Zero Trust, otherwise known as zero trust architecture (ZTA), is a shift in how we think about security. Zero trust is the concept of centralising policy control, limiting lateral movement throughout the organisation, changing from traditional edge boundaries to fine-grained segmentation, and providing least privileged access to resources based on context. This shift means that organisations need to treat their assets, whether they are machines, people, or data, differently than before.

Organisations should limit the visibility of resources on the network through dynamic identity-based policies rather than providing broad access to large areas of the network and relying on user authentication only. As a result, the evolution to zero trust significantly reduces cyber risk for an organisation.

In a recent discussion with Jack Freund, Head of Methodology at VisibleRisk, and co-author of the book “Measuring and Managing Information Risk: A FAIR Approach”, Jack said, “I’d be willing to estimate that a relatively proficient threat actor leveraging a compromised endpoint to exfiltrate data or disable critical business services faces an additional 20%-70% level of difficulty in achieving their goal, depending upon how well configured and ubiquitous the ZTA is”. He says that “OT really should be zero trust by default, else the loss potential will skew towards worst-case outcomes.”

However, the recent push to adopt zero trust across industries is focused mainly on information technology (IT) and remote workforces, rather than the entire organisation, including any operational technology (OT) in use. This leaves a significant portion of the organisation unprotected and at risk.

While many cybersecurity programs are indeed IT-centric, the vast majority of what drives a company’s bottom line may be the infrastructure that manufactures products, operates data centres, cools buildings, and manages physical access to facilities and even shuttles people and products around the world in planes, trains, and automobiles. This infrastructure is known as operational technology and should not be left out of the equation when considering cyber risk to an organisation.

Consider this: if a ransomware attack happens in the building management systems, causing the air filtering systems in a semiconductor fab to go offline, this may cause production to shut down, ultimately affecting the company’s productivity and profitability. OT risks are real and should be addressed with as much importance as IT risks.

When identifying cyber risks in the organisation, it’s important to consider these additional questions:

  • What visibility does your security organisation have into what is going on in the OT networks?
  • Are OT networks physically separate or connected to IT networks?
  • What risk does that connectivity, or lack thereof, pose?
  • Who has access to the OT networks?
  • Do you know what vendors are really doing with your data?
  • What security measures do vendors take when they connect to your OT networks?

Before you can control access to a resource – whether it's data, a computer, or a piece of machinery – you need to know as much about that resource as possible. You can’t control what you don’t know about, and you can’t develop access policies if you don’t understand how it works on the network and where in the network it is connected. OT networks and devices are vastly different from traditional IT network devices. They can utilise specialised protocols, communicate over non-traditional networks, and sometimes even need to “phone home” to their vendors to function.

This creates many challenges for security organisations, especially when utilising traditional IT security tools to manage OT environments. Traditional IT security tools can be invasive and cause issues within OT networks, potentially affecting productivity. In many cases, specialised tools are a must.

Moreover, many organisations are trying to move their computing resources out to the public cloud. While this makes economic sense, especially when considering the rapid ability to scale, cloud migration poses an additional risk to security within the OT environments. Without proper architecture and tooling, the risk may be quite significant.

When developing their security architecture, security needs to consider all environments, whether cloud, on-premises IT, OT, remote workers or even third parties such as contractors and vendors. Leaving out one of these areas can significantly impact the organisation when hit with a security event.

No executive, board of directors or shareholder wants to hear that revenue was impacted because a section of the network was left unprotected – no matter how big or small. Work with your plant and facilities managers to develop an understanding of the difference between your IT and OT environments, and how the policies should be applied without impacting production capacity.

Tools from companies like Armis, Claroty and others, are specifically designed with OT security in mind. They are specifically designed to map out the infrastructure, monitor for behaviour anomalies, and control access. These types of tools are an essential component of a comprehensive zero-trust strategy that encompasses both the IT and OT environments.

Security has and will continue to evolve. Zero trust will evolve with it. Developing a clear strategy and adopting today’s zero-trust principles in (both) your IT and OT environments can help your organisation be more flexible and reduce the risk of outages and downtime significantly. 

This article was first published on 16 November 2021 by Help Net Security.