Breaking down remote access hurdles to unleash power of ZTNA capabilities across industrial entities

In today’s interconnected world, remote access to industrial systems has become a necessity. Conventional remote access methods, like virtual private networks (VPNs), face hurdles such as complex configurations, security vulnerabilities, and limited scalability. Zero Trust Network Access (ZTNA), a game-changer in the world of remote access, addresses these issues by adopting a least-privileged access approach that enhances security. However, implementing ZTNA capabilities in operational technology (OT) environments, especially across DMZ (demilitarized zone)-based solutions, requires careful consideration.

ZTNA takes a different approach by adopting a ‘trust no one, verify everything’ mindset. Instead of allowing users onto the network and relying on firewalls and network segmentation for security, ZTNA grants access on a per-application basis. This means that even authenticated users gain access only to the applications or resources they are explicitly authorized for. In OT environments, factors such as seamless connectivity to OT assets, minimal latency, and the management of diverse devices must also be considered.

Implementing ZTNA helps industrial entities reduce the attack surface, enhance security, and improve compliance with industry regulations. For DMZ-based ZTNA in OT, understanding the unique requirements of industrial systems is crucial. Considerations should include legacy equipment compatibility, robust authentication mechanisms, and compliance with industry-specific regulations. 

To streamline and scale ZTNA in industrial settings, organizations should invest in automation for policy enforcement, leverage cloud-native solutions for flexibility, and prioritize user education on secure access practices. This strategic approach enables industrial entities to navigate the complexities of secure remote access (SRA), balancing heightened security with operational efficiency.

Challenges of Traditional Remote Access Solutions

Industrial Cyber reached out to industry experts in the zero trust sector to identify the key limitations and security risks associated with conventional remote access methods in industrial settings. Additionally, they examined the compliance and regulatory issues that frequently arise when employing traditional remote access methods in critical infrastructure environments.

John Kindervag, chief evangelist at Illumio

John Kindervag, chief evangelist at Illumio, told Industrial Cyber that industrial environments vary, “and there are dependencies in terms of how old the industrial environment is and what you can do to the controls themselves. Many organizations have a mix of older generation PLCs, HMIs, and SCADA systems, where you can’t do any security to specific assets so instead you have to control access to those assets.”  

“As older remote access solutions often don’t have a way to enforce granular, Zero Trust-style policy to specific assets, achieving Zero Trust-level compliance can be a challenge,” Kindervag said. “Especially as the industry moves away from the Purdue model and towards ISA/IEC 62443, we’re going to see a greater need for granular policy when accessing OT controls.”

Jason Greengrass, principal industry architect at Palo Alto Networks

Traditional remote access methods like VPNs cannot easily adapt to changing needs, making them complex and burdensome for security teams, Jason Greengrass, principal industry architect at Palo Alto Networks, told Industrial Cyber. “This can lead to slow and inefficient SRA processes, causing delays that can extend for days rather than minutes to fix issues at industrial plants. In industrial settings, people might find ways to bypass complex security measures, creating unauthorized and unmonitored entry points to critical systems.”

Greengrass added that VPNs also lack precise control, often granting too much access and increasing the risk of unauthorized entry. “There are other security challenges, too, like unmanaged devices, weak encryption, and inadequate monitoring and auditing, which make systems vulnerable to attacks.”

He further highlighted that regulations in the critical infrastructure sector – such as NERC CIP or NIST 800-82 – introduce imperatives for secure monitoring capabilities and mandate reliable audit records for compliance, something traditional remote access methods prove difficult to provide.

Kevin Kumpf, chief OT/ICS security strategist at Cyolo

“One of the primary limitations to remote access within industrial environments revolves around third-party vendors controlling how remote access is done,” Kevin Kumpf, chief OT/ICS security strategist at Cyolo, told Industrial Cyber. “In many situations, vendors write into their contracts the tools and methods that will be used to facilitate access. One of the primary reasons for this is ensuring uptime, as most contracts have significant penalties for downtime of industrial systems. Additionally, the choice of access technologies and how they are configured also comes down to ease of use.” 

Kumpf added that most organizations have minimal OT resources that have the bandwidth to properly control and manage SRA. “This leads to least common denominator designs that allow network access (VPN) not granular application-level access, the use of shared credentials and accounts, and in many cases a jump-host system where the tools that third parties require to manage their assets are shared for all.”

Unlocking power of ZTNA across industrial organizations

The executives move on to explain the fundamental concept of ZTNA and how it differs from traditional remote access. They also provide the advantages and security benefits of implementing ZTNA for industrial organizations in comparison to conventional methods. 

“Traditional remote access solutions don’t have a policy inside the encrypted tunnel. And as Zero Trust is a set of granular allow rules, and we want those rules to be as precise as possible, a true ZTNA solution would have more granular policy controls in place,” Kindervag said. 

He added that the key thing industrial operators need to do however, when it comes to securing OT resources, is make sure that they’re properly segmented away from the rest of the systems, as they typically lie on flat networks that allow anyone with network access to access the OT asset (or all of IT, as industrial IT and OT increasingly converge). “This is where other Zero Trust technologies like Zero Trust Segmentation (ZTS) come into play, and when used in tandem with ZTNA, make it easier for security teams to manage access at the network layer and not just at the remote access layer.”

Greengrass observed that ZTNA offers SRA to authorized resources by regularly verifying users, devices, and application behavior. “It’s a significant improvement over legacy VPNs, which rely on a one-time trust approach and lack detailed controls and ongoing security checks.”

“Implementing ZTNA in industrial settings can significantly reduce the risk of malware and ransomware accessing the network through remote connections, in contrast to traditional VPN setups,” according to Greengrass. “When deployed in the cloud, it becomes highly adaptable and scalable, meeting the changing needs of a global hybrid industrial workforce and enabling remote access for external parties. This simplifies security operations, streamlining processes and allowing quick and dynamic SRA within minutes, reducing downtime for plant maintenance and lowering the chances of unauthorized backdoors being used.”

Pointing out that the concepts of ZTNA are best explained in NIST Special Publication 800-207, which should be read by anyone thinking of implementing ZTNA/ZTA, Kumpf said that “the components and concepts discussed within address the best practices criteria that we are seeing continually referenced within directives and regulations globally.”

“These concepts include micro-segmentation, session encryption, no inherent or implicit trust of resources, and any data, connectivity or workflow between enterprise and non-enterprise infrastructure needs consistent and continual with security policy and posture established,” Kumpf detailed. “When we layer in user validation through MFA, we now are securely validating all levels of third-party access and reducing threat.”

Considerations when using DMZ-based ZTNA for accessing OT assets

The executives further address the manner in which ZTNA covers the specific challenges faced by industrial entities in terms of remote access, especially concerning OT assets. 

Zero Trust as a strategy is essential not just to protect OT assets, but to protect the whole system and company, Kindervag highlighted. “To ensure that even if part of the business is compromised that operations continue impeded. This is the problem that ZTS (or microsegmentation) specifically is designed to solve.” 

“When an attack happens, it ensures that you don’t lose the availability of the technology, since industrial operations are 24/7 and ensuring a consistent output is critical for the revenue stream.”

Greengrass identified that ZTNA helps industrial companies with remote access smartly, ensuring dynamic authentication while verifying user and device posture continuously. “Adhering to the principle of least-privilege access, ZTNA restricts access to essential OT resources, reducing the risk of unauthorized entry and threats emanating from remote connections into OT.” 

He added that because many people use tools like Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) to connect remotely, “ZTNA is perfectly applicable to external connections reaching a ‘jumpbox.’ From the jumpbox, ZTNA provides granular access control, session monitoring, and security inspection. ZTNA significantly contributes to the creation of an audit trail for SRA through continuous monitoring and inspection, facilitating adherence to regulatory compliance.”

ZTNA at its core seeks to resolve the challenges that the use of VPNs, shared accounts, and lack of infrastructure segmentation bring to OT environments, Kumpf observed. “Additionally, it also strives to reduce the complexity of how access is achieved. In most situations, a third party must install a software component on their system to access an OT environment. Most ZTNA solutions today are browser-based, improving the user experience.”
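The two sections above describe what a ZTNA policy decision point does differently from a VPN: default-deny, an explicit allow rule per user and per application, MFA and device posture as conditions, re-verification of open sessions rather than one-time trust, and an audit record for every decision. The following toy policy decision point, added here as an illustration and not code from any vendor quoted in the article, puts those pieces together; the rule fields, the application name "hmi-rdp" (standing for an RDP session published via a jumpbox) and the 0-100 posture score are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class AllowRule:
    """One granular allow rule: who may reach which application, on what device posture."""
    subject: str      # authenticated identity (after MFA)
    app: str          # hypothetical app name, e.g. "hmi-rdp" published via the jumpbox
    min_posture: int  # minimum device posture score (0-100, constructed scale) to hold a session

@dataclass
class Session:
    subject: str
    app: str
    active: bool = True

@dataclass
class PolicyDecisionPoint:
    rules: List[AllowRule]
    audit: List[dict] = field(default_factory=list)

    def _log(self, event: str, subject: str, app: str, reason: str) -> None:
        # every decision is recorded, giving the audit trail regulators ask for
        self.audit.append({"event": event, "subject": subject, "app": app, "reason": reason})

    def _rule_for(self, subject: str, app: str) -> Optional[AllowRule]:
        return next((r for r in self.rules if r.subject == subject and r.app == app), None)

    def request(self, subject: str, app: str, mfa_ok: bool, posture: int) -> Optional[Session]:
        """Per-application access: default deny unless an explicit rule matches."""
        if not mfa_ok:
            self._log("deny", subject, app, "mfa not satisfied")
            return None
        rule = self._rule_for(subject, app)
        if rule is None:
            self._log("deny", subject, app, "no allow rule (no implicit trust)")
            return None
        if posture < rule.min_posture:
            self._log("deny", subject, app, f"posture {posture} < {rule.min_posture}")
            return None
        self._log("allow", subject, app, "rule matched")
        return Session(subject, app)

    def reverify(self, session: Session, posture: int) -> bool:
        """Continuous verification: an open session is re-checked, not trusted once."""
        rule = self._rule_for(session.subject, session.app)
        if session.active and (rule is None or posture < rule.min_posture):
            session.active = False
            self._log("revoked", session.subject, session.app, f"posture dropped to {posture}")
        return session.active
```

A VPN, by contrast, would make the MFA decision once and then expose every reachable subnet; here a vendor with a rule for "hmi-rdp" is denied an unlisted PLC engineering application and loses the session the moment posture drops below the rule's threshold.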

Making ZTNA simple and scalable for industrial entities 

The executives analyze potential obstacles or resistance that organizations might encounter when adopting ZTNA and discuss strategies to address these challenges. 

Kindervag said that the biggest challenge in OT environments is a legacy mindset. “For 30+ years there’s been a paradigm on how you do ‘cybersecurity’ and a lot of people who run OT environments are loath to change. Even though we see the manufacturers of OT equipment talking about the importance of a zero trust environment, there’s still a lot of pushback from folks who are used to a more traditional way of thinking.”

He added that the best way to overcome this is to get more leadership to incentivize engineers to do OT and ICS security in a zero-trust way, which will better serve industrial organizations as convergence persists and the digital threat landscape widens. 

“Integrating ZTNA may seem like introducing another security measure to already burdened security operations teams grappling with complexity and rising costs from various solutions,” Greengrass mentioned. “Nevertheless, ZTNA should be recognized as a starting point in a phased progression toward a zero-trust framework throughout the organization.” 

He indicated that by adopting an enterprise-wide perspective, ZTNA can deliver better security outcomes, adept at meeting the evolving needs of modern industries, especially in facilitating Industry 4.0 initiatives and supporting hybrid work scenarios. “It ensures secure access across hybrid cloud, IT, and OT infrastructure from any location. Rather than an additional burden, ZTNA offers a strategic move towards enhanced security and adaptability.”

“The biggest obstacles we see are OT resource constraints, change concerns in relation to safety and availability, and lastly the belief in ZTNA,” Kumpf revealed. “Many use the term ZTNA but when asked what it is, they do not even know it is aligned to NIST SP 800-207. This lack of knowledge erodes any trust in those seeking to build a process or plan to implement ZTNA as safety and availability cannot be compromised at any level.”
