determine the degree of segmentation required. When retrofitting brownfield environments, the inline deployment modes provided by the NGFW, such as Layer 2 VLAN insertion and the transparent virtual wire (vwire) mode, can be applied with minimal disruption.
Step 4: Creating the Zero Trust Policy
This step deals with codifying the granular rules in the NGFW. It uses the Kipling Method to determine the who, what, why, when, where and how of the policy. The NGFW policy engine is also used to set up application controls, role-based access, device policies and threat mitigation via the App-ID, User-ID, Device-ID and Content-ID technologies. Returning to the previous example, the Kipling method and the NGFW ensure that an external technician (who) is allowed to use the DNP3 and HTTPS protocols (what) to a remote telemetry unit in the substation (where) between 5 p.m. and 7 p.m. (when) in order to monitor and manage it (why). In addition, the decryption and threat services provided by the NGFW can be coupled with the access control policy in order to identify and stop any malicious traffic that may have slipped in through this permitted traffic.
Step 5: Monitor and Maintain the Network
As thorough as one may be in the planning phases, certain transactions may have been overlooked because they were not considered over the entire operating life cycle of the OT systems. In addition, the OT environment, as static as it may be, can still change, and with the introduction of a digital transformation project such as 5G, even considerably. It is therefore important that the inventory of protect surfaces and transactions is updated regularly and that the associated zoning and policy schemes are adapted where necessary. Again, the NGFW, with its granular visibility and ML functions and services (such as the Policy Optimizer for fine-tuning application policies and the IoT Security Service for inventorying assets and optimizing device policies), is invaluable for this process of monitoring the network and maintaining Zero Trust.
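To make steps 3 to 5 concrete, here is an added example (not Palo Alto Networks’ code or a real NGFW policy format) that models the zone scheme from step 3, encodes the step-4 technician rule along the Kipling questions with an implicit default deny, and replays observed flows against the policy as the step-5 review. Zone names, address ranges, user groups and application names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Zone scheme from the step-3 example; the address ranges are constructed for illustration.
ZONES = {
    ipaddress.ip_network("10.1.0.0/16"): "primary-cc",
    ipaddress.ip_network("10.2.0.0/16"): "backup-cc",
    ipaddress.ip_network("10.50.0.0/24"): "substation-a",
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the scheme is 'unknown' (untrusted)."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in ZONES.items() if addr in net), "unknown")

# One rule per Kipling question: who (user group), what (application set),
# where (source zone -> destination zone), when (zero-padded "HH:MM" window, so plain
# string comparison orders correctly), why (justification), how (enforcement applied).
Rule = namedtuple("Rule", "who what src dst start end why how")
Flow = namedtuple("Flow", "user app src_ip dst_ip at")

# Step-4 example: the external technician gets DNP3 and HTTPS to the substation RTU
# between 17:00 and 19:00 only, with decryption and threat inspection on the allowed flow.
POLICY = [
    Rule("vendor-technicians", {"dnp3", "https"}, "primary-cc", "substation-a",
         "17:00", "19:00", "remote RTU maintenance", "allow+decrypt+threat-profile"),
    Rule("scada-operators", {"dnp3", "iccp"}, "primary-cc", "backup-cc",
         "00:00", "23:59", "control-centre replication", "allow+threat-profile"),
]

def evaluate(flow: Flow) -> str:
    """Return the matched rule's enforcement, or 'deny': with no explicit match, Zero Trust denies."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for r in POLICY:
        if (flow.user == r.who and flow.app in r.what and src == r.src
                and dst == r.dst and r.start <= flow.at <= r.end):
            return r.how
    return "deny"

def audit(flows: list) -> list:
    """Step 5: replay observed flows and return the ones the policy would deny, so that
    overlooked transactions surface for review instead of being silently permitted."""
    return [f for f in flows if evaluate(f) == "deny"]
```

Flows that fail any single Kipling dimension (wrong application, wrong zone pair, outside the window) fall through to the default deny, and audit() lists them for the regular review of the zoning and policy scheme.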
Zero Trust for CI / OT is a journey
The path to achieving Zero Trust in CI / OT can seem overwhelming, so it is important to remember that implementing a Zero Trust architecture does not have to be all-in from the start. Organizations can begin implementing Zero Trust at the IT/OT boundary. Once they are comfortable with this, they can move on to the lower layers of the OT. Finally, they can apply the same Zero Trust approach to secure their advanced OT infrastructure in public clouds, 5G networks, and even secure access service edge (SASE) connections, with consistency and centralized management.