Critical infrastructure, from power systems and water supply to transportation and supply chain operations, remains a prime target for cyber attacks. These systems are vulnerable not only because of their distributed nature but also because their operations are typically difficult to secure. Operational technology (OT) and industrial control systems (ICS) environments frequently lack built-in security controls, connect over multiple networks, and require remote access to physical assets. Successful infiltration can result in shutdowns, reputational harm, environmental damage, and even loss of lives.

As cybersecurity leaders at these organizations look to secure critical systems, a zero-trust model naturally arises as a solution. In fact, 100% of OT cybersecurity leaders have plans to adopt zero-trust. Despite this promising statistic, persistent, long-held notions around zero-trust give practitioners pause. These include the belief that zero-trust cannot be combined with additional layers of protection, and the belief that adopting it requires an entire overhaul of existing equipment. Both ideas, while born out of valid concerns, are misconceptions that recent cybersecurity innovations allow us to lay to rest.

Zero-trust and defense-in-depth

Popularized by John Kindervag, a former Forrester analyst, zero-trust only grants access to the specific data, assets, devices and systems needed for tasks based on verified identities. While federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration (TSA), point to zero-trust strategies in evolving security guidelines, lingering confusion remains on zero-trust implementation.

Today, traditional perimeter-based security models (castle-and-moat) have become less relevant, especially for converged IT and OT systems. Prior to zero-trust, a defense-in-depth (DiD) strategy was used to enhance perimeter security: DiD meant building more and more layers of protection through tools like firewalls and jump boxes. The thinking was that the more layers were created, the better protected the system. Yet bad actors were still getting inside and could spread laterally within zones, leading to increased interest in zero-trust.

The first misconception that we should lay to rest: the idea that organizations can’t have zero-trust alongside defense-in-depth. Some security leaders believe that we need to remove security layers to adopt zero-trust. They understand they’ll receive secure identity-based authentication, authorization, and granular access control with zero-trust, but they fear that if it fails (a hacker compromises one password and account), then they may lack fallback protections. The most resilient cybersecurity approaches combine zero-trust and DiD. What’s more, we can deliver zero-trust and DiD on top of current network architectures and equipment.

For example, power generation turbine assets, if compromised, could cause power shortages and widespread disruption. Current asset protocols include DNP3, Modbus, and others, which lack built-in access control methods. A zero-trust approach eliminates all unnecessary interactions with the asset, as only authorized users and applications receive access. Yet it is risky to expose these assets to a flat network. Delivering zero-trust with DiD requires a multi-layer approach in which the identity of a user or asset is independently reconfirmed when crossing each layer or zone boundary. Essentially, the more critical the asset, the more layers of defense are required. This can look like:

  • Layered authentication, including multi-layer MFA, to minimize the risk of compromised identities.
  • Layered protocol and session breaks to protect insecure protocols. 
  • Layered filtering to minimize unnecessary network traffic that could potentially limit the available bandwidth for critical operations. 
  • End-to-end message integrity and authenticity validation to protect against spoofing and injection.
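To make the four layers above concrete, here is an added illustration (not code from the article or from Xage) of a policy enforcement point sitting in front of a Modbus/TCP asset: identity is reconfirmed at each zone boundary, the frame's integrity tag is verified end-to-end, the frame is decoded and re-originated (a protocol break), and only allow-listed function codes per identity and unit are forwarded. All identities, session tokens, the key and the policy are constructed for the example.

```python
import hmac, hashlib, struct

# Everything below is constructed for illustration: hypothetical identities, session tokens, key and policy.
ZONES = ("enterprise", "site", "cell")          # layers crossed on the way to a turbine controller
SESSIONS = {                                    # per-zone sessions, each issued after MFA at that layer
    "enterprise": {"operator-alice": "ent-7f3a", "engineer-bob": "ent-91c0"},
    "site":       {"operator-alice": "site-2b8e", "engineer-bob": "site-44d1"},
    "cell":       {"operator-alice": "cell-a0f2"},   # bob holds no cell-layer session
}
POLICY = {                                      # identity -> Modbus unit id -> permitted function codes
    "operator-alice": {1: {3, 4}},              # read holding / input registers only
    "engineer-bob":   {1: {3, 4, 6, 16}},       # may also write registers on unit 1
}
INTEGRITY_KEY = b"constructed-overlay-key"      # shared by the overlay endpoints, never by the asset

def parse_modbus_tcp(frame):
    """Decode a Modbus/TCP ADU: 7-byte MBAP header (tid, protocol id, length, unit) plus PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def wrap(frame, key=INTEGRITY_KEY):
    """Overlay envelope: append an HMAC-SHA256 tag so spoofed or altered frames are detectable."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()

def unwrap(blob, key=INTEGRITY_KEY):
    """Verify and strip the tag; refuse anything altered or injected in transit."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise PermissionError("integrity check failed")
    return body

def mediate(identity, tokens, blob):
    """Policy enforcement point in front of the asset. Returns (allowed, reason, frame_to_forward)."""
    for zone in ZONES:                          # identity reconfirmed at every boundary, not only the first
        token = tokens.get(zone)
        if token is None or SESSIONS[zone].get(identity) != token:
            return False, f"identity not verified at {zone} boundary", None
    try:
        frame = unwrap(blob)                    # end-to-end integrity before any parsing
        request = parse_modbus_tcp(frame)       # protocol break: decode here, re-originate towards the asset
    except (PermissionError, ValueError) as err:
        return False, str(err), None
    permitted = POLICY.get(identity, {}).get(request["unit"], set())
    if request["fc"] not in permitted:          # filtering: drop every function code not on the allow-list
        return False, f"function code {request['fc']} to unit {request['unit']} denied for {identity}", None
    return True, "allowed", frame               # only now does a plain Modbus frame reach the device
```

A failed check at any layer stops the request before the raw protocol ever reaches the device, which is the fallback the DiD layers provide if a single credential is compromised.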

Equipment overhauls and cyber mesh

The second misconception that we should lay to rest (still believed by almost half of cybersecurity leaders, 42%) is that adopting zero-trust requires a full equipment overhaul because of the prevalence of legacy technologies in operational environments. In fact, we can deliver technologies that enable a zero-trust security model as an overlay on top of existing systems, for example using a “cyber mesh” architecture.

A cyber mesh creates an individual perimeter around each site, asset, device or data stream. It fuses tools such as identity and access management (IAM), privileged access management (PAM), zero-trust network access (ZTNA), and segmentation with local redundancy for continuous operation. With cyber mesh, leaders at these operations can seamlessly control the interactions between physical assets, users and connected tools to reduce the attack surface. Cyber mesh shows that ripping and replacing current systems isn’t the only way forward; it enables an overlay approach to deployment instead.

Today’s operations need to deliver zero-trust to these cyber-physical assets on top of existing architectures, with layers of protection. Misconceptions slow adoption and continue to leave these systems at risk and vulnerable. It’s crucial that we develop a new understanding of practical zero-trust adoption in operational environments to reach a higher level of protection for the systems we rely on daily.

Roman Arutyunov, co-founder, vice president of products, Xage