Embracing zero trust for IoT and OT: a fundamental mind shift
FYI, this story is more than a year old
Article by Forescout Asia Pacific and Japan senior director of systems engineering, Steve Hunter.
The professional workplace long ago evolved from being confined to traditional desk jobs in a central location. Now, remote working is common practice for many employees.
The digital workplace means that employees are often accessing their work’s network via personal devices, using their home internet or public Wi-Fi. Security protocols must evolve with this change as traditional VPN solutions can grant too much access and expose services to the internet to remote workers, increasing the surface for a cyberattack.
Internet of Things (IoT), operational technology (OT), and network-enabled smart devices all introduce areas of potential compromise for networks and enterprises. As a result, security architects are being forced to re-examine the concept of identity, with many turning to a zero trust security model to provide a better architecture in protecting their sensitive resources.
A zero trust security model addresses modern security challenges that come with a mobile workforce and cloud migration, by applying the concept of ‘never trust; always verify’. Zero trust reduces a company’s attack surface by assuming that anything with access to their data is a potential threat, including users, devices, virtual infrastructure and cloud assets.
With the nature of the professional workplace evolving rapidly, with dramatic changes over the past weeks and months, traditional security solutions that are designed exclusively for on-premise services can’t keep up. As companies move towards cloud services to host their resources, they must also look to new security models that cater to this new consumption of data.
Understanding device identity requires more than simply identifying their IP addresses, manufacturers and model numbers. It’s important to gain accurate situational awareness through detailed insight into every device on the network, including its business context and potential for risk.
Creating a zero trust architecture requires in-depth understanding of all IoT and OT systems on the network. This lets businesses make context-based segmentation decisions to reduce business risk without unduly impacting availability.
Forescout has identified four things businesses need to consider to embrace zero trust across their enterprise network:
1. Expand zero trust beyond users to include non-user devices including IoT devices.
2. Use agentless device visibility and continuous network monitoring for IoT and OT devices. Agent-based security methodologies can’t be used for such devices.
3. Understand the identity of every device that touches the network, including business context, traffic flows, and resource dependencies.
4. Use segmentation to address critical zero trust principles and risk-management use cases.
Segmentation is important because it separates enterprise IoT and OT devices into appropriate zones so that an attack on one is less likely to affect the rest of the network. Segmentation can enforce privileged access to critical IT and OT infrastructure and contain vulnerable devices and legacy applications and operating systems that can’t be patched or taken offline. Keeping them in separate zones reduces the potential attack surface. Segmentation also lets organisations control and continuously monitor user and device access to protect critical business applications.
IoT and OT device security is one of the hardest problems to solve within an enterprise. As evidenced in some widespread distributed denial-of-service (DDoS) attacks, botnets such as Mirai can control unmanaged IoT devices with weak credentials, potentially directing millions of them to disrupt critical services. As unmanaged devices become commonplace on networks, security and risk professionals must rethink the concept of identity and expand their zero trust initiatives to include all devices to provide maximum visibility, leading to improved operational control and, ultimately, security.