Is OT the best place to start your Zero Trust Journey?

With more than 75% of organizations planning or deploying Zero Trust, the question comes up frequently on where should an organization start? Many vendors will tell you that Identity/MFA or Zero Trust Network Access (ZTNA) is the best place, typically based on their unique offerings. But like most things in cybersecurity, the right answer depends on where the business or organization has the most risk. Energy, Manufacturing, Transportation, Utilities, Process Industries, and Healthcare all have increased decencies on Operational Technology (OT) environments. Industry digitization has increased the attack surface and the deeper integration between IT, Cloud and industrial networks is creating many security issues that are now becoming the primary obstacles to industry digitization efforts. Not to mention the increased attacks, targeting critical infrastructure makes OT environments a perfect candidate to start your organization zero trust journey.

Characteristics of OT Environments​

Many IT security professionals know the ins and outs of how workstations and mobile devices work and communicate, but when it comes to OT, all bets are off on the behavior and security of the devices. Here are some of the top differences between IT and OT devices:

• Longer technology lifecycles: It isn't uncommon to find Windows XP with SMBv1 in many organizations’ OT environments.
• Environments are very static and see infrequent changes: Unlike the agile nature of modern IT, in OT you will find statically addressed IP addresses are typically and it is normal to see large layer 2 domains for simplicity. 
• Downtime and maintenance windows are less accepted: As a result, it is common to find decommissioned assets still connected. Updates and patches are harder to deploy
• Applications and Protocols: Many of the OT Vendors utilize different protocols, some of which are proprietary and some that are not even IP, but most are very different than what you see in IT. The protocols you must support are based on the manufacturer (e.g. Eaton, Emerson, General Electric, Honeywell, Mitsubishi, Rockwell Automation, Schneider Electric, Siemens, etc.) and how they have standardized or built their OT/IOT product/solution.
  • Example list of protocols supported by Cisco Cyber Vision
• Workers are often less aware of cybersecurity: Many professionals are experts in their specific field and technology, but because they do not have a cybersecurity background, you find many challenges:
  • Default credentials used to log into systems
  • Unpatched security vulnerabilities
  • Unauthorized remote access by subcontractors.
• Impacts of cybersecurity incidents are more serious: Risks of cyber incidents involving OT include injury, deaths; or damage to environments. 
• OT networks are increasing fully interconnected with IT: IT and OT organizations merging provides CIOs and CISOs enhancements that can be game changers to the business, but open threat vectors and increase risk. Many OT devices have been documented having unnecessary network communications(DNS queries to external servers) and excessive privileges. Extending IT security to OT requires specific skills, capabilities, and the right architecture.

Organizations with OT have to ensure, business continuity, the resilience of their production system, the safety of their operations, and compliance with regulations (NIS, NERC CIP, etc)  This leads to the absolute need to implement cyber security best practices at the plant or process level. In 1990, a consortium of experts developed an approach to industrial network configuration design called the Purdue Enterprise Reference Architecture (Purdue Model) to keep an organization's vital OT, ICS, and SCADA systems and equipment segregated from IT. The Purdue Model was predicated on the concept of segmentation and isolation — grouping like systems together to enable the right balance of performance and security at all levels of an organization's business operations. While many organizations still leverage the Purdue Model, it was built before the world became connected and before data-driven organizations realized they could utilize the Internet for better business efficacy and OT outcomes.

Zero Trust for OT Environments​

Zero Trust is a security strategy focused on removing implicit trust, enforcing least privilege, and assuming compromise. Zero Trust Architecture can be leveraged to apply zero trust principals(See Figure 1) to OT Environments. Zero Trust in OT environments enhances visibility, provides operational insights, reduces risk, and detects anomalies and malicious activities.

Remove Implicit Trust​

Asset and application discovery should be used to identify all of your OT assets to give your organization the situational awareness and visibility in order to remove implicit trust. The same information also allows for risk assessment of OT environment. Knowing your assets and application flows is the first easy step in allowing your organization to:

• Locate unknown devices
• Who/What is connecting to my OT environment
• Identify vulnerable devices to patch
• Spot unwanted communications
• Determine the level of criticality of devices
• Visibility into communication patterns (***Critical Step to Enforcement, See Figure 2)
• Fine-tune asset configurations

Ensuring you have the correct architecture and tools in place to remove implicit trust is critical to success. Without the granular detailed visibility into users/devices/networks/applications, enforcing policy can cause more harm than it prevents.

Enforce Risk-Based Least Privilege​

Least Privilege or Need to Know are common terms to describe only allows the minimal level of access to resources. By enforcing least privilege you are effectively reducing the attack surface minimizing risk, and preventing threats from spreading. The following are the top 3 use cases for least privilege policy in OT environments:

• Enforce micro-segmentation policies: Extend software-based segmentation policies to your OT devices. Policies are applied dynamically based on zones and conduits defined by OT teams. ISA/IEC 62443 introduces the concepts of “zones” and “conduits” as a way to segment and isolate the various sub-systems in a control system. A zone is defined as a grouping of logical or physical assets that share common security requirements based on factors such as criticality and consequence.
• Apply least privilege to firewalls: using visibility and deep-packet inspection to ensure conformance to IT/OT application/protocol standards and minimal access/privilege.
• Secure remote access to OT networks and devices: Empower OT teams to perform critical day-to-day operations on remote or distributed industrial equipment easily and securely. Whether its VPN, ZTNA, or secure remote desktop protocols, least privilege should be used to minimize risk and threats.

Assume Compromise​

Assuming compromise ensures defensive technologies and mitigating controls are in place when a breach or compromise occurs. With Zero Trust for OT, organizations can minimize their attack surface and limit the blast radius of the compromise, in effect, limiting an attacker's ability to find the path of least resistance and quickly move across a compromised network.  In our previous blog, The Role of Zero Trust in Ransomware Defense, we discuss the concepts ad nauseam. Along with proactive approaches with least privilege, organizations can choose to utilize other techniques like Cisco's Rapid Threat Containment, which allows for immediate response actions and change in privilege based on an incident or compromise. Implementing a zero trust architecture enables organizations to contain the damage of compromise, reducing the scope, and limiting the extent to which an incident can cause damage.

Reference Architecture: Fully Integrated IT + OT Security Solution​

Cisco has invested heavily into ""building a bridge"" between IT & OT teams which enables zero trust from cloud to the edge(industrial/OT network). With Cisco's Cyber Vision Sensors embedded into industrial network equipment and integrating application data, OT Context/Asset Data, and Enforcement Policies(Cisco ISE and Cisco Firepower), this architecture delivers the integrated capabilities to simplify your transition to zero trust. Figure 3 illustrates the sharing of information between systems.

Along with policy enforcement, this architecture provides converged threat investigation and remediation by adding OT security events and context to your security operations center (SOC), so that you can build a truly converged IT/OT security strategy. Give your IT SOC visibility into your OT network. Enrich OT security events with threat intelligence from your other security tools. Build playbooks to orchestrate remediation without disrupting OT processes. Figure 4 shows a OT Security event in Cisco SecureX.

Summary​

Yes, OT could be the best place to start your Zero Trust journey and could reduce the largest area of risk for your organization. At ModernCyber, we are passionate about simplifying and accelerating Zero Trust adoption & journeys.. For a full demonstration or to talk through your journey, strategy, or architecture: Schedule a meeting to speak with one of our Zero Trust experts.