How can ‘zero trust’ help secure the operational technology environment?

Photo by ThisIsEngineering on

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Akshay Joshi, Head of Industry and Partnerships, Centre for Cybersecurity, World Economic Forum, Mansur Abilkasimov, VP Cybersecurity Governance & Strategy Deputy CISO, Schneider Electric

  • Many organizations across industries are shifting towards the zero trust security model to strengthen their respective network security and improve cyber resilience across industries.
  • However, the deployment of zero trust in operational technology (OT) systems is often overlooked. Much of the discussions on zero trust primarily focus on the information technology (IT) environment.
  • To successfully deploy zero trust in the OT environment and respond to the changing threat landscape, organizations should consider adopting best practices.

Recent developments and changes in cyberspace such as the rise in cyber threats, the shift to hybrid work and the ability to bring your own device to the work environment have increased discussions around the need to improve the overall cybersecurity posture across organizations. Zero trust has emerged as both a potential solution and a challenge creating confusion in cybersecurity circles about its efficacy.

What do zero trust and operational technology stand for?

Oftentimes, zero trust is wrongly regarded as the silver bullet or a single technology that will provide a solution to all cyber risks and vulnerabilities in an enterprise. In an attempt to demystify the notion of zero trust and provide more clarity around its actual meaning, the World Economic Forum’s Centre for Cybersecurity defined zero trust as a “principle-based model designed within a cybersecurity strategy that enforces a data-centric approach to continuously treat everything as an unknown – whether a human or a machine – to ensure trustworthy behaviour”.

While the development and implementation of zero trust in the information technology (IT) environment dominates much of the conversation, the deployment of zero trust in the operational technology (OT) environment remains relatively overlooked until now.

OT refers to technologies which control and monitor industrial infrastructure and manufacturing equipment. In essence, this kind of technology consists of digital devices that interact with physical objects in order to keep factories, manufacturing equipment, power facilities and such operational.

Why does zero trust matter for OT?

According to a survey issued by Skybox Security in 2022, 83% of respondents said that they suffered at least one OT security breach in the last 36 months. Such attacks, however, impact different industries to varying degrees. Research shows that the manufacturing industry was by far the most impacted sector in 2021. For comparison, the manufacturing industry faced 61% of the total OT cyber attacks, while the oil and gas industry, as the second most targeted industry, experienced 11% of them.

Considering that 90% of such interruptions need hours or longer to resolve, their cost cannot be overlooked. Another, perhaps more worrisome finding by Gartner suggests that by 2025 malicious cyber attackers could weaponize OT and result in physical damage, potentially causing harm to human life.

What does it take to implement zero trust for OT?

To successfully deploy zero trust in the OT environment and respond to the changing threat landscape, organizations should consider adopting the following three best practices for zero trust:

1. Increase visibility on critical OT assets for better protection

Similar to the IT environment, one of the major challenges in the context of the OT environment is the lack of overview on the thousands of devices connected to an OT network. According to Fortinet, only 13% of organizations have such visibility. One of the reasons why visibility is low is because the OT environment is often widely distributed across diverse geographies and physical sites.

Many organizations still tend to maintain a manual inventory of OT assets using a simple data sheet. Such a practice makes it difficult to ensure the accuracy and completeness of data, which in turn fails to provide a clear picture of procured and disposed assets.

This is why it’s key to automate the management of the inventory and keep a centralized and real-time view of OT assets. A clear overview of resources allows organizations to identify and map vulnerabilities and manage the possible consequence and impact of compromised security.

2. Apply network segmentation in critical areas of your landscape

In an era of rapid digitalization in which a convergence of the IT and OT environment is happening, keeping both secure is a necessity. However, the separation between IT and OT networks helps to prevent lateral trans-network movements when accounting for all devices.

If well-setup, a network segmentation can stop a breach and minimize the overall damage. Nevertheless, if not properly setup, any well-placed insider can open a backdoor to allow the attacker to navigate inside the network.

Isolating these various systems requires the following:

  • A good visibility of the assets in each perimeter
  • A creation of network segments
  • A well-maintained identity-based access control mechanism

Nowadays, the full implementation of zero trust in the industrial environment faces a significant barrier: the readiness of OT from a wide range of perspectives including workforce and technology.

3. Implement access control policies and practices

Both IT and OT worlds have evolved with different identity and access management practices over the years. Diverse practices such as physical access controls, remote connections with or without authentication, etc have been incorporated. The whole spectrum of these practices makes the whole access management topic a daunting challenge.

Nevertheless, authentication of every activity is a must and should not be negotiable. It allows for allocation of more granular permissions and enables the security team to detect unusual activity on any system, a prerequisite for a comprehensive management of the attack surface.

Organizations must define who is given access to systems and information under what conditions, with proper policies deployed at all times and across all those with access.

Access control policies must encompass the following:

  • Determination of who needs access to what specific devices, applications, and networks to gain visibility into asset usage and data flows
  • Limitation of user access rights to only the necessary resources depending on the role of users and devices
  • Continuous and dynamic verification and validation of access for all users and devices to all resources

Security needs to become part of organizational mindset

As many industries embark on the zero trust journey to strengthen their cyber posture, it is important to consider the shift to this security model as a change in organizational mindset rather than an introduction of a single technical solution. Accordingly, it demands a strategic approach to all organizational assets and resources, including OT systems.

Speak your Mind Here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: