WEF assesses that implementation of zero trust concept in OT environments faces significant barriers

The World Economic Forum (WEF) identified that the zero trust concept in its current form had been chiefly applied within the IT area. However, as the IT and OT (operational technology) systems converge across industries, keeping both secure is a challenge in the age of digitalization. Thus, it added that the concept of zero trust must go beyond the sole focus on the IT environment to ensure that the entire organization is protected from cyber risks and threats. 

“Even though certain zero trust practices (e.g., network segmentation and multi-factor authentication) can be adopted from the IT environment and translated into the OT context, it is important to understand that OT systems were not designed with cybersecurity in mind,” the WEF observed in a whitepaper released this week. 

Consequently, the full implementation of the zero trust concept in OT environments faces significant barriers, such as the perception that production lines must keep running, with security being a roadblock, and the need to evolve the cyber capabilities of the OT workforce.

The WEF document also assesses that the lack of technological readiness of the OT environment involves various factors, including a significant number of legacy systems in the operational space that do not support modern authentication such as multi-factor authentication. It also said that protocol support within the major industrial protocols is missing, and computational resource constraints exist in the internet of things (IoT) and IIoT devices. Furthermore, the whitepaper identifies management between physically and logically isolated networks as a challenge. Lastly, the WEF cited the lack of precedent, with implementation examples being largely unknown.

The agency cited the approach that Schneider Electric is pursuing, which focuses on aligning ongoing and future OT security efforts towards a set of core principles rooted in zero trust best practices. 

The current and future efforts include improving authentication in the factory environment through identity-based authentication across industrial personal computers (PCs) and human-machine interface software (HMIS); role-based access control for critical systems; and replacement of obsolete, legacy or insecure-by-design equipment where possible. It also listed increased security oversight of third-party suppliers and manufacturing partners and the certification of control systems against IEC 62443 standards that secure the development and maintenance of industrial automation and control systems.

Furthermore, the WEF whitepaper included instating systematic backup, restoration, and management of all OT devices such as PCs, programmable logic controllers (PLCs), and printers. It also called for the education of OT actors on this upcoming change. Finally, it added that, since the organization is launching the initiative, the efforts would translate into impact over time.

The WEF said that the significant traction gained by the zero trust concept across the cybersecurity domain could be attributed to the shift to hybrid working practices that call for a more secure work environment, whether on- or off-premises. The approach contrasts with the perimeter-based security model, which considers anything inside the corporate network to be secure and trustworthy; zero trust instead assumes that no user or device can be inherently trusted. However, given that threats can be both external and internal, zero trust is not a silver-bullet solution to all the cybersecurity challenges within organizations.

“Although not a new concept, zero trust has become more prominent in the last couple of years for a number of reasons,” the WEF said. “First, it is a central feature of the US Presidential Executive Order 14028 focused on improving the nation’s cybersecurity posture. The executive order calls on government agencies to implement zero trust as part of the steps taken to modernize approaches to cybersecurity.” 

The executive order by the U.S. administration came last year after several cybersecurity attacks on U.S. critical infrastructure, including one at fuel pipeline company Colonial Pipeline. It set the ball rolling to bring about decisive steps to modernize U.S. critical infrastructure and its approach to cybersecurity by increasing visibility into threats while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks. 

The increase in attention on the zero trust concept is also, in part, a result of the massive shift to remote work, and the growing popularity of the ‘bring your own device’ (BYOD) practices that emphasize the need for organizations to secure their workforce and digital workplaces, WEF said.

While each organization should analyze which contextual principles it should consider according to the feasibility of their implementation, the zero trust action group identified five guiding principles of zero trust, the WEF said. These include assuming that cyber threats can come from inside and outside the corporate network perimeter and mapping the ‘protect surface’ of the network, including the ‘crown jewels,’ such as critical applications, data, devices, and users, apart from maintaining automated and continuous visibility into these resources.

The agency also included continuously and dynamically verifying and validating access for all users/devices to all resources, limiting user access rights to only the necessary resources depending on the role of users/devices, and ensuring security controls do not negatively impact end-user experience and productivity.

The WEF called upon organizations to regard the zero trust concept as a journey that needs to be approached systematically and constantly revisited instead of thinking of it as a destination. To navigate the journey and deploy a zero-trust model successfully, the agency suggested a set of steps to be adopted sequentially: ensuring buy-in across the organization with tangible impact, understanding and mapping the ‘crown jewels,’ introducing adequate control mechanisms, implementing the zero-trust model, and maintaining, monitoring, and improving the model.

The WEF whitepaper said that as innovation continues to transform the industrial environment from the perspective of the IT and OT environment, emerging technologies could be employed to enable novel cyber capacities and improve existing ones. 

“Technologies such as biometrics and artificial intelligence (AI) can play a key role in supporting some of the foundational principles of zero trust,” WEF said. “For instance, facial, fingerprint, and voice recognition could be used to identify users, verify access and detect intrusions. AI could, among other things, automate the detection of threats and abnormal behavior in real-time. In the long run, this would enable organizations to take preventive rather than reactive measures,” it added. 

WEF said that to avoid the hype surrounding emerging technologies, organizations should be aware of the technologies they already have at their disposal and identify how these differ from the new ones that are supposed to accelerate the shift to zero trust. It is also worth highlighting that a single new technology will not be responsible for implementing a single zero-trust principle. Instead, it will need to work in sync with other technologies to ensure that all regulations of the security model are observed. 

The deployment of the zero trust concept must keep pace with new technologies and the digital transformation of the cybersecurity industry, WEF said. For instance, the shift to cloud technology means that organizations store their valuable assets and data outside their perimeter, making it difficult to apply a single security control system across the entire network. 

WEF said that the widespread use of IoT devices is also a challenge from the point of view of zero trust – not only does a diverse range of devices performing various functions make cybersecurity standardization difficult, but devices also often lack in-built security controls. Moreover, smart devices are not always recorded in the IT inventory, making it difficult to ensure their visibility in the network.

“As such, zero trust is a powerful model that can help enhance the cybersecurity posture of an organization. Nevertheless, to realize its full potential, it must be viewed in the context of the security practices that already exist,” the WEF said. A good understanding of the best practices in the industry, a clear deployment plan based on a clearly defined set of principles applicable to the current state of the organization, and a future-looking vision where technology has a key role to play are essential for a successful implementation of zero trust, it concluded.
