Recently, we announced the Zero Trust Enterprise — a comprehensive framework to deploy Zero Trust using what you already have while also developing a clear roadmap. How does this work for critical infrastructure? In part one of our blog series on critical infrastructure (CI) security, we looked at why modernizing critical infrastructure requires security transformation, and we briefly mentioned that a Zero Trust approach is a key component of that transformation. This time, we look at exactly how the 5-step approach to Zero Trust can be applied to critical infrastructure and its underlying operational technology (OT).
I often get asked how relevant Zero Trust is in critical infrastructure and operational technology. To answer that, let's revisit the definition. As described in the Cyberpedia, "Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of 'never trust, always verify,' Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control." The primary objectives of CI cybersecurity are different from those of a typical enterprise: preventing damaging cyber-physical effects on assets, avoiding loss of critical services, and preserving human health and safety. Even so, the principles are highly relevant. We'll see that the purpose-built nature of CI/OT systems, their correspondingly predictable network traffic, and the fact that they often go unpatched for long periods (and so remain vulnerable) make them ideal candidates for Zero Trust.
Let's discuss the five steps and some of the OT related considerations for each step.
The first step, defining the protect surface, involves identifying the "crown jewels" that are critical to the operation of the business. IT and OT teams should work together to identify these surfaces, which could include the holistic systems and networks within control centers, substations, power plants, production sites or factory floors. They could also be defined in granular detail as specific Distributed Control Systems (DCS), production lines, or even specific automation servers or PLCs. Risk-based prioritization of surfaces is critical, as it is not practical, given limited resources, to try to secure every asset. In the early stages of a Zero Trust deployment, the protect surface may need to be defined at a more coarse-grained level (think DCS) rather than at device level (think PLC) to encourage progress.
The second step is to map the transactions to and from the protect surfaces. For example, a third-party support engineer in a control center may be interacting with systems in backup control centers and substations. You may find that they access only certain systems in a subset of substations, namely those that contain that vendor's equipment. Furthermore, you may observe that they use only certain OT protocols and network utilities, such as DNP3, ICCP and HTTPS, and only during normal working hours. In essence, you've identified what is needed for that person to do their job by observing their interactions with the assets. The Next-Generation Firewall (NGFW), with its deep packet inspection capabilities, is used to gain visibility into OT/IIoT applications, protocols and devices, as well as users. The NGFW can also be deployed passively (out of band, with no enforcement) during this learning phase, which makes the process more palatable to risk-averse operations teams who may not be keen on deploying new technology inline without first understanding its value.
With the transaction flows well understood, the third step is to architect the network: define the actual zoning scheme that allows for the proper inline controls and threat prevention. The segmentation gateway, or conduit, that creates the zones and enforces the interzone policy is again realized through the NGFW. For the example in Step 2, the zone architecture may include the primary control center, the backup control center, and separate zones for the different substations. More granular zoning may be required within each of these zones depending on the asset definitions, assessed risk and transaction flows. Think of an unsupported Windows XP HMI that cannot be patched: isolating it in its own zone, with only the flows it actually needs permitted, is how its cyber risk is reduced. Again, it is important to balance risk management against operational complexity; risk-based approaches such as Hazard and Operability studies (HAZOP) can help determine the level of segmentation required. For retrofitting brownfield environments, the minimally disruptive inline deployment modes provided by the NGFW, such as Layer 2 VLAN insertion and virtual wire (vwire) transparent mode, can be applied without re-addressing the OT network.
The fourth step is all about codifying the granular rules into the NGFW. It uses the Kipling Method to establish the who, what, why, when, where and how of each policy rule, and the NGFW's policy engine to establish application controls, role-based access, device policy and threat prevention via App-ID, User-ID, Device-ID and Content-ID technologies. Going back to our example, we use the Kipling method and the NGFW to ensure that a third-party engineer (Who) is allowed to use the DNP3 and HTTPS protocols (What) to monitor and administer (Why) a Remote Telemetry Unit (RTU) in the substation (Where) between 5 PM and 7 PM (When). The How is the enforcement itself: decryption and threat prevention services provided by the NGFW are coupled to the access-control rule so that malicious traffic hiding inside the allowed flows is identified and stopped. Everything not explicitly allowed is denied.
As thorough as one might be in the planning phases, certain transactions may have been overlooked because the full operational life cycle of the OT systems (commissioning, maintenance windows, firmware updates, failover to the backup control center) was not considered. Furthermore, as static as OT is, it still changes, and the changes can be substantial with the rollout of a digital transformation project such as 5G. The fifth step, monitoring and maintaining, therefore requires that the inventory of protect surfaces and transactions be refreshed on a regular basis and that the associated zoning and policy schemes be adapted as needed. Again, the NGFW, with its granular visibility and ML-based features and services (such as Policy Optimizer for fine-tuning application policy and the IoT Security service for asset inventorying and device policy optimization), is invaluable in monitoring the network and maintaining Zero Trust.
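To make Steps 2, 4 and 5 concrete, the following is an added example (not code from Palo Alto Networks or from this blog) that models the same workflow in Python: learn a baseline of who talks to which protect-surface asset with which application and when, turn that baseline into Kipling-style allow rules with default deny, and then run later traffic through the rules to find drift and say which dimension it fails on. The flow records, user names, zone names, asset names and timestamps are all constructed for the example; the application names mirror App-ID style labels but the matching logic is this example's own, not the NGFW's policy engine.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    user: str       # Who   (User-ID style identity)
    src_zone: str
    dst_zone: str   # Where (the zone the protect surface lives in)
    dst_asset: str  # the protect-surface asset (Device-ID style)
    app: str        # What  (App-ID style application name)
    ts: datetime    # When


@dataclass(frozen=True)
class Rule:
    name: str
    who: str
    what: str
    where: str
    asset: str
    when: tuple     # (start_minute, end_minute) of day, inclusive
    why: str
    how: str
    action: str = "allow"


def _minute_of_day(ts):
    return ts.hour * 60 + ts.minute


def learn_baseline(flows):
    """Step 2: collapse passively observed flows into (who, where, asset, what)
    tuples with the earliest and latest minute-of-day seen for each."""
    baseline = {}
    for f in flows:
        key = (f.user, f.dst_zone, f.dst_asset, f.app)
        m = _minute_of_day(f.ts)
        lo, hi = baseline.get(key, (m, m))
        baseline[key] = (min(lo, m), max(hi, m))
    return baseline


def build_rules(baseline, why="vendor monitoring and administration"):
    """Step 4: turn each learned tuple into a Kipling-method allow rule.
    The observed window is widened outward to whole hours so a legitimate
    flow a few minutes outside the sampled times is not denied; anything
    not covered by a rule is denied by default in evaluate()."""
    rules = []
    for i, ((who, where, asset, what), (lo, hi)) in enumerate(sorted(baseline.items()), 1):
        start = (lo // 60) * 60
        end = min(((hi + 59) // 60) * 60, 24 * 60)
        rules.append(Rule(
            name=f"zt-{i}-{who}-{what}-{asset}",
            who=who, what=what, where=where, asset=asset, when=(start, end), why=why,
            how="inline NGFW, decrypt where possible, threat prevention on allowed traffic",
        ))
    return rules


def evaluate(flow, rules):
    """Return ("allow", rule_name) for the first rule matching every Kipling
    dimension, otherwise ("deny", "default-deny")."""
    m = _minute_of_day(flow.ts)
    for r in rules:
        if (r.who == flow.user and r.what == flow.app and r.where == flow.dst_zone
                and r.asset == flow.dst_asset and r.when[0] <= m <= r.when[1]):
            return (r.action, r.name)
    return ("deny", "default-deny")


def explain_deny(flow, rules):
    """Step 5: say which dimension a denied flow fails on, so the operator
    knows whether to re-inventory, extend a rule, or investigate."""
    same_asset = [r for r in rules if r.asset == flow.dst_asset]
    if not same_asset:
        return "unknown asset: not in the protect-surface inventory"
    if not any(r.who == flow.user for r in same_asset):
        return "user not authorized for this asset"
    if not any(r.who == flow.user and r.what == flow.app for r in same_asset):
        return "new application for this user/asset pair"
    return "outside the allowed time window"


def find_drift(flows, rules):
    """Step 5: run new flows through the policy and collect the denied ones."""
    return [(f, explain_deny(f, rules)) for f in flows if evaluate(f, rules)[0] == "deny"]


def _t(day, hhmm):
    # Constructed timestamps; the month and year are arbitrary.
    h, m = hhmm.split(":")
    return datetime(2021, 5, day, int(h), int(m))


# Constructed learning-phase flows: one vendor engineer seen from the control center.
LEARNING_FLOWS = [
    Flow("vendor_eng1", "control-center", "substation-a", "rtu-a1", "dnp3", _t(3, "17:15")),
    Flow("vendor_eng1", "control-center", "substation-a", "rtu-a1", "dnp3", _t(4, "18:30")),
    Flow("vendor_eng1", "control-center", "substation-a", "rtu-a1", "ssl", _t(4, "17:40")),
    Flow("vendor_eng1", "control-center", "substation-b", "rtu-b1", "dnp3", _t(5, "17:05")),
    Flow("vendor_eng1", "control-center", "substation-b", "rtu-b1", "dnp3", _t(6, "18:50")),
]

# Constructed monitoring-phase flows: one expected, four kinds of drift.
MONITORING_FLOWS = [
    Flow("vendor_eng1", "control-center", "substation-a", "rtu-a1", "dnp3", _t(10, "18:10")),
    Flow("vendor_eng1", "control-center", "substation-a", "rtu-a1", "ssh", _t(10, "18:10")),
    Flow("vendor_eng1", "control-center", "substation-a", "rtu-a1", "dnp3", _t(11, "02:30")),
    Flow("vendor_eng1", "control-center", "substation-c", "plc-c7", "dnp3", _t(11, "18:00")),
    Flow("contractor2", "control-center", "substation-a", "rtu-a1", "dnp3", _t(12, "18:00")),
]

RULES = build_rules(learn_baseline(LEARNING_FLOWS))

if __name__ == "__main__":
    for r in RULES:
        print(r.name, "allow", r.when)
    for f, why in find_drift(MONITORING_FLOWS, RULES):
        print("DENY", f.user, f.app, f.dst_asset, f.ts.strftime("%H:%M"), "->", why)
```

The denied flows are the Step 5 work queue: an unknown asset means the protect-surface inventory is stale, a new application or user means a rule may need extending after review, and an off-hours flow from a known user with a known application is the one most worth investigating before any rule is touched.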
The path to realizing Zero Trust in CI/OT can seem overwhelming, so it's important to remember that deploying a Zero Trust architecture doesn't have to be "all in" from the start. You can begin by implementing Zero Trust at the IT-OT perimeter. As you get more comfortable, you can then move into the lower layers of OT. Finally, using the framework you established, you can apply the same Zero Trust approach to secure your extended OT infrastructure in public clouds, 5G networks and even secure access service edge (SASE) connections, with consistency and central management.
This blog was intended to highlight the relevance and benefits of Zero Trust in critical infrastructure. Hopefully this awareness triggers a journey of learning to better understand what Zero Trust is and how it can help you better protect your critical infrastructure. To that end, read this white paper on Zero Trust Enterprise (ZTE), a strategic approach to cybersecurity that simplifies and unifies risk management under one important goal: to remove all implicit trust from every digital transaction. For a more detailed view of Zero Trust for OT, read how a Zero Trust approach for OT aligns with the ISA/IEC 62443 standard.