OT/ICS Security – Going From A(ir Gap) to Z(ero Trust)

Author: Jennifer Walker

Created: Thursday, February 25, 2021 - 18:34

Categories: Cybersecurity, Security Preparedness

Zero trust has become a bit of a buzzword lately, especially since the disclosure of the SolarWinds incident. It is also possible that zero trust is thought of as applicable only to IT systems, which may have industrial systems operators dismissing it. But as the air gap continues to erode in favor of greater (remote) access to control systems, zero trust becomes essential. Likewise, in its “Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses” included in the Security & Resilience Update for August 18, 2020, NIST expects zero trust to be implemented within industrial networks and workflows – “a zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”

Zero trust is not a defined product, but refers to an evolving set of security controls that narrow defenses from wide network perimeters to individual resources or smaller groups of resources. ZTA is an additional security process that focuses on protecting resources rather than network segments. According to Palo Alto, zero trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control. At a high level, zero trust could be compared to “whitelisting.” By default, whitelisting denies access to everything and explicitly enables access to resources (and ONLY those resources) after verification and determination of trust. An additional measure would be to then allow only users with legitimate needs to access those resources, as with the principle of least privilege. That sounds like a great strategy for our critical infrastructure industrial control networks! Read more at Automation.
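
The default-deny, per-resource decision described above, set beside a perimeter decision based only on network segment, as an added example that is not part of the original article. The segment range, user names, resource names and actions are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment: all names and addresses are illustrative.
OT_SEGMENT = ip_network("10.20.0.0/24")

@dataclass(frozen=True)
class Request:
    user: str
    verified: bool   # identity and device verification succeeded for this session
    source_ip: str
    resource: str
    action: str

def perimeter_allows(req: Request) -> bool:
    # Perimeter model: anything originating inside the OT segment is trusted.
    return ip_address(req.source_ip) in OT_SEGMENT

# Zero trust model: explicit allowlist of (user, resource) -> permitted actions.
# Anything not listed is denied, wherever the request comes from.
ALLOWLIST = {
    ("operator_a", "hmi-plant1"): {"read", "acknowledge_alarm"},
    ("engineer_b", "plc-pump3"): {"read", "write_setpoint"},
    ("vendor_c", "historian"): {"read"},
}

def zero_trust_allows(req: Request) -> bool:
    if not req.verified:            # no trust without verification
        return False
    permitted = ALLOWLIST.get((req.user, req.resource), set())  # default deny
    return req.action in permitted  # least privilege: only the listed actions

def evaluate(requests):
    # One row per request: (user, resource, action, perimeter, zero_trust)
    return [(r.user, r.resource, r.action, perimeter_allows(r), zero_trust_allows(r))
            for r in requests]

SAMPLE_REQUESTS = [
    Request("engineer_b", True, "10.20.0.15", "plc-pump3", "write_setpoint"),  # legitimate need
    Request("vendor_c", True, "10.20.0.40", "plc-pump3", "write_setpoint"),    # lateral movement inside segment
    Request("operator_a", False, "10.20.0.22", "hmi-plant1", "read"),          # unverified session
    Request("operator_a", True, "192.0.2.10", "hmi-plant1", "read"),           # verified remote access
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(row)
```

The second and third requests pass the perimeter check because they originate inside the segment, while the per-resource check denies them; the fourth shows verified remote access being granted without relying on network location.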
