Addressing complexities of zero trust implementation in OT/ICS environments to bolster cybersecurity

Incorporating a zero-trust framework into OT (operational technology) and ICS (industrial control system) environments has become imperative for addressing the distinct challenges that arise when legacy infrastructure meets modern security controls. Because these systems underpin vital sectors such as energy, manufacturing, and transportation, integrating robust security practices without interrupting them is essential to withstand evolving cyber threats and to safeguard operational continuity.

One prominent challenge lies in the complexity of interconnected devices and legacy protocols, which makes it arduous to implement granular access controls without disrupting operations. Moreover, the diverse array of devices, many with limited computing capabilities, complicates the deployment of advanced authentication mechanisms. Balancing the need for heightened security against the necessity of maintaining operational continuity is a delicate task.

The dynamic nature of industrial environments, marked by frequent changes to configurations and equipment, adds another layer of complexity. Maintaining an accurate inventory of assets and continuously monitoring for anomalies require resilient solutions. Weighing heightened security measures against the operational disruptions they can cause underscores the importance of integrating zero-trust principles effectively.

Moreover, fostering a culture of security awareness among OT/ICS employees becomes necessary. Educating operators on how a zero-trust approach should guide their day-to-day actions remains a challenge. As the threat landscape evolves, the adaptability and scalability of zero-trust frameworks have become crucial for safeguarding critical infrastructure against emerging adversaries and attacks. Addressing these issues requires a holistic approach that integrates technology with a deep understanding of the operational intricacies of OT/ICS environments.

In 2024, the regulatory landscape surrounding zero-trust frameworks is gaining prominence. As industries adopt these security paradigms, compliance with evolving regulations becomes paramount. Organizations must navigate and align their security practices with the regulatory implications of zero trust to ensure both technological resilience and adherence to legal requirements in a rapidly evolving cybersecurity landscape.

Emerging challenges of zero trust implementation for OT/ICS environments

Industrial Cyber reached out to industrial cybersecurity experts to evaluate the primary security considerations unique to OT and ICS environments when implementing a zero-trust approach. They also examined the evolution of zero trust implementation in OT/ICS environments since 2022 and identified emerging challenges.

Ruben Lobo, director of product management at Cisco IoT

Ruben Lobo, director of product management at Cisco IoT, said that zero trust assumes all devices will authenticate to the network. “In industrial networks, we know this is not a reality as most OT assets do not have strong security and authentication mechanisms.”

“As industries accelerate their digitization, they need seamless communications with external resources. They are now facing threats from third parties that need remote access into the networks and from local resources that need to access cloud resources and external applications,” Lobo told Industrial Cyber. “Zero Trust has evolved to meet both these challenges and we now need to differentiate between zero-trust network segmentation and zero-trust network access (ZTNA).”

Lobo highlighted that zero-trust network segmentation ensures OT/ICS assets are only allowed to communicate with resources they need to run the industrial process. “This is what the ISA/IEC 62443-3-3 security standard recommends by proposing a zones and conduits model. In addition to using firewalls for building macro network segments, using a network access controller to create smaller zones of trust within each segment allows for dynamic zero-trust policy definitions and more agile production infrastructure.”

“ZTNA ensures that remote users have access only to specific local resources at specific times based on identity and context policies,” Lobo evaluated. “It’s the perfect alternative to VPNs that have drawbacks of being always-on solutions with all-or-nothing access to OT assets.”

Qiang Huang, head of product management of Palo Alto Networks’ IoT security product

“Historically, downtime in OT environments resulted from errors, system issues, or natural disasters. Ongoing digital transformation has connected OT assets to IT and cloud, expanding the attack surface,” Qiang Huang, head of product management of Palo Alto Networks’ IoT security product, told Industrial Cyber. “Securing legacy systems is crucial for mission-critical environments, requiring a balance between security and operational efficiency. The convergence of IT and OT teams has revealed a skills gap, demanding rapid learning for efficient problem-solving. Enterprises must adapt swiftly to ensure operational resilience amid increased connectivity and potential threats.”

Huang said that the ‘trust nothing, verify everything’ zero trust principle is an effective approach for implementing security controls and processes. “With OT environments becoming increasingly dynamic and hybrid, traditional security measures face challenges. There is a growing interest in applying/extending zero-trust frameworks to OT or converged IT/OT networks, incorporating capabilities such as comprehensive visibility, improved segmentation, and continuous monitoring.”

Dave Purdy, Regional Vice President of Sales, North America at TXOne Networks

Dave Purdy, regional vice president of sales for North America at TXOne Networks, told Industrial Cyber that the OT and ICS-specific concerns are legacy systems compatibility, real-time requirements, supply chain risks, resilience to attacks, and regulatory and audit compliance.

“OT systems use legacy equipment and protocols that typically do not integrate with modern security solutions,” Purdy said. “OT/ICS systems usually require real-time processing. At a minimum, they must introduce near zero latency to production processes. Production performance cannot tolerate any latency that a security solution might introduce. OT environments rely upon multiple suppliers and maintenance vendors. Zero Trust in an OT environment requires that the security posture of all components within the production process is verified.”

He also detailed that OT systems are critical infrastructure, and attacks can have severe consequences. “A zero trust approach not only protects against attacks but also provides resiliency should an attack occur by isolating the incident and preventing it from spreading across production processes.”

“OT/ICS environments are often subject to specific regulations and standards,” according to Purdy. “Ensuring that the implementation of a Zero Trust model complies with these regulatory requirements is crucial to avoid legal and financial repercussions.”

He added that the implementation of zero trust in OT/ICS environments has evolved over the past couple of years in the form of OT-native tools to protect critical infrastructure. “IT tools have been proven ineffective in an OT setting. As with any security framework, continuous monitoring, regular updates, and adapting to emerging threats are required.”

Kevin Kumpf, chief OT/ICS security strategist at Cyolo

Kevin Kumpf, chief OT/ICS security strategist at Cyolo, said that organizations are developing a deeper understanding of zero trust architecture (ZTA) concepts, but that the core challenge is not understanding them; it is implementing them safely. “While security is the significant driver, the key concerns are about potential disruptions to uptime and more importantly human and operational/environmental safety,” he told Industrial Cyber.

Boosting security while managing operational disruptions from zero trust

The executives assess the delicate balance organizations must strike between enhancing security in OT/ICS environments and managing potential operational disruptions caused by zero trust measures. They explore how organizations adjust their zero trust strategies to safeguard critical infrastructure in OT/ICS environments, considering the growing frequency and complexity of cyber threats.

“Implementing zero-trust network segmentation is a project that IT teams need to run together with OT. It requires a detailed and accurate inventory of all assets and a collaborative workflow between IT and OT to build access control policies that will not disrupt production,” according to Lobo. “To avoid disruption, customers generally take a phased approach, starting with larger zones and shrinking those trust boundaries over time. This is where having industrial networking equipment capable of enforcing those access control policies is key; modifying zones now just requires a software configuration instead of installing new hardware.”

He added that ZTNA is designed to enable highly granular remote access policies. Remote users can only access specific resources at specific times using specific protocols. “But ZTNA needs to properly authenticate users and check their security posture to minimize risks.”

Lobo also pointed out that when implementing a ZTNA solution, it is key to use an OT visibility tool to identify all the different remote access methods already deployed in the environment. “Organizations can now remove these remote access backdoors and work with all stakeholders to have them transition to using the ZTNA remote access method.”
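The zones-and-conduits model Lobo describes above, the phased approach of starting with large zones and shrinking the trust boundaries over time, and the hunt for remote access paths that sit outside the sanctioned method can all be expressed as a policy check over observed traffic. The following is an added example written for this article, not Cisco's or any other vendor's code: a small Python checker that takes a constructed asset inventory with hierarchical zone paths, a constructed conduit allow-list, and constructed flow records, and reports every flow that crosses a zone boundary without a defined conduit. The `depth` parameter chooses how fine the zones are, so the same flows can be evaluated first against coarse areas and then against individual cells. The IP addresses, zone names, ports, conduits and flows are all assumptions made up for the example.

```python
"""Zones-and-conduits policy check over constructed flow records.

Added example, not from the article or any vendor product. All IPs, zone
names, ports, conduits and flows below are constructed for illustration.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed inventory: asset IP -> hierarchical zone path "area/cell".
# Depth 1 treats each area as one zone; depth 2 separates the cells inside it.
INVENTORY = {
    "10.1.1.10": "cell-A/plc",
    "10.1.1.11": "cell-A/plc",
    "10.1.2.20": "cell-A/hmi",
    "10.2.1.30": "cell-B/plc",
    "10.2.2.40": "cell-B/hmi",
    "10.3.0.5": "site/historian",
    "10.9.0.8": "enterprise/jump",
}

# Constructed conduit allow-list: (src zone path, dst zone path, dport).
# Conduits are directional: only the listed initiator may open the connection.
CONDUITS = [
    ("cell-A/hmi", "cell-A/plc", 502),        # Modbus/TCP, HMI -> PLC
    ("cell-B/hmi", "cell-B/plc", 502),
    ("cell-A/plc", "site/historian", 44818),  # EtherNet/IP, PLC -> historian
    ("cell-B/plc", "site/historian", 44818),
    ("enterprise/jump", "cell-A/hmi", 3389),  # the one sanctioned RDP path
]

# Ports commonly used for interactive remote access; used to surface
# remote-access paths that are not on the sanctioned conduit list.
REMOTE_ACCESS_PORTS = {22, 3389, 5900}

# Constructed flows, as an OT visibility tool or flow export might report them.
SAMPLE_FLOWS = [
    Flow("10.1.2.20", "10.1.1.10", 502),    # HMI -> PLC, expected
    Flow("10.1.1.10", "10.1.2.20", 502),    # PLC -> HMI: fine inside cell-A, suspect between cells
    Flow("10.1.1.10", "10.3.0.5", 44818),   # PLC -> historian, expected
    Flow("10.1.2.20", "10.2.1.30", 502),    # cell-A HMI -> cell-B PLC, no conduit
    Flow("10.9.0.8", "10.1.2.20", 3389),    # sanctioned RDP
    Flow("10.9.0.8", "10.2.2.40", 5900),    # VNC into cell-B, not sanctioned
    Flow("10.5.5.5", "10.1.1.10", 502),     # source missing from the inventory
]


def zone_at(path, depth):
    """Truncate a zone path to the requested granularity."""
    return "/".join(path.split("/")[:depth])


def evaluate(flows, inventory, conduits, depth):
    """Return (flow, reason) pairs for flows the zone model does not permit.

    Traffic inside a zone is allowed; traffic between zones is allowed only
    through a matching conduit; endpoints missing from the inventory are
    reported because the model cannot reason about them.
    """
    allowed = {(zone_at(s, depth), zone_at(d, depth), p) for s, d, p in conduits}
    violations = []
    for f in flows:
        src_path, dst_path = inventory.get(f.src), inventory.get(f.dst)
        if src_path is None or dst_path is None:
            violations.append((f, "endpoint not in inventory"))
            continue
        src_zone, dst_zone = zone_at(src_path, depth), zone_at(dst_path, depth)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, f.dport) not in allowed:
            violations.append((f, f"no conduit {src_zone} -> {dst_zone} on port {f.dport}"))
    return violations


def unsanctioned_remote_access(flows, inventory, conduits, depth):
    """Flows on interactive remote-access ports that no conduit permits."""
    return [f for f, _ in evaluate(flows, inventory, conduits, depth)
            if f.dport in REMOTE_ACCESS_PORTS]


if __name__ == "__main__":
    for depth in (1, 2):
        print(f"--- zone depth {depth} ---")
        for f, reason in evaluate(SAMPLE_FLOWS, INVENTORY, CONDUITS, depth):
            print(f"{f.src} -> {f.dst}:{f.dport}: {reason}")
```

Run at depth 1 the checker flags three flows (the cross-cell Modbus connection, the VNC session into cell-B, and the unknown source); at depth 2 the PLC-to-HMI connection inside cell-A is flagged as well, because the finer zones no longer treat HMI and PLC as one trust boundary. That is the effect of shrinking zones in practice: each step surfaces traffic that needs either a documented conduit or a fix, and the output is a worklist for the IT/OT review Lobo describes rather than something to enforce blindly.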

Huang pointed to the need to balance the controls related to threats against the impacts those controls may have on the processes and systems they are meant to protect. “The capabilities of environments and the skills of the defenders will determine how best to defend. There are some core concepts that are universal and these are reflected in frameworks such as the Cyber Maturity Model which was recently updated. Visibility into the assets in the environment will drive the policies that are deployed. What the assets need for protection, and what capabilities the available control points have to protect them, will drive what can be achieved.”

Organizations must navigate the delicate balance between better security controls and the potential for operational disruption by adopting a nuanced approach to zero trust principles, according to Huang. “This is still early and we expect a lot more best practices will emerge. Addressing increasingly sophisticated attacks on critical infrastructure requires a proactive shift towards the Zero Trust principles of continuous monitoring, real-time threat detection, and having rapid response mechanisms in place.”

“Collaboration between IT and OT teams helps address the convergence challenges and helps ensure a unified defense strategy, which is crucial when every second counts,” Huang added. “The evolving nature of cyber threats requires that organizations regularly review, update, and refine their zero trust approach, staying ahead of potential risks to safeguard critical infrastructure from the growing threat landscape.”

Purdy detailed that organizations are trying to achieve a balance with phased implementations that are prioritized based on risk to their operations. “Risk in the form of human safety, automated critical assets and robots, financial impact, and brand reputation are key prioritization criteria. Once the priorities and timelines have been established, the typical focus will be on network segmentation to divide the networks into smaller segments so threats can be contained to minimize the impact of a disruption.”

He added that the rising instances of IT and OT cyber threats that are impacting OT operations require collaboration between IT and OT while recognizing the differences in security requirements. “A two-pronged approach that prioritizes confidentiality for IT and availability for OT helps professionals to effectively design, implement, and manage true IT/OT security. This collaboration ensures that security measures are aligned with operational needs.”

As cyber threats evolve, organizations are investing in advanced technologies such as anomaly detection, artificial intelligence, and machine learning to enhance their Zero Trust strategies, according to Purdy. “Continuous improvement and a proactive approach to security are essential to protect critical infrastructure from the increasing sophistication of cyber threats.”

Kumpf evaluated that emerging concepts such as digital twins are being used to provide balance on newer platforms and systems, allowing organizations to patch, stress test, and diagnose results before performing the process in production. “Unfortunately, when it comes to legacy systems it is not possible in many instances to take critical resources offline to do the same patch, test, and diagnose results for a myriad of reasons. When it comes to security vs. the need to ensure no operational disruptions, security will always be secondary,” he added.

Regulatory implications of zero trust frameworks in 2024

The experts examine the regulatory implications and compliance factors involved in implementing zero-trust frameworks within OT/ICS environments. They analyze how these considerations will unfold in 2024.

Lobo identified that zero-trust frameworks are included in most if not all recent cybersecurity regulations. “In Europe, for instance, the NIS2 directive requires zero-trust measures to be implemented. It specifically requires industrial organizations and critical infrastructure to enforce network access policies and adopt multi-factor authentication. NIS2 will be enforced by the end of 2024, so every organization in scope should be looking at implementing zero-trust network segmentation and zero-trust network access,” he added.

Zero trust frameworks are being dictated in U.S. government deployments today, Huang evaluated. “Regulations for industry incorporate many of the concepts of zero trust but not fully. With time we anticipate that more of those fundamentals such as asset identification, access control policies, and continuous monitoring will only expand. As these are key elements of both the Cyber Maturity Model and critical to zero trust, the advancement will continue so long as the impacts of adversaries continue.”

Purdy said that there is a mix of industry-specific, governmental, and international compliance ‘suggestions,’ regulations, and laws. “For example, the Utility industry has NERC-CIP, the automotive industry has TISAX, the Semiconductor industry leans on E187 and E188, and there are others to consider that have regional and international impacts.”

“These initiatives have a common set of recommendations or requirements that typically span risk management, incident reporting and response, access control and identity management, auditability and logging, documentation and policies, third-party risk management, and finally, training and awareness,” according to Purdy. “It’s important for organizations to stay abreast of changes in regulations and standards, as well as to continuously update their zero trust frameworks to align with evolving compliance requirements in the OT/ICS space.”

The real driver pushing organizations to meet regulatory compliance standards is the commonality between security best practices and compliance practices, Kumpf said. “We are seeing a global embracing of features such as the separation of the control and data planes, the continuous validation of people, process, and technology within the inclusion of threat intelligence information as examples.”

Furthermore, Kumpf expects these best practice visions to continue into 2024 and to drive upward through senior leadership and board rooms, and pick up speed for budgetary funding.

AI’s role in OT/ICS zero trust and tackling workforce training challenges

The executives explore the role of emerging technologies, such as AI and machine learning, in bolstering zero-trust security measures within OT/ICS environments. They assess whether organizations encounter specific workforce training and skill gaps when implementing and sustaining zero trust principles in OT/ICS settings.

Lobo said that zero-trust network segmentation requires a precise understanding of communications required to run industrial processes so policies would not block important traffic and disrupt production. “Industrial networks often include thousands of OT/ICS assets, and it can be difficult to place each one of them into the right trust zone from the get-go. Control engineers have the expertise, but they can benefit from AI/ML to build a zone segmentation proposal they would just need to verify and approve.”

He added that AI/ML provides additional value to ICS settings, but often relies on cloud computing and the transfer of data outside of the physical walls of OT. “This transition requires allowing connections to trusted cloud providers and creates the need for visibility into those outbound connections to ensure ICS are only communicating with trusted clouds and not malicious servers.”

“With major trends of increasing connectivity, increasing risk exposure and increasingly sophisticated attacks, we see AI and ML playing a critical role to improve scale and security effectiveness, in the areas of identifying IT/IoT/OT assets, understanding normal behaviors to inform policies, and detecting and stopping sophisticated attacks,” according to Huang.

He added that over recent years, OT organizations have increasingly embraced AI and ML to drive new insights into operations to improve efficiency and generate new revenues. “We recommend embracing AI and ML in cybersecurity operations to help them to scale, especially in the light of resource and skill gap challenges.”

Purdy said that artificial intelligence (AI) and machine learning (ML) are already playing a significant role in enhancing OT zero trust security. “AI and ML technologies enable solutions to adapt to the evolving threat landscape without stopping operations to make changes to the underlying OT security solution. Effective OT security solutions must be purpose-built for OT environments.”

He added that collaboration between IT and OT teams, along with a commitment to continuous learning, is essential for successfully implementing and maintaining zero-trust principles in OT/ICS settings.

“While AI and ML are being embraced in the security sector within the IT realm at a fast pace currently, I do not see them being implemented and functional on a large scale within the OT space in 2024 for several reasons,” Kumpf said. “AI requires data, patterns, situational context of operational information (among other inputs) before actions can be taken in a safe and secure manner. It also requires the ability for systems to feed that data into tools such as SIEMs, threat intelligence platforms, SOARs, and other left-of-boom technologies.”

In conclusion, Kumpf said that currently these technologies do not exist at scale within many OT environments, and in those that do they are more passive in nature than reactive due to concerns about safety, downtime, and other operational risks.