Xage reports cybersecurity key priority across critical infrastructure organizations, as industrial operations adopt zero trust


Zero trust security firm Xage released a report on Thursday identifying that increased cyber threats and government directives have made cybersecurity a top priority among critical infrastructure organizations. The data comes as half of these critical infrastructure installations are on a fast track to blocking cyber attacks, while the other half of organizations risk falling behind. In addition, concerns with rip-and-replace costs and lack of resources could also add years to zero trust implementations.

The report said that zero trust in operations is doable and inevitable, making it clear that operational environments are moving towards zero trust. However, some are moving faster than others, with nearly half still viewing a full rip and replace of their existing systems as the only way forward. 

Duncan Greatwood, Xage CEO, told Industrial Cyber that several factors have led operators to the conclusion that zero trust is doable and even inevitable.

“First, critical infrastructure vulnerabilities have gotten progressively worse over the past several years,” Greatwood said. “Increased digitization, coupled with automation of operations and the supply chain, has brought these vulnerabilities to light; zero trust is the only strategy that addresses this by enabling operations to move from mere detection of hacks to a proactive prevention strategy,” he added. 

“Second, critical infrastructure organizations have begun to realize that ‘ripping and replacing’ existing technology isn’t necessary for the implementation of modern, proactive security models like zero trust,” according to Greatwood. “A cybersecurity mesh architecture, for instance, can be delivered as an overlay on top of legacy and modern equipment to implement zero trust access management and data security. Lastly, evolving government regulations continue to emphasize the need for zero trust, adding an additional layer of credibility to the model,” he added.

Xage partnered with Wakefield Research to survey 250 senior cybersecurity leaders across critical infrastructure organizations, including energy, aerospace, port operations, transportation, pipeline operations, utilities, retail supply chain, and warehousing. The report also sought to understand where OT cybersecurity leaders stand in their journey towards zero trust.

Xage disclosed that a majority of 58 percent had found paths to zero trust that don’t require an equipment overhaul, which is an otherwise daunting, disruptive, and costly undertaking for any industrial operation. However, this leaves 42 percent at risk of slower implementation timelines and higher costs. Furthermore, 93 percent claim that zero trust adoption is ‘inevitable,’ and 88 percent have already taken steps to adopt a zero trust security posture. 

“Those at risk of falling behind on implementation timelines are those using the ‘rip and replace’ method as their chosen path towards zero trust,” Greatwood said. “This method is inherently slower than leveraging something like a cybersecurity mesh architecture, which provides the same (and often better) protection benefits with significantly less disruption to essential operations,” he added.

For a slight majority of respondents, an age-old misconception is wearing off: the notion that implementing zero trust requires a full equipment overhaul. But this leaves nearly half susceptible to a slower timeline and greater disruption. In addition, 58 percent of the respondents indicated that zero trust implementation would not substantially impact existing OT infrastructure. 

“There’s a common myth among today’s industrial operations that to implement new and improved security technology, they must ‘rip and replace’ existing systems—which would be an expensive, time-consuming undertaking,” according to Greatwood. “However, many zero trust cybersecurity solutions can help avoid this complete overhaul. Technology like the Xage Fabric, for instance, can overlay existing infrastructure—even if that infrastructure comprises a mix of legacy and modern equipment. Innovations like these are what’s pushing the industry more quickly toward a zero-trust security model.”

As ‘100% of OT cybersecurity leaders have plans to adopt zero trust,’ Greatwood assessed how secure these critical infrastructure organizations would emerge in the long run. “Fully adopting and integrating zero trust alongside reactive strategies such as threat monitoring will make any organization significantly more protected against threats. A zero trust strategy ensures defense in depth to protect against emerging threats,” he added.

Greatwood said that even if there is an initial breach, the threat is isolated and unable to infiltrate further into the system; this means that organizations can stay operational even during an attack. “For this reason, the fact that every respondent has plans to adopt zero trust is incredibly promising; even as hackers’ strategies evolve, operational infrastructure can be protected,” he added.

The Xage report said that the move towards zero trust marks a fundamental shift in how operators approach cybersecurity, from reactive to proactive. Further, it evaluates that the benefits of the shift extend beyond security. 

The majority of respondents agree that reactive attack-detection-centric strategies for OT are not enough to prevent breaches. In comparison, 64 percent indicate that they’ve moved to a proactive security approach to block and contain attacks before they spread. The other key benefits include improved user experience (60 percent), more efficient operations (52 percent), and saving money (42 percent).

Xage said that the industry is evolving security strategies from purely reactive to proactive. Until recently, new security solutions focused on visibility and threat detection but couldn’t prevent hacks from happening. A zero-trust architecture creates an environment where hacking attempts are blocked outright or contained and mitigated. 

“Many of the organizations we work with are moving to identity-based consolidated policy management for local access, remote access, and data security to train their personnel to follow consistent procedures for accessing the operational systems no matter where they are and how they access these systems,” Greatwood said. “This has become critical with today’s hybrid workforce reality. They are also moving to implement multi-factor authentication for access to operational systems and training their employees not to depend on static passwords. Even if there is a reliance on static passwords to access operational systems, then the organizations we are working with are moving to rotate passwords periodically without having to depend on the employees to do it,” he added. 

Greatwood said that many of the company’s customers highlight the improvement in access usability, which is often a beneficial side effect of zero trust adoption. “With the zero trust architecture effectively providing managed single-sign-on for the operation, the user is freed from having to use a multitude of access methods and system logins for different equipment. As a result, the adoption of zero trust is simplifying user workflows and ensuring access that is both controlled and low friction too,” he added.
