Challenges in Converting to Zero Trust
Zero Trust is a leading security strategy on business-critical or “IT” networks. For control-critical or “OT” networks, the shift to a zero trust strategy comes with challenges. Important issues include:
- A lack of OT visibility: The steadily worsening threat landscape steadily increases the likelihood of intrusions into industrial networks. Monitoring OT networks is essential to understanding and managing the security posture of those networks, but increasing connectivity into OT networks to implement such monitoring also increases the exposure of those networks to attack. In this case, the OT monitoring cure is as bad as the cybersecurity disease.
- Issues with OT change control: Most OT networks are flat, internally unsegmented and sometimes not even segmented from IT networks, which makes the OT networks vulnerable. Reconfiguring these networks with firewalls for deeper segmentation makes those networks somewhat more secure, but the impact of these networking changes on sensitive and change-controlled OT networks can be significant.
- IT/OT firewall risks: Modern targeted attacks routinely punch through firewalls, including IT/OT firewalls. This is unacceptable. No ransomware or other attack on IT networks should ever have any chance of impairing physical operations.
Three important security measures address these three challenges and help implement a strong zero-trust OT security strategy. The good news is that these solutions are simple. They do not require anything that needs constant managing, continual updates, or complex configurations. Instead, they give users increased visibility into, and protections for, the OT and industrial control networks that manage physical operations.
Utilizing a Passive Tool for Increased Visibility
Visibility over a network is incredibly desirable; it helps network users detect changes that are made to the system, which can often help identify security threats. Without proper visibility, you aren’t able to see potential system breaches, changes, or errors. Passive monitoring tools provide visibility. The problem with these tools is that they need regular maintenance and management from an IT network, but also require access to mirror and SPAN ports on industrial & OT network switches. The monitoring tools then become so-called “dual-homed hosts.” The tools have one network interface connected to an IT network, and another connected to the OT network, and so constitute a new attack path that leads from Internet-exposed IT networks into operations-sensitive OT networks. The solution is a hardware-enforced unidirectional device between the OT mirror port and the IT-resident passive scanning system. A hardware device that is truly unidirectional provides network information to the passive scanning tool without introducing any new attack paths back into the OT network through mirror port hardware that is intrinsically bi-directional.
Unidirectional Security Gateway
The consequences of compromising OT networks are generally unacceptable – consequences including all of safety issues, worker casualties, public safety risks, damage to very costly equipment and lost production opportunities. Zero trust means that when the consequences of compromise are unacceptable, the OT network cannot afford to trust business-critical or other networks reachable directly or indirectly from the Internet. Instead of trusting these systems, industrial sites are deploying unidirectional gateway technology at the IT/OT interface. The gateway hardware is physically able to send information in only one direction – from the OT network out into the IT network. No ransomware, targeted nation-state attack or any other attack information from an external network can penetrate the unidirectional hardware from an external network back into the OT network.
Unidirectional gateway software makes copies of the OT servers that are the focus of IT/OT integration – most commonly OT process historians or one of the many kinds of OPC servers. IT users and applications can then query and interact normally with the IT copies of these OT servers, because the IT copies contain all of the OT data that is authorized to be shared with the IT network. Unidirectional gateway hardware provides the strongest security against online attacks, while both IT and OT users and applications continue to interact normally with OT systems and their IT copies.
Cloud-based security services have emerged to add a wide range of value to both IT and OT networks. These services include everything from out-sourced security operations centers to offline backups and forensics, real-time threat intelligence and analysis tools, and equipment inventory and patch management systems. However, providing OT systems with connections directly or indirectly out to Internet-based cloud systems is problematic – why should our most sensitive OT systems trust that Internet-based cloud systems will not be compromised and subsequently used to attack OT systems through software-mediated OT-to-cloud connections? Again, unidirectional gateway hardware at the interface between OT and Internet/cloud-based systems is the answer. Hardware-enforced unidirectional connections enable the benefits of Internet-based cloud services, without the risks of Internet connectivity for OT networks.
Zero Trust Strategy for All
Even with sensitive, change-controlled networks, switching to a zero-trust strategy can be straightforward. Unidirectional gateways enable passive visibility into OT networks, safe IT/OT integration and safe cloud connectivity, making outside security breaches physically impossible to conduct. All of these changes occur at the IT/OT or OT/Internet perimeter, without any need to reconfigure sensitive OT networks for even the strongest of zero-trust configurations secured by unidirectional hardware. Unidirectional zero trust means we can enjoy the benefits of passive OT network monitoring, of IT/OT integration and of OT-to-cloud integration, without suffering the security risks of IT or Internet connectivity.
Waterfall Security Solutions is the leading provider of unidirectional gateway technology. Waterfall provides unidirectional tools for passive monitoring, safe IT/OT integration, and safe cloud connectivity. Waterfall’s tools are vital to implementing and maintaining a solid industrial & OT zero trust strategy. Watch Waterfall Security’s Webinar for more insights on implementing zero trust on industrial and operations networks.