Zero Trust, but verify - finding the OT in ZerO Trust
The move to remote and cloud-based technologies has shifted the goalposts for cybersecurity. It now needs to cover multiple people, devices, platforms, and networks.
Each variable comes with a new range of vulnerabilities and unique security needs. Zero Trust has appeared in response to this to ensure IT systems are adapted to each user in the age of mass remote work.
Gartner describes Zero Trust as an architecture that “never trusts, always verifies” connections and first assumes a bad actor. This creates highly resilient and highly flexible environments prepared for modern attacks.
The Zero Trust approach customises access with consideration to what resources are needed where and in what context. Ideally, this access is assessed continuously without any added time burden for genuine users.
Operational technology challenges
For many businesses, Zero Trust is relatively simple to adopt. A business that only communicates internally, and doesn't use any automated processes, will find it easy to implement Zero Trust user access – a regular user with a consistent history will not be blocked by the security protocols.
But operational technology (OT) and information technology (IT) devices are different. User Agents are often headless – the frontend is separated from the backend. These include controllers, sensors, robots, and smart glasses which can't have software installed on them.
This is especially the case if they are streamlined, single-purpose processes that don't even run a full operating system. These devices were often designed without consideration for security, probably because OT and IT threats weren't as well understood or differentiated.
Context matters for Zero Trust policies
To make better-quality decisions about connectivity, organisations need better information. This starts with understanding what they're trying to protect.
Zero Trust architecture verifies prior to allowing access to the network and determines whether this connection will be made safely. Once it has been approved, the connection will only have access to the minimum number of resources that the user or machine needs. And these checks will be done for every session: there's no ongoing access.
The system asks questions of users: where are they based, what machine are they using and could it be compromised, is there a history between these systems? All this informs better quality decision-making in real-time.
The Zero Trust architecture
Zero Trust is not a one-size-fits-all approach: those are easy to crack. Zero Trust requires fundamental infrastructure and policy changes. Network and security architectures must undergo significant changes to implement the necessary policies and enforcements throughout the organisation.
This can be disruptive to operations and applications in the short term. When combined with industrial processes and critical infrastructure automation, the unique requirements of OT and internet of things (IoT) can hinder deployments.
OT system owners need flexibility for a workforce that could now be located anywhere, working with different levels of security and even under a different data protection legislative framework.
OT and IoT devices aren't positioned to easily adopt Zero Trust with microsegmentation. When these networks do adopt Zero Trust, it's usually to secure remote access scenarios and not deployed across the entire internal network.
In OT, the choice is perceived to be between quick and easy access to systems and overly cautious security. In automated systems, automatically blocking users would seem like an unnecessary burden. If an OT provider believes that Zero Trust makes it difficult for workers to access systems, they'd likely choose productivity over security.
This luxury may have been the case pre-COVID and pre-remote work, but threats have changed faster than our work habits have, and security needs to keep up.
But Zero Trust is not intended to be a download-and-forget solution nor a huge burden for genuine users. Organisations need a mindset shift, paired with significant upgrades and infrastructure modifications to make Zero Trust work and embed cybersecurity hygiene into the heart of how their people work.