Cybersecurity, Zero Trust

Strengthening Operational Technology with Zero Trust

June 2nd, 2022
Alex Whitworth Headshot

Hurdles of Implementing Zero Trust

With the altered landscape of operational technology (OT), cybersecurity has adapted to bring the zero trust philosophy to the forefront. Zero trust has become a leading cybersecurity architecture. With zero trust, each user, device, and application is required to pass security measures to prove its trustworthiness in a network. Due to the importance of strengthening OT networks, several additional steps should be taken for increased security. With zero trust and the incorporation of segmented networks, visibility, a unidirectional security gateway, and cloud-based services, OT networks can be firmly secured.

Carahsoft Operational Tech Zero Trust Blog Embedded Image 2022The Danger of OT Breaches

Operational Technology (OT) is a category of computer and communication systems that manage, monitor, and automate changes to industrial control systems and devices. With improper OT security, severe damage can occur. Previous hacks to the OT system have resulted in pipeline networks and electric grid attacks. These breaches can slow down organizations, disrupt critical infrastructure, or cause environmental congestion, which make the public more vulnerable for an attack [1]. Such attacks have a widespread impact on the American economy, often forcing shutdowns for cyber systems. Invasions on organizations can cost them, on average, twenty-one days of downtime [2]. Preventing these breaches with a strong zero trust policy for OT is vital.

Problems and Solutions

Zero trust is the most effective security strategy for OT networks. However, connecting OT devices introduce new types of vulnerabilities for networks and enterprises. Problems that companies may encounter include:

  • A lack of OT visibility: One major benefit of OT visibility is the ability to safely control systems. As the security landscape becomes more dangerous for industrial networks, agencies must monitor OT networks to protect them. Increasing connectivity to supervise these networks also exposes more of the network to attacks.
  • Issues with OT change control: Most OT and IT networks are flat and internally unsegmented, which causes vulnerabilities within the framework.
  • IT/OT firewall risks: Modern attacks can reach through firewalls, including IT/OT firewalls.

Luckily, there are several security measures that address these issues. These procedures work with the zero trust framework to protect OT networks from severe breaches. Some of these include:

  • Utilizing a passive tool for increased visibility: By implementing a tool such as Remote Monitoring or NetFlow, users can detect changes, errors, and system breaches made to the system. By tracking user and device access, managers can quickly detect and report unusual activity. This can help identify security threats with minor maintenance and management from IT.
  • Creating segmentation: Utilizing segmentation will create individual isolation so that secure information cannot pass to unauthorized devices. In the case of a breach, this will reduce the blast radius.
  • Implementing a Unidirectional security gateway: By having a unidirectional gateway, no bad actors can penetrate the external network back into the OT network. Since the gateway hardware is only physically capable of sending information and data in one direction, no ransomware or outside attack can hack the security gateway.
  • Employing Cloud-based services: These services add value to both IT and OT networks by introducing offline backup, real-time threat and analysis tools, and equipment inventory. Although this opens up sensitive information to the internet, with a unidirectional gateway, there is no risk of compromising that information. Hardware-enforced unidirectional connections will make it physically impossible for security threats to be posed from the outside.
  • Applying privileged access: With privileged access, standard users will not have special access to critical IT and OT infrastructure above their required level. This will reduce the surface attack of potential breaches. To further this, managers should work to exclude or restrict vulnerable devices that can’t be patched or taken offline.

With these added functions, OT networks will be firmly secured against bad actors, ensuring a stronger and more united America.

Stronger with Zero Trust

With recommendations from the Biden Administration and security experts, zero trust is the leading security strategy. To maintain pace with the changing landscape of the internet, government agencies should prepare to implement not only a zero trust strategy, but the additional security measures that will solidify networks. Through zero trust, passive tools, unidirectional security gateways, and cloud-based services, agencies will have better oversight and control over their information and OT networks.

 

Check out our solutions datasheet for more information on how your agency can safeguard operations and the best practices to implement a Zero Trust framework.

 

[1] “A Zero Trust Approach to Secure Operational Technology,” Carahsoft, https://www.carahsoft.com/learn/event/36746-A-Zero-Trust-Approach-to-Secure-Operational-Technology-%28OT%29-Systems

[2] “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware, https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020

Related Articles