Zero Trust: Practical Approaches for Securing OT Networks
In traditional industries such as manufacturing, energy, construction, mining, and transportation, organizations are living through the convergence of two worlds. First, there is the world of operational technology (OT) and physical industrial devices. This can include automated industrial control systems (ICS) such as distributed control systems (DCS), remote terminal units (RTUs), human-machine interfaces (HMI), and supervisory control and data acquisition (SCADA) systems. And then there is the data-centric world of information technology (IT), with its array of servers, storage, and business applications, in the data center and the cloud.
In the past, OT environments were “air gapped” with no direct network connectivity to the IT world, safely isolated within their own local area network (LAN). However, the rise of IoT devices, the adoption of Industry 4.0, and increasing digitization have driven a convergence of IT and OT environments. Traditional enterprises are now routinely feeding OT data into IT systems to benefit from AI, machine learning, and advanced analytics to improve inventory controls, supply chain efficiencies, and process quality.
The efficiency gains of this IT/OT convergence are real. Unfortunately, OT networks and devices that were previously isolated are now exposed to external threats, and cybercriminals have made OT networks a major target, particularly for ransomware attacks. These attacks can come from many angles, including phishing attacks to first gain access to the IT network and then the OT network, or using known vulnerable network protocols and ports to load infected control logic into OT devices.
Bringing Zero Trust to OT Environments
The convergence of IT/OT environments in traditional industries is also bringing another kind of integration. IT cybersecurity best practices, such as Zero Trust, are now being actively applied within OT.
The Zero Trust framework is based on a simple principle – that no entity should ever be considered trusted, no matter where it is located. Zero Trust inherently treats every device as if it were already compromised. This “never trust, always verify” approach requires that whenever any wired or wireless network node requests access, it must be verified before access is granted. It also means practicing the “principle of least privilege” by providing only the bare minimum of required access even when access is approved.
But although Zero Trust is an established paradigm within IT, the unique nature of OT networks makes generic Zero Trust approaches difficult to implement. Flat networks, legacy assets, IoT and OT devices that can’t accept agents, and an inability to provision multi-factor authentication all compromise efforts to deliver Zero Trust effectively in OT environments. Many efforts unfortunately result in a partial Zero Trust implementation, where easily protected devices are secured, but a patchwork of more problematic devices remain vulnerable.
Three Steps to Implementing Zero Trust in OT
So how can traditional enterprises protect their valuable (but vulnerable) OT environment from cybercrime? Here are the three key steps every organization should take to drive Zero Trust into OT.
Step 1: Shrink Your Attack Surface with Zero Trust Microsegmentation
Basic segmentation as a core networking principle isn’t new. Virtual local area networks (VLANs), access control lists (ACLs), and firewalls have long been used to provide north-south (client to server) network segmentation. The focus of Zero Trust microsegmentation, however, is to segment vulnerable east-west traffic (the lateral flow between workloads and devices). This is critical as devices on a shared VLAN get a complete view and communication path to all other devices, allowing ransomware to easily propagate throughout the network.
Microsegmentation is so central to protecting OT networks that Gartner, in their most recent Hype Cycle™ for Security Operations, 2022, recommended that enterprises “Determine immediate gaps, such as flat networks or missing or misconfigured firewalls” as a key first step in Zero Trust implementation for OT environments.
Unfortunately, applying microsegmentation in OT networks can be hard. OT environments are often filled with legacy and headless devices that cannot accept the endpoint agent software most solutions require to enforce granular isolation.
Airgap Zero Trust Network Segmentation shrinks the attack surface by isolating every device into a microsegment of one for perfect Zero Trust. Our patented platform uniquely does this without agents or significant hardware changes. For the first time, microsegmenting OT environments with legacy and headless devices is not only possible, it can be done in just a few hours.
Step 2: Close Multi-Factor Authentication (MFA) Gaps
Enterprise applications are a frequent target of cybercriminals, whether through compromising weak passwords, brute force attacks, or leveraging stolen credentials (“credential stuffing”).
Organizations have typically responded by provisioning Multi-Factor Authentication for employee access to SaaS and cloud applications via their single sign-on (SSO) provider. Using a phone or token, MFA provides an added layer of validation to verify user identity before permitting access.
Unfortunately, unlike SaaS and cloud-based applications, legacy applications pre-date modern authentication schemes, so modern SSO protocols can’t be used to protect them. These legacy applications are common in traditional industrial environments. This again results in a patchwork of Zero Trust – some high-value assets are protected by MFA, and others are not – leaving behind well-known and easily exploited vulnerabilities.
Airgap Secure Asset Access immediately closes this crucial authentication gap with MFA for legacy enterprise applications. Airgap protects these vulnerable applications with modern MFA that fully integrates with an organization’s existing VPN and SSO solution providers. Enterprises can now enjoy universal MFA across all applications, closing a major security vulnerability in many OT networks.
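To make the "phone or token" second factor concrete, here is an added example (not Airgap's code and not part of the original post) of the check an MFA gateway placed in front of a legacy application would perform before forwarding a session. It implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, accepts one time-step of clock skew, and refuses to accept the same time-step twice so a sniffed code cannot be replayed inside its validity window. The `MfaGate` class, the user name and the secret are assumptions; the secret is the RFC 6238 reference test value, not a real credential.

```python
"""Added example: TOTP verification as an MFA gateway for a legacy app
would do it. The class, user and secret are constructed for illustration."""
import hashlib
import hmac
import struct

# RFC 6238 reference test secret (ASCII "12345678901234567890"); constructed, not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class MfaGate:
    """Verifies a user's TOTP before the gateway hands the session to the
    legacy application. Remembers the last accepted time-step per user so a
    code captured on the wire cannot be replayed while it is still valid."""

    def __init__(self, secrets: dict, step: int = 30, skew_steps: int = 1):
        self.secrets = secrets        # user -> shared TOTP secret (hypothetical store)
        self.step = step
        self.skew = skew_steps        # how many steps of clock drift to tolerate
        self.last_step = {}           # user -> last time-step consumed

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            step = current + delta
            if step <= self.last_step.get(user, -1):
                continue  # this step (or an earlier one) was already used: reject replay
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    gate = MfaGate({"alice": TEST_SECRET})
    code = totp(TEST_SECRET, 59)
    print("first use:", gate.verify("alice", code, 59))    # True
    print("replay:   ", gate.verify("alice", code, 60))    # False
```

The constant-time comparison and the per-user replay record are the two details that separate a usable gateway check from a toy: the first keeps the comparison from leaking which digits matched, the second closes the window in which an observed code is still accepted.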
Step 3: Gracefully Shut Down Lateral Traffic When Under Attack
Attacks happen even to the most prepared. The only response available to many organizations when an attack is underway is a brute-force shutdown of the entire compromised VLAN, including business-critical north-south traffic between users and major business applications. This can bring the whole operation offline, as we’ve seen in some recent high-profile attacks. What is needed is a more targeted approach that immediately shuts down lateral traffic from suspect devices while maintaining north-south traffic and therefore business continuity. Time is of the essence here – delays in mounting an effective response compound the ultimate business impact of the attack.
Airgap Ransomware Kill Switch™ instantly blocks lateral communications to or from any endpoint without impacting north-south traffic. This effectively reduces the “blast radius” of an attack, usually down to just one endpoint. Airgap Ransomware Kill Switch lets organizations tightly control this lock-down of compromised devices by using policy-set severity levels. The Airgap solution also provides visibility to all device-to-device lateral traffic flows within a shared VLAN to easily spot threats and anomalous behaviors. Our built-in monitoring can also detect even low-volume ransomware attacks using continuous machine-learning/AI behavioral and anomaly detection, to shorten incident response time and attack blast radius.
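The east-west versus north-south distinction from Step 1 and the targeted lateral lock-down from Step 3 can be modelled in a few dozen lines. The following is an added example, not Airgap's code or part of the original post: a toy policy engine that denies all lateral traffic on a shared VLAN except an explicit allow list (a "microsegment of one" by default), a kill switch that cuts lateral traffic for a suspect device by severity level while leaving its north-south traffic intact, and a small detector that reads constructed flow-log lines and flags a device reaching many peers on the VLAN. The subnets, device addresses, log format and severity names are all assumptions.

```python
"""Added example: microsegmentation policy, kill switch and lateral fan-out
detection over constructed flow records. Topology and logs are made up."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed topology: the OT VLAN and the IT server subnet it talks to.
OT_VLAN = ipaddress.ip_network("10.10.0.0/24")
SERVERS = ipaddress.ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def direction(flow: Flow) -> str:
    """east-west if both ends are on the OT VLAN, north-south if one end is
    the server subnet, otherwise 'other'."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if s in OT_VLAN and d in OT_VLAN:
        return "east-west"
    if (s in OT_VLAN and d in SERVERS) or (s in SERVERS and d in OT_VLAN):
        return "north-south"
    return "other"


@dataclass
class Policy:
    # Explicit east-west allow list of (src, dst, port); all other lateral flows are denied.
    allowed_lateral: set = field(default_factory=set)
    # Devices isolated by the kill switch, mapped to a hypothetical severity level.
    isolated: dict = field(default_factory=dict)

    def kill_switch(self, device: str, severity: str) -> None:
        """'high' cuts only lateral traffic; 'critical' cuts everything."""
        self.isolated[device] = severity

    def decide(self, flow: Flow) -> str:
        kind = direction(flow)
        for end in (flow.src, flow.dst):
            sev = self.isolated.get(end)
            if sev == "critical":
                return "deny"
            if sev == "high" and kind == "east-west":
                return "deny"
        if kind == "east-west":
            return "allow" if (flow.src, flow.dst, flow.port) in self.allowed_lateral else "deny"
        if kind == "north-south":
            return "allow"  # business traffic to the data center keeps flowing
        return "deny"


# Constructed flow log: one OT device suddenly reaching six VLAN peers on 445,
# alongside a normal north-south session.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:0{i} src=10.10.0.7 dst=10.10.0.{30 + i} dport=445" for i in range(6)]
    + ["2024-01-01T10:00:09 src=10.10.0.8 dst=10.200.0.10 dport=443"]
)


def parse_flows(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        flows.append(Flow(fields["src"], fields["dst"], int(fields["dport"])))
    return flows


def lateral_fanout(flows, threshold: int = 3) -> dict:
    """Count distinct east-west peers per source; a device that reaches many
    VLAN peers in a short window is a propagation candidate for the kill switch."""
    peers = defaultdict(set)
    for f in flows:
        if direction(f) == "east-west":
            peers[f.src].add(f.dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    policy = Policy(allowed_lateral={("10.10.0.5", "10.10.0.20", 502)})
    for suspect in lateral_fanout(parse_flows(SAMPLE_LOG)):
        policy.kill_switch(suspect, "high")
    print(policy.isolated)                                    # {'10.10.0.7': 6 peers -> 'high'}
    print(policy.decide(Flow("10.10.0.7", "10.200.0.10", 443)))  # allow: north-south survives
```

Run as a script, the detector isolates `10.10.0.7` at severity `high`: its lateral flows are dropped, but its north-south session to the server subnet is still allowed, which is the business-continuity property the step describes.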
Unified Zero Trust For IT and OT
Zero Trust, originally implemented to protect IT, is rapidly gaining ground in OT. Unfortunately, most solutions on the market only protect pieces of any given environment. Attackers use the remaining exposed vulnerabilities, such as legacy and IoT devices, as a common entry point for their attacks.
Airgap provides a more unified approach, by microsegmenting every device for true Zero Trust regardless of device type or its ability to accept modern authentication. Airgap complements existing infrastructure, improving and enhancing the security and Zero Trust posture of both IT and OT networks. Customers enjoy a single security policy that spans all environments, and delivers a common experience for all end users regardless of access location. And with no agents to install, no APIs, and no major hardware changes, customers can now implement a unified true Zero Trust posture in a matter of hours.