Zero Trust is not a clearly defined standard. Each vendor seems to take liberties to match their focus. This makes it a very fluid conversation. What should it do? What problems should it solve?
Zero Trust is a framework that disallows connectivity by assuming there is risk unless proven otherwise
Zero Trust somehow switches the mentality of the network from allowing access by default, to blocking access by default unless required.
A lofty goal, but what does it really imply?
Context is very important for Zero Trust policies. A Zero Trust architecture, prior to allowing a machine or user to connect to the network, should verify whether that connection can be made safely. The connection should be established to be the minimum number of resources that it needs. These checks should be done on a per-session basis instead of once-off at the start.
Security posture and context can play a role in improving Zero Trust security
Incorporating context into Zero Trust policy decisions stands in stark contrast to the usual allow-list approach of Zero Trust implementations. Obviously, identity is important to verify but it still does not really help assess whether the connection can be made safely and should be allowed, especially if the device has been compromised.
Zero Trust helps significantly reduce risk by making more informed decisions about connectivity
Zero Trust is a framework that disallows connectivity by assuming there is risk unless proven otherwise. Rather than simply defining a minimalist access policy, security posture and context can play a role in improving Zero Trust security. This helps significantly reduce risk by making more informed decisions about connectivity.
Now how do you do this in an OT-IoT infrastructure?
Zero Trust for OT-IoT
Here is a basic check list:
- Does micro-segmentation make sense for OT?
- What about user agents?
- Where do you start?
- What if traffic is blocked?
- What impact will that have on the process?
It is totally normal in IT to block traffic, but in OT-IoT, this is risky. Simply blocking it might just impact production more than allowing traffic. Many OT-IoT devices such as controllers, sensors, robots, and so forth are headless. Very often, security was not a consideration when these products were developed.
Simply blocking might impact production more than allowing traffic
To make better-quality decisions about connectivity, you need better information. Understanding what you are trying to protect is where it all starts. It is identical to IT, but the method of getting there differs.
It is about knowing the type of devices, what hardware and software is used and what the expected behaviour of those devices is. It is also about knowing how the entire OT-IoT environment behaves, which machine speaks to another machine? With what protocol? What payload is exchanged? At what frequency?
Many OT-IoT devices such as controllers, sensors, robots, and so forth are headless
If you understand this in real-time, you are well on your way towards an optimal Zero Trust for OT-IoT environments.
Decision making for OT-IoT
Gathering information must lead somewhere – it should be converted into actionable intelligence and, ultimately, actions. Knowing hardware and software versions will lead to knowing what vulnerabilities apply to those monitored devices, whether those devices are still supported by their vendors, and how they should act on the network.
Incorporating context into Zero Trust policy decisions stands in contrast to the usual allow-list approach
Knowing the behaviour of entire OT-IoT networks also implies the ability to detect and alert upon anomalies.
To make better-quality decisions about connectivity, you need better information
If, suddenly, devices that never communicated with one another start doing so or if there were communications before, but it is now displaying entirely different behaviour, it justifies investigation into the legitimacy of it. It is very possible that this is the start of a breach.
Data gathered towards Zero Trust should not just be an observation or a statement on what the likely issue is. It should help determine what impact it has on the entire OT-IoT network.
It is totally normal in IT to block traffic, but in OT-IoT, this is risky
With regards to enforcement of a Zero Trust policy, even in OT-IoT, sometimes it is justified to automate interventions by blocking traffic. The suite of tools that form the cyber defence mechanism should play nice and exchange information to act as fast as possible, so that each function can be fulfilled effectively.
Understanding what you are trying to protect is where it all starts
Pair all of this with digital transformation in OT-IoT and we have the perfect storm on our hands, which a Zero-Trust approach can help to mitigate.
A Zero Trust architecture, prior to allowing a machine or user to connect to the network, should verify whether that connection can be made safely.