Zero Trust strategies need to address OT environments

Industry 4.0
Sheila Zabeu

November 14, 2022

Many organisations across all sectors are adopting the Zero Trust model to strengthen their network security and increase cyber resilience. However, in the view of the World Economic Forum (WEF), applying the concept to Operational Technology (OT) systems is often overlooked, with implementation efforts focusing mainly on Information Technology (IT) environments.

Aiming to contribute to successful implementations that cover both environments, the WEF recently published a document bringing together leading Zero Trust practices.

The World Economic Forum’s Centre for Cybersecurity defines Zero Trust as a “principles-based model developed within a cybersecurity strategy that enforces a data-centric approach to treat everything as unknown (and untrusted) – whether human or machine – to ensure trusted behaviour.”

[Figure: Hype cycle for network security 2021. Source: WEF]

While not a new concept, Zero Trust has recently gained more attention because it was a central element of a 2021 US Presidential Executive Order to improve the country’s cybersecurity posture. The order calls for government agencies to implement Zero Trust as part of measures to modernise cybersecurity approaches. Another factor behind the growing popularity of Zero Trust is the shift to remote working and decentralised virtual environments.

And why is Zero Trust important for OT environments? According to a Skybox Security survey in 2022, 83% of respondents said they had experienced at least one OT security breach in the past 36 months. Other research shows that the manufacturing sector was the most affected in 2021, accounting for 61% of all cyberattacks on OT environments. The oil and gas industry, the second most targeted sector, accounted for only 11%.

The WEF guide highlights that to deploy Zero Trust models in OT environments successfully, three leading practices need to be considered:

1. Increase the visibility of critical OT assets to ensure better protection: Lack of visibility over the thousands of devices connected to OT networks is a significant cybersecurity challenge. According to Fortinet, only 13% of organisations have achieved this level of visibility. One reason for the low visibility is that OT environments are often widely distributed across many geographies and locations.

In addition, many organisations still maintain manual inventories of OT assets, using simple spreadsheets and making it difficult to present a clear, accurate, complete picture of assets.

It is, therefore, essential to automate inventory management and maintain a centralised, real-time view of OT assets so that vulnerabilities can be identified and mapped and possible consequences and impacts of compromised security can be managed.

2. Segment networks into critical areas: Keeping IT and OT environments secure is an unquestionable demand. To prevent lateral movement between these two environments, it is vital to separate your networks.

When properly configured, network segmentation can help deter intrusions and minimise the damage caused by attacks. When it is not correctly configured, however, it leaves openings that attackers can use to move through the network.

In short, isolating networks from one another requires three things: good visibility of the assets within each perimeter, the creation of network segments, and an identity-based access control mechanism.

3. Implement access control policies and practices: Authenticating all activities should be mandatory, ensuring more granular permissions to make it easier for cybersecurity teams to identify unusual activities. It is necessary to define who will have access to systems and information and under what conditions, using appropriate policies for all moments of the user journey.
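The three practices above, worked into a small deny-by-default policy engine, as an added example that is not code from the WEF guide or from any vendor named in the article. It keeps a centralised asset inventory (practice 1), assigns every asset to a network segment (practice 2) and decides each request from the authenticated identity, its role and the source and target segments (practice 3). The asset records, zone names, IP addresses, roles and rules are all constructed for illustration; a real deployment would populate the inventory from automated discovery and take roles and MFA status from the identity provider.

```python
"""Toy Zero Trust policy engine for an OT network (illustrative, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    zone: str             # network segment the asset lives in
    critical: bool = False


@dataclass(frozen=True)
class Rule:
    """Explicit allow: a role may reach dst_zone from src_zone over one protocol."""
    role: str
    src_zone: str
    dst_zone: str
    protocol: str


@dataclass(frozen=True)
class Request:
    identity: str
    role: str             # assumed to come from an authenticated identity provider
    mfa: bool             # whether the identity completed multi-factor authentication
    src_ip: str
    dst_ip: str
    protocol: str


class Inventory:
    """Centralised asset view, assumed to be fed by automated discovery (practice 1)."""

    def __init__(self, assets: Iterable[Asset]) -> None:
        self._by_ip = {a.ip: a for a in assets}

    def lookup(self, ip: str) -> Asset | None:
        return self._by_ip.get(ip)

    def unknown_ips(self, observed: Iterable[str]) -> list[str]:
        """Addresses seen on the wire that no inventory record explains."""
        return sorted(set(observed) - set(self._by_ip))


class PolicyEngine:
    """Deny-by-default decisions based on identity and segment (practices 2 and 3)."""

    def __init__(self, inventory: Inventory, rules: Iterable[Rule]) -> None:
        self.inventory = inventory
        self.rules = tuple(rules)
        self.audit = []   # every decision is recorded: (identity, verdict, reason)

    def decide(self, req: Request) -> tuple[str, str]:
        src = self.inventory.lookup(req.src_ip)
        dst = self.inventory.lookup(req.dst_ip)
        if src is None or dst is None:
            verdict = ("deny", "unknown asset")            # unknown means untrusted
        elif dst.critical and not req.mfa:
            verdict = ("deny", "mfa required for critical asset")
        else:
            verdict = ("deny", "no matching rule")         # nothing is implicitly trusted
            for r in self.rules:
                if (r.role, r.src_zone, r.dst_zone, r.protocol) == (
                    req.role, src.zone, dst.zone, req.protocol
                ):
                    verdict = ("allow", f"{r.role}: {r.src_zone} -> {r.dst_zone}/{r.protocol}")
                    break
        self.audit.append((req.identity, *verdict))
        return verdict


# Constructed sample data: hypothetical assets, addresses and rules.
SAMPLE_ASSETS = [
    Asset("plc-01", "10.10.1.5", "ot-plc", critical=True),
    Asset("hmi-01", "10.10.2.7", "ot-scada"),
    Asset("eng-ws-01", "10.20.0.12", "it-corp"),
]
SAMPLE_RULES = [
    Rule("engineer", "it-corp", "ot-scada", "https"),   # IT may reach the SCADA zone only
    Rule("operator", "ot-scada", "ot-plc", "modbus"),   # only the SCADA zone talks to PLCs
]
SAMPLE_REQUESTS = [
    Request("alice", "engineer", True, "10.20.0.12", "10.10.2.7", "https"),
    Request("alice", "engineer", True, "10.20.0.12", "10.10.1.5", "modbus"),  # IT -> PLC
    Request("bob", "operator", False, "10.10.2.7", "10.10.1.5", "modbus"),    # no MFA
    Request("bob", "operator", True, "10.10.2.7", "10.10.1.5", "modbus"),
    Request("svc-unknown", "operator", True, "10.10.1.99", "10.10.1.5", "modbus"),
]


def build_sample_engine() -> PolicyEngine:
    return PolicyEngine(Inventory(SAMPLE_ASSETS), SAMPLE_RULES)


def evaluate_samples() -> list[tuple[str, str, str]]:
    """Run the constructed requests and return the audit trail."""
    engine = build_sample_engine()
    for req in SAMPLE_REQUESTS:
        engine.decide(req)
    return engine.audit


if __name__ == "__main__":
    for identity, verdict, reason in evaluate_samples():
        print(f"{identity:12} {verdict:5} {reason}")
    seen = ["10.10.1.5", "10.10.1.99"]
    print("unknown devices on the wire:", build_sample_engine().inventory.unknown_ips(seen))
```

Two points the run makes visible: the engineer's direct attempt from the IT zone to the PLC is denied even though the identity is valid and MFA was completed, because no rule joins those segments, and the request from an address missing from the inventory is denied before any rule is consulted, which is why the inventory has to be complete and current. Recording every verdict, not only denials, is what gives a security team the granular picture of normal activity against which unusual requests stand out.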

The WEF document does warn that barriers must be overcome to ensure an exemplary implementation of Zero Trust models in OT scenarios. One is the perception that security can be an obstacle to running operations. In addition, many legacy systems in the OT space may not support multi-factor authentication schemes or identity and access management. And lack of cybersecurity skills in the workforce of OT environments is another major impediment.