The zero-trust security model has entered the traditional enterprise in recent years in a big way. The market analysis firm MarketsandMarkets projects the zero-trust security market to grow from $28 billion in 2022 to $61 billion in 2027. That 17% annual growth rate is fueled by the need to make enterprise business-technology systems more resilient from increasingly sophisticated attacks.
Essentially, zero trust is a security model that assumes anything attempting to access a network or system can't be trusted. Therefore, access should be continuously validated, and all access must be minimal. System activity also needs to be closely monitored.
But zero trust isn't just about securing traditional IT systems. As IT and operational technology (OT) systems and their management increasingly converge, zero-trust security is also making its way within OT environments. Unfortunately, zero trust has gained a reputation for being difficult to implement within OT and extended internet of things (XIoT) environments.
That's not entirely accurate, and by adopting the right strategy, OT environments can benefit from the same level of zero trust security as traditional IT environments.
The idea behind zero trust is simple. John Kindervag, senior vice president of cybersecurity strategy at security services provider ON2IT, said during a panel discussion, below, at S4x22 called “The Evolution and Future of Zero Trust in OT:” "Zero trust is a strategy designed to stop data breaches and make other cybersecurity attacks unsuccessful."
Why is zero trust critical to OT security? Jonathan Townsend, vice president of engineering at Set Solutions, explained that system availability in OT systems directly affects the physical world and potentially people’s safety. Successful cyberattacks against these systems can have devastating consequences, including physical damage and financial loss, and even loss of life. These systems are also increasingly at risk.
Historically, OT systems were isolated from business networks and the Internet, which (hopefully) made them less vulnerable to cyberattacks. However, we've seen these systems grow increasingly connected with the convenience of remote monitoring and management and the convergence of OT systems with traditional IT systems. They're also often functional computing systems in their own right.
According to the SANS State of OT/ICS Cybersecurity in 2022 and Beyond report, nearly 40% of surveyed reported being most concerned with ransomware, extortion, and other financially motivated crimes. Roughly 39% said they are most concerned about nation-state attacks, and 32% cited non-state-backed attacks from criminals, terrorism, or hacktivism.
More organizations are turning to a zero-trust architecture to ensure OT systems are better secured from such threats. This fundamentally involves implementing key technical capabilities, including strong access controls, network segmentation, and network and system monitoring so that security teams can rapidly spot and respond to potential threats.
Still, implementing zero trust within OT environments does have its share of challenges:
Legacy systems: Many OT devices were deployed decades ago and were not designed with modern APIs, remote access, or authentication methods in mind. It may be challenging to apply zero trust principles to these systems.
Complexity: Because OT environments are often complex, with numerous devices, it can be challenging to implement and maintain effective and consistent security controls.
Performance: OT systems are often mission-critical and require high levels of availability and reliability. Implementing security controls, such as network segmentation and encryption, can impact system performance and cause delays or disruptions.
User resistance: Users in OT environments may resist new security measures, particularly if they perceive them as slowing down their work or making it more difficult.
The successful implementation of zero trust in OT environments requires proper planning and expertise, but it can be done.
According to Kindervag, the first step is to understand the business drivers and what the business is trying to achieve. Decide on what assets are crucial in supporting business drivers and their dependent systems. Kindervag suggests organizations define what he called a protect surface, which includes business-critical data and systems.
"Second, design the system from the inside out," said Kindervag. "Start with the data or assets you're trying to protect. Third, determine who or what should have access to any particular resource. You need to know their least privilege but enforce it. We've talked about least privilege forever but never enforced it."
And then finally, you inspect all traffic, he advised. The idea is to monitor the traffic and make improvements as weaknesses are learned about the environment. "Make the system stronger and stronger over time," he said.
Implementing zero trust in OT environments requires security teams to focus on those essential elements. It seems simple enough, but organizations need time to get there. Expect many more organizations to prioritize zero trust, especially since the White House released a memo early last year to move federal agencies to zero trust architectures. That was soon followed by the Department of Defense publishing its Zero Trust Strategy.
CISA's Zero Trust Maturity Model: /resources-tools/resources/zero-trust-maturity-model
The National Security Agency's Embracing a Zero Trust Security Model
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.