A zero trust strategy establishes rules and good practices to improve the security and resiliency of your IT infrastructure, but what can it do for operational technologies (OT)? It turns out, quite a bit – but there are limits.
Last fall, my colleague Greg Young wrote a blog post IoT and Zero Trust are Incompatible? Just the Opposite, which opened the door to a worthy discussion on which elements of zero trust are applicable to an OT environment.
There is no one-to-one mapping of zero trust architectural principles onto ICS infrastructure. However, there are many useful areas where zero trust can substantially improve the resilience and safety of OT infrastructures. We’ll begin by highlighting the main principles of zero trust, and then map them against the Purdue model.
What is Zero Trust?
The zero trust model has four major principles:
- Access rights cannot be granted based on a requestor’s location. The fact that a user or process is on a certain network segment does not grant them access to the resources on that segment.
- Requestors must be authenticated. This means that identity management is a prerequisite for zero trust.
- The network must be segmented to isolate critical elements and limit the scope of a malware attack.
- The behaviour of requestors and processes must be assessed before granting access and monitored periodically afterwards. The robustness of user authentication, the granularity of network segmentation, and the frequency of monitoring are all determined by the degree of risk these processes can manage, balanced against the complexity and overhead of those measures.
The Purdue Model
Developed in the 1980s, the Purdue Enterprise Reference Architecture (PERA) defines the hierarchy of technologies that support a computer-integrated manufacturing operation. The original paper, The Purdue Reference Model for CIM, went well beyond the familiar graphic, discussing managerial processes, personnel and organisation, and external influences.
That work envisions supply chain security, discusses information security organisational and personnel issues, and models digital transformation for industrial enterprises. This image, from Cybersecurity for Industrial Control Systems, Part I highlights ICS endpoints:
Challenges with applying zero trust
Applying zero trust principles comes down to segmenting the network, using authentication technology to verify the requestor before making any service available, enabling secure point-to-point networking, and monitoring device and entity behaviour.
This breaks down where technological limitations prohibit these capabilities. Sensor ship with a built-in back door. These devices must be calibrated in the field. The engineer installing them sets the operating level when the device is installed. Many devices lack even simple authentication capabilities, which means they cannot securely verify their identity.
Additionally, many lack logging capabilities. Behavior analysis must fall back on potentially untrustworthy telemetry collected at the network edge of the segment in which these devices reside. The networks themselves are traditionally low capacity (although this is improving), meaning that they lack the bandwidth to support real-time analysis of indications of compromise. The cost of segmentation seems high compared with the simplicity of a flat network. These constraints mean that zero trust cannot be comprehensively applied across an entire ICT environment.
How to apply zero trust to ICS environments
Given these constraints, securing ICT environments requires stronger measures at the edge, and more edges. That is, network segmentation, where practical, can impede malware attempting to move laterally.
Over these segments, security teams need to perform reputation analysis on the segment rather than attempt it on each device. This will help isolate malfunctioning zones, allowing further forensic analysis.
Where possible, require multi-factor authentication for users. And as technology catches up, deploy processor technology offering a secure co-processor for critical functions, such as patching, logging, security updates and analysis, and authentication.
Secure coprocessors are now available from most major chip manufacturers. However, most organisations will not deploy them as the price remains higher than simpler designs. ICT has an in-use lifetime of decades, meaning upgrades are rare and the capital expense is significant. Unfortunately, market mechanisms prevent wide-scale adoption of advanced security technologies. Regulation will ultimately drive adoption.
The complexity of managing ICT security may slow adoption of zero trust. Enterprises that recognise the risk and invest in a comprehensive IT/OT information security program may find their path eased by using a managed security partner (MSP) with expertise in both traditional IT and ICT domains. The enterprise itself must maintain its own cybersecurity hub, but once procedures are nailed down, a partner can cover much of the normal incident response and remediation activities. That partner will help deploy and sustain a reliable, trustworthy, resilient, and secure infrastructure.
As we mentioned, zero trust is a model and a strategy, not a product. Taking into consideration the segmentation of ICS networks coupled with an expanding digital attack surface, using a variety of point products to apply zero trust can further complicate security—even for extremely knowledgeable MSPs.
Look for a unified cybersecurity platform to consolidate the security capabilities necessary to apply multiple aspects of zero trust across the ICS environment. From one console, your security team or MSP, can see at-a-glance any suspicious user behaviour for further investigation.
For more information on ICS security and zero trust, check out the following resources: