Roping in zero-trust architecture to secure federal agencies from malicious cyber campaigns

The White House has stepped up efforts to adopt a zero-trust architecture across federal agencies. The move directs these agencies to the highest-value starting points on their path to a mature zero-trust architecture, concentrating first on multi-factor authentication, asset inventories, and traffic encryption.

The escalating threat landscape brought about by rampant ransomware and supply chain attacks has accelerated the federal government’s push towards a zero-trust architecture, where no network is implicitly considered trusted. The framework incorporates a maturity model that makes zero trust a continuous journey grounded in a mindset, design principles, processes, and risks.

Through the Office of Management and Budget (OMB), the U.S. administration issued a memorandum last month that sets the pace of the rollout of a federal zero-trust architecture strategy that works towards delivering on U.S. President Joe Biden’s Executive Order 14028, issued in May last year. The Executive Order had said that the “scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”

The January memorandum calls upon federal agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024 to reinforce the administration’s defenses against increasingly sophisticated and persistent threat campaigns.

The concept of ‘zero trust’ is not new to the security industry. Coined in April 1994 by Stephen Paul Marsh for his doctoral thesis on computational security at the University of Stirling, the term zero trust was repopularized a little over a decade ago by John Kindervag, a former Forrester Research analyst.

Increased popularization of zero trust has led to a range of definitions of the term requiring a level of standardization by recognized authorities, such as the U.K.’s National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST). 

More recently, Forrester defined zero trust as a security model that denies access to applications and data by default. Threat prevention is achieved by granting access to networks and workloads only under a policy informed by continuous, contextual, risk-based verification of users and their associated devices. Zero trust rests on three core principles: all entities are untrusted by default, least-privilege access is enforced, and comprehensive security monitoring is implemented.

Industrial Cyber reached out to industry experts to ascertain whether the industrial sector has developed a plan for implementing the zero-trust architecture and if zero trust strategy is achievable by the industrial control system (ICS) and OT sector.

The applicability of the zero-trust requirement to industrial environments extends only to those impacted agencies with industrial assets, Tim Erlin, vice president of strategy at Tripwire, told Industrial Cyber. “That’s certainly not a group of zero, but it is substantially smaller than the entirety of the industrial sector. The administration is addressing commercially-owned critical infrastructure security with a separate, but related set of activities centered around a series of ‘sprints.’” 

Tim Erlin, vice president of strategy at Tripwire

The electricity subsector was first, and the water subsector is the most recent to be announced, Erlin said. “These activities follow a different methodology because the Executive Branch can’t legislate cybersecurity requirements directly,” he added.

Still, the government industrial sector where the requirements would apply definitely doesn’t have a plan for zero trust, Erlin pointed out. “Such a plan hasn’t been required in the past, and while there may be some outliers implementing Zero Trust in commercial industrial environments, the majority of organizations simply aren’t. Secondly, it’s difficult to characterize the industrial sector as a single group. There are big differences between a modern manufacturing plant and a decades-old utility,” he added. 

Anyone operating legacy infrastructure or systems will struggle to modernize them, but the OMB memorandum leaves sufficient room to manage such challenges, Erlin said. “These differences are why the US Government is approaching critical infrastructure security as a series of sprints for different sectors. There may be a set of common, underlying best practices to implement, but each critical infrastructure sector has its own unique set of challenges and requirements as well,” he added.

The definition of ‘zero-trust’ is fairly nebulous, Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “The NIST SP 800-207 definition is rather extensive: ‘Zero trust (ZT) provides a collection of concepts and ideas…’,” he added.

Jonathon Gordon, directing analyst at Takepoint Research

“By now, most folks are familiar with the slogan ‘never trust, always verify’ but what does it really mean to an industrial enterprise? Is the IEC 62443 architecture of zones and conduits considered zero-trust? While it does not deal with identity, granular access, or separation of control/data – some could see it a step towards zero-trust micro-segmentation,” according to Gordon. “So, it is likely that definitions and implementation plans will differ considerably,” he added.

“We see a growing interest coming from the OT sector to develop plans implementing zero trust architecture,” Eyal Manor, head of IoT, threat prevention and security management product management at Check Point Software Technologies, told Industrial Cyber. “This is a conservative industry, responsible sometimes for critical infrastructure and management of assets that we deployed over a period of many years, hence planning and implementing zero-trust policy projects take longer than in modern, ‘born in the cloud’ organizations,” he added.

Eyal Manor, head of product management at Check Point

Another area of focus is what an architecture in an ICS or OT environment must provide in order to be considered zero trust.

Erlin said that any successful zero trust architecture has to start with a foundation of integrity, both in concept and implementation. “In order to allow access to resources based on continuously validated attributes instead of a static authentication, Zero Trust systems must be able to validate when both requestors and resources have changed. In order to ensure that the Zero Trust Architecture itself is secure, it must be monitored for integrity as well. The first place to apply Zero Trust principles is in the architecture supporting Zero Trust,” he added.
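To make the principles above concrete, here is an added example (not code from the article, Forrester, or Tripwire) of a minimal policy decision point that applies the three Forrester principles and Erlin's integrity point: every request is denied unless an explicit grant exists, the decision is re-evaluated on every request rather than once at login, and both the requestor's device posture and the resource's configuration are fingerprinted against a baseline recorded at enrollment, so a change on either side revokes access. All users, device IDs, posture attributes, and configuration bytes are constructed for the demonstration; the posture dictionary stands in for whatever a hypothetical device agent would attest.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

# Explicit grants keyed by (role, resource kind, action). Absence means deny.
POLICY = {
    ("plc-engineer", "plc", "read"): True,
    ("plc-engineer", "plc", "write"): True,
    ("operator", "plc", "read"): True,
}


@dataclass
class Requestor:
    user: str
    role: str
    device_id: str
    posture: dict        # attested device attributes (hypothetical agent output)


@dataclass
class Resource:
    name: str
    kind: str
    config: bytes        # running configuration / firmware bytes under integrity monitoring


def fingerprint(value) -> str:
    """SHA-256 over a canonical encoding; any change to the input changes the hash."""
    if isinstance(value, dict):
        value = repr(sorted(value.items())).encode()
    return hashlib.sha256(value).hexdigest()


@dataclass
class PolicyDecisionPoint:
    device_baseline: dict = field(default_factory=dict)    # device_id -> posture hash
    resource_baseline: dict = field(default_factory=dict)  # resource name -> config hash

    def enroll(self, req: Requestor, res: Resource) -> None:
        """Record the state that was reviewed and trusted at enrollment time."""
        self.device_baseline[req.device_id] = fingerprint(req.posture)
        self.resource_baseline[res.name] = fingerprint(res.config)

    def decide(self, req: Requestor, res: Resource, action: str) -> tuple[bool, str]:
        """Evaluated on every request, not once per session (continuous verification)."""
        if not POLICY.get((req.role, res.kind, action)):
            return False, "no explicit grant (default deny / least privilege)"
        # Unknown devices have no baseline, so the comparison fails and they are denied.
        if self.device_baseline.get(req.device_id) != fingerprint(req.posture):
            return False, "requestor changed: device posture differs from enrolled baseline"
        if self.resource_baseline.get(res.name) != fingerprint(res.config):
            return False, "resource changed: config differs from enrolled baseline"
        return True, "allow"


def demo() -> list[tuple[str, bool]]:
    """Walk through one session and return (scenario, allowed) pairs."""
    pdp = PolicyDecisionPoint()
    eng = Requestor("alice", "plc-engineer", "ews-01", {"edr": "running", "os_build": "22000.493"})
    ops = Requestor("bob", "operator", "hmi-02", {"edr": "running", "os_build": "22000.493"})
    plc = Resource("plc-7", "plc", b"config-v12")
    pdp.enroll(eng, plc)
    pdp.enroll(ops, plc)
    out = [
        ("engineer write", pdp.decide(eng, plc, "write")[0]),   # explicit grant
        ("operator write", pdp.decide(ops, plc, "write")[0]),   # no grant: least privilege
    ]
    # Later in the same session the EDR agent on the workstation stops: same user,
    # same login, but the requestor's attributes changed, so access is withdrawn.
    eng.posture["edr"] = "stopped"
    out.append(("engineer write after posture drift", pdp.decide(eng, plc, "write")[0]))
    eng.posture["edr"] = "running"
    # A new config lands on the PLC outside the change process: the resource changed,
    # so even a read that was allowed a moment ago is held until it is re-validated.
    plc.config = b"config-v13-unreviewed"
    out.append(("operator read after PLC changed", pdp.decide(ops, plc, "read")[0]))
    return out


if __name__ == "__main__":
    for scenario, allowed in demo():
        print(f"{scenario:40s} -> {'ALLOW' if allowed else 'DENY'}")
```

The point of the last two scenarios is Erlin's: a zero-trust system must notice when either the requestor or the resource has changed since it was last validated, and the baselines the decision point relies on are themselves an integrity-monitored asset.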

Industrial environments seeking to implement zero trust face multiple challenges beyond building a basic foundation, according to Erlin. “They have to look not only at Zero Trust, but also at modernization of their legacy systems. Furthermore, there are few, if any, Zero Trust providers specifically servicing industrial organizations. Implementing systems built for enterprise IT into industrial environments has not generally been a successful strategy,” he added.

The fundamental approach is that “one should not believe what anyone or anything tells you – always validate, only provide access to the specific data or service that is required by authorized sessions and secure the communication between,” Gordon said. “Things change all the time – so it requires constant observation and dynamic policy changes – never trust, always verify all the time,” he added.

“First, organizations need comprehensive discovery capabilities, to map all OT and IoT assets and their network connection inside the network and to/from the Internet,” Manor said. “Then, to become Zero Trust, organizations must be able to inspect and control all communication and commands that enter or leave these devices and take a decision in real-time if such communication is legitimate or malicious, to prevent an attack before it takes place,” he added. 
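The contrast Gordon draws between IEC 62443 zones and conduits and zero-trust granularity, and the command-level inspection Manor describes, can be shown side by side. The following is an added example, not code from the article, Takepoint Research, or Check Point: it parses Modbus/TCP frames (MBAP header plus PDU) and evaluates each one against two policies, a zone-to-zone conduit rule that allows anything from the control zone to the PLC zone, and a zero-trust rule set keyed on the identity of the source host, the target unit, and the specific function code, with everything else denied. All IP addresses, zones, unit IDs, and frames are constructed for the demonstration.

```python
from __future__ import annotations
import struct
from ipaddress import ip_address, ip_network

WRITE_FCS = {5, 6, 15, 16, 22, 23}   # Modbus function codes that change PLC state

# IEC 62443-style zones and a single conduit between them (constructed).
ZONES = {
    "control": ip_network("10.10.1.0/24"),
    "plc": ip_network("10.10.2.0/24"),
}
CONDUITS = {("control", "plc")}      # zone rule: any host in control may reach plc

# Zero-trust rule set: (source host, destination host, unit id) -> permitted function codes.
# Nothing not listed here is allowed (default deny).
ZT_POLICY = {
    ("10.10.1.10", "10.10.2.5", 1): {3, 6, 16},   # engineering workstation: read and write
    ("10.10.1.20", "10.10.2.5", 1): {1, 3},       # HMI: read coils / holding registers only
    ("10.10.1.30", "10.10.2.5", 1): {3},          # historian: read holding registers only
}


def zone_of(ip: str) -> str | None:
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)


def conduit_allows(src: str, dst: str) -> bool:
    """Zone/conduit check: sees hosts only as members of zones."""
    return (zone_of(src), zone_of(dst)) in CONDUITS


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes) -> dict:
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus/TCP")
    if length != len(frame) - 6:      # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:]}


def zt_decide(src: str, dst: str, frame: bytes) -> tuple[bool, str]:
    """Zero-trust check: identity of the source, specific unit, specific command."""
    try:
        msg = parse_frame(frame)
    except ValueError as exc:
        return False, f"drop malformed frame: {exc}"
    allowed = ZT_POLICY.get((src, dst, msg["unit"]))
    if allowed is None:
        return False, f"no rule for {src} -> {dst} unit {msg['unit']}"
    if msg["fc"] not in allowed:
        kind = "write" if msg["fc"] in WRITE_FCS else "read"
        return False, f"fc {msg['fc']} ({kind}) not permitted for {src}"
    return True, f"allow fc {msg['fc']} from {src} to unit {msg['unit']}"


def demo() -> list[tuple[str, bool, bool]]:
    """Return (scenario, conduit verdict, zero-trust verdict) for constructed traffic."""
    plc = "10.10.2.5"
    read_hr = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))      # read 10 holding registers
    write_sp = build_frame(2, 1, 6, struct.pack(">HH", 40, 1500))  # write a setpoint register
    bad_pid = b"\x00\x03\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"   # protocol id 1: not Modbus/TCP
    cases = [
        ("hmi reads", "10.10.1.20", read_hr),
        ("hmi writes", "10.10.1.20", write_sp),          # passes the conduit, fails zero trust
        ("engineer writes", "10.10.1.10", write_sp),
        ("historian writes", "10.10.1.30", write_sp),
        ("rogue host reads", "10.10.1.99", read_hr),     # inside the zone, but no identity rule
        ("bad protocol id", "10.10.1.10", bad_pid),
    ]
    return [(name, conduit_allows(src, plc), zt_decide(src, plc, f)[0]) for name, src, f in cases]


if __name__ == "__main__":
    for name, conduit, zt in demo():
        print(f"{name:18s} conduit={'ALLOW' if conduit else 'DENY':5s} zero-trust={'ALLOW' if zt else 'DENY'}")
```

Every case passes the conduit check, because the conduit only knows that the control zone may talk to the PLC zone; only the zero-trust policy distinguishes a read from the HMI from a write from the same HMI, or a known workstation from an unknown host that happens to sit in the right subnet. The decision here is a static allowlist; Manor's point is that in a real plant the rule set is large and shifting enough that building and maintaining it usually needs automated discovery and learning of normal traffic.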

Defining such zero-trust policies is complex, and often requires machine learning and AI technologies to define an autonomous policy, according to Manor. 

Concerns have been raised about whether a zero-trust architecture can be realized in the ICS and OT sector, given the underlying risk that it could disrupt critical services and systems and impair the efficient operation of OT systems.

There’s little to no activity around zero-trust in industrial organizations, Erlin said. “The majority of these organizations are trying to get a handle on the basic security controls of asset inventory, secure configurations, and vulnerability assessment,” he added. 

Manor said “Absolutely yes, a zero-trust policy is definitely achievable for organizations in the OT sector. We definitely see organizations in this sector deploying and using it already today.”

Gordon said that “some [OT companies] do have what may be considered as ‘partial zero-trust architecture’ – I have been briefed on projects that embodied zero-trust architecture concepts long before the term was common. With zero-trust principles, as with everything we do in industrial cybersecurity, the path will be different for every organization – each industrial enterprise is at a different stage of maturity and capability,” he added.

Additionally, while some concepts of zero-trust architecture are relatively simple to deploy – zero-trust remote access for example – other concepts are complicated due to the nature of operational technology and production requirements, according to Gordon. “I believe many of these notions will continue to seep into the conscience and plans of folks determined to protect their industrial environments,” he concluded.
