Zero-Trust: An Imperative in IoT/OT Infrastructure
While information technology (otherwise known as IT) represents the overarching infrastructure used in processing and handling data and information is well understood, operational technology, otherwise known as OT, often remains a mysterious black box to many.
OT refers to a network of hardware embedded with sensors and software. These systems are considered to be a vital part of all oil and gas installations, energy monitoring, transportation, and manufacturing systems, and are used to monitor and control physical processes, devices, and infrastructure that lie at the core of ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition Systems).
OT systems are generally regarded as critical infrastructure and have been in existence since the 1970s. Having barely evolved in terms of the deployed hardware and proprietary protocols used for communication, they are jokingly referred to as “old technology.”
High risk: OT in today’s landscape
Let’s fast forward to today’s fast-paced and sophisticated threat landscape.
The convergence of IT and OT has now become a well-established trend, driven by business benefits that hinge on real-time information sharing, analysis, and response. Not surprisingly, however, network convergence poses great risks:
- OT networks grew historically and often lacked basic security features such as those which have been incorporated into today’s enterprise IT environments through various industry standards.
- OT equipment was never built to be software-deﬁned and therefore had little to no need for stringent security and access control enforcement.
- OT networks were generally designed to operate in “air gapped” environments and have relied mainly on isolation and obscurity as a security strategy.
Increasingly, we’re witnessing attackers exploit vulnerabilities in both directions across IT and OT environments, often with disastrous outcomes. The often difficult to manage complexities of the cyber-physical integrations in these two environments provide a plethora of easy to compromise attack surfaces, making it a lucrative target for attackers.
In addition to being the weakest security link within an enterprise, OT systems are generally very high-risk environments with strategic national interests, as well as the lives and wellbeing of plant workers tied to their seamless operation. This gives attackers additional leverage as observed in the recent article from ZDNet, Colonial Pipeline attack: Everything you need to know.
Leveraging zero-trust is essential
In today’s world, isolation, and obscurity, against the backdrop of IT and OT convergence, no longer works as a reliable security strategy. This means that existing OT environments need to become more agile and responsive to threats.
Enter zero trust.
Zero-trust security is a strategy based on the simple premise that a network is always at risk of threats. It implements three core principles.
- Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies
- Use least privilege access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity
- Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses
As cyberattacks continue to increase in frequency and impact due to state-sponsored advanced persistent threats (APT) and increasingly sophisticated and widespread malware campaigns, we begin to observe new cybersecurity strategies and directives mandated at government level such as the one issued by the Biden administration requiring all government agencies and departments to transition from the traditional perimeter paradigm to adopting comprehensive zero trust models to secure all infrastructure, networks, and data.
To protect your organization, you need a zero-trust architecture for your IoT/OT systems.