In the second edition of this two-part series on OT network security, the popular term “zero trust architecture” is fully broken down into individual devices that together take both an offensive and defensive approach to securing an OT network.
Zero Trust Architecture: An All-Encompassing Term for a Defensible OT Network
While the term “zero trust” has become popular within the field of operational technology (OT) network security, its meaning stems from the evolution of ever-increasing network security measures that have had to be implemented in response to increasingly complex threats. As the threat frequency and sophistication of a breach has increased, security measures have also had to increase in lockstep, assuming less and less trust for devices operating on the network. At this point in time, the most robust network design always assumes the worst – trusting absolutely nothing attempting to access an OT network until full authentication has occurred, and regularly interrogating devices currently on the network, as if they’ve become malicious. Trust no device, at any point in time – zero trust.
In this model, full identification and credentialing occurs on a continual basis. Traffic monitoring is continual, access is limited, and no safe perimeter is assumed. It is a different, nearly inverse approach than that which is normally implemented within an IT network, which assumes a “safe zone,” and primarily defends that zone at its perimeter. The zero-trust approach requires a collection of network components and software solutions, each doing their own task that collectively keeps the network secure.
Some components monitor data; some log events; some actively interrogate existing devices using the network to authenticate themselves and prove their credentials; another provides “backdoor” access to a network, a needed gateway in the event of a network failure. The combined effect of all these devices is that the network is secured through both offensive and defensive techniques.
OT Zero Trust: Core concepts
Zero Trust as a security paradigm is centered on data or resource protection and is based on the idea that trust should never be taken for granted and must always be assessed.
According to The Zero Trust Maturity Model, a zero-trust strategy is made up of 5 pillars:
- Identity
- Devices
- Networks
- Applications and Workloads
- Data.
An end-to-end strategy for protecting corporate resources and data, zero trust architecture covers identity (both human and non-human entities), credentials, operations, endpoints, hosting environments, and the network infrastructure. Limiting access to resources to those who truly need them and only granting the bare minimum of rights (read, write, and delete, for example) will help ensure that the mission is completed. While there are variations on the zero-trust strategies one could effectively utilize, an effective OT zero-trust implementation should be closely aligned to the CISA Zero Trust Maturity Model.
No implicit trust: Validate every user & every device.
This fundamental shift ensures that trust is earned, not assumed, as each user and device undergo thorough validation. Following an initial IT/OT Assessment, the spotlight turns to validating every interaction within the operational ecosystem. With the aid of advanced tools and protocols, system integrators meticulously authenticate users and devices, leaving no room for unauthorized access. By enforcing rigorous validation at every step, organizations fortify their digital landscape against potential threats, ensuring a secure and resilient operational environment.
The main objective of this definition is to prevent unauthorized access to data and services while enforcing access control at the most granular level feasible. In other words, only subjects who have been granted permission (a user, application, or service, and device) can access the data, excluding all other subjects (i.e., attackers).
Micro Segmentation: Transition from a flat network to a zero-trust network
To summarize, micro-segmentation is a strategic approach to network security in operational technology (OT) environments that aims to improve protection and control by dividing the network into smaller, isolated segments. OT micro-segmentation is closely aligned with the Zero Trust model because it implements granular access controls and segmentation policies within operational technology environments, enforcing the principle of least privilege and reducing the attack surface, thereby improving overall security posture.
The Purdue Reference Model and the ISA 62443 Design are both appropriate frameworks for this project. The Purdue Reference Model is a hierarchical framework that classifies network communication into five levels. The model allows for the implementation of OT security measures in an automated manufacturing network environment. The highest levels (four and five) are associated with management-related data flow and connectivity. Level 5 connects the network to the outside world. In contrast, level 0 is where local production devices communicate with one another during normal operations. Northbound/southbound traffic refers to network traffic that moves up or down a level, whereas eastbound/westbound traffic refers to traffic that remains on the same level.
Strategize your future: An IT/OT Assessment can help support the planning phase.
Automating the discovery of OT network inventory & mapping is the first technical step in the assessment process. Defining and laying out the devices on the system begins the process of securing the network. While a variety of tools and strategies can be used to complete this type of inventory of devices, an IT/OT assessment, commonly completed by a system integrator, will provide this full description and network layout as it currently exists.
To perform this analysis, an integrator may use passive or smart polling software for discovering asset data as well as network infrastructure monitoring use cases. While connected to the network, this software will determine all the connectivity within the network and generate an asset inventory list with firmware, IP address, make/model data including a topology diagram of the data connections of everything that uses the network to communicate.
Identify Asset Values: Crown Jewels
Following the initial steps of an assessment, the next critical phase entails performing a crown jewel analysis. This analysis focuses on identifying and prioritizing the most critical assets in the operational environment. These assets, known as “crown jewels,” serve as the backbone of industrial operations and must be protected at all costs. System integrators can use automated discovery tools and strategies, such as passive or smart polling software, to meticulously map out the OT network infrastructure and compile a detailed asset inventory. This inventory includes critical information such as firmware details, IP addresses, and device models, as well as a comprehensive topology diagram that depicts data connections. With this understanding, organizations can strategically fortify their crown jewels against potential cyber threats, ensuring the resilience and security of their operational infrastructure.
Ensure that Remote Access is Secure: MFA/PAM
In fortifying remote access mechanisms within OT networks, organizations can enhance security through the adoption of Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) solutions. MFA provides an added layer of security by necessitating users to authenticate using multiple factors like passwords, biometrics, or security tokens, thereby mitigating the risk of unauthorized access. Concurrently, PAM solutions play a vital role in upholding the principle of least privilege, granting access solely to authorized users and limiting their permissions based on predefined roles. By integrating MFA and PAM into remote access designs, organizations bolster their security posture, ensuring stringent control over access to critical OT systems and safeguarding against potential threats.
Ongoing Monitoring & Visibility: OT Threat Hunting
When an event occurs within the OT network, this information must be logged, analyzed, and potentially acted upon. This is the job of the Security Information and Event Management (SIEM) system in combination with a Security Operations Center (which is often cloud based). Together, they serve as the central hub of the organization’s cybersecurity strategy, keeping track of events and anomalies within the system and then acting upon any detected threats.
The job of a threat hunting engine, usually situated at level 3 on the OT network, is to proactively monitor for malicious data that could be a security threat traveling on the network. Recall that the zero-trust strategy assumes any device, at any time, can become malicious. In general, this type of engine will create hypotheses based on available normal data patterns within the network, as well as knowledge of current threat intelligence. From there, those hypotheses will be investigated by the engine to detect and then address potential security threats.
As an example, a threat hunting engine will constantly interrogate devices on the network for their credentials and compare them with those of known OT assets. Only known assets are permitted to communicate on the network, within their specifically allocated security level. In addition, a threat hunting engine will scan for known OT/ICS specific threats. To robustly secure an OT network, all levels, and directions of traffic within the Purdue model must be monitored, as if an attack has already occurred, to reduce its reach.
Remain in Operation amid an Attack
The concept of zero trust architecture has become critical to securing operational technology (OT) networks. As cyber threats continue to evolve, companies must take a proactive approach that trusts nothing and always assumes the worst. This approach involves continuous identification, authentication, and monitoring of devices on the network. To implement zero trust, it’s essential to start with an IT/OT assessment to understand the network’s layout.
In an era of increasing cyber threats, the possibility of an attack must not be considered as an “if,” but rather, as a “when.” With a fully implemented zero trust environment, the breadth and reach of an attack vector is reduced to only the device that has been breached. The result is that the plant remains in operation during an attack and the remediation process – a best case scenario for an otherwise devastating event.
Click Below to read Part One of this blog series
Learn more about our cybersecurity expertise
If you’re interested in implementing a zero-trust architecture at your facility, complete the form and we will be in touch to see how we can help.
Begin Your Journey to Industry 4.0
Download our Beginner’s Guide to IT/OT Assessments to gain an understanding of what an IT/OT Assessment is, its benefits, and how to get started today.