Adopting a Proper Strategy for Zero Trust Cybersecurity
By Luc A. Papillon, Chief Technology Officer, Mangan Incorporated and Mangan Cybersecurity
We have read and heard many times from multiple sources that Information Technology (IT) and Operational Technology (OT) are not the same. While this has become an accepted statement, it has only been truly recognized in limited circles. The methods applied to IT and OT processes have not always followed what has been spoken aloud or read in books and articles. This may be partly due to limited knowledge of OT environments, or simply a way to get past the question when it is asked.
Unfortunately, unless IT and OT are understood and universally accepted as different processes requiring adapted methodologies, assumptions can lead many to putting in place incomplete or invalid solutions for the systems impacted. This is especially true when trying to repurpose cybersecurity practices that leverage IT philosophies in an OT world. It is further exemplified when attempting to fit the traditional zero trust cybersecurity strategy model into areas where operations, control and manufacturing are at the forefront. Different considerations must be addressed before a zero trust implementation strategy begins and thereafter lest we create situations that cause greater challenges than the protections intended.
How did we get here?
Differences in IT and OT landscapes
After the attack of 2010, business leaders were awakened to a new reality. They had inherited additional cybersecurity concerns, protections and expectations for business continuity and safety. Although the experts of the day rose to the occasion and did the best they could to adapt, the transition was not an easy one. IT cyber professionals were expected to recognize the difference between IT and OT environments, a steep learning curve for many that could compromise their ability to react appropriately when faced with a control-based cyber threat. This gave way to new opportunities and growth for cyber professionals in both the IT and OT sectors.
Although IT and OT cybersecurity personnel both require a basic cybersecurity understanding and must follow the same basic approaches, there are also key consequential differences that must be accepted and understood.
IT-based environments primarily generate and manage information. The consequences of a cyber breach are primarily financial, due to business interruptions, data losses or reputation impacts. Operational environments, on the other hand, also use information for decision making but additionally monitor and control physical devices and operations. The impacts associated with a cyberattack in the OT realm therefore move beyond the strictly financial and include physical risks. The reputation hits experienced can pale in comparison to the potential for injury or death, environmental impacts, or property damage. These differences therefore mandate that priorities and attention to confidentiality, integrity, and availability be realigned.
The inversion of the CIA Triad provides context
It was the cumulative wisdom of cybersecurity experts that identified the three primary elements to achieve the protections expected. Confidentiality, Integrity, and Availability became the foundational components of any well-developed cybersecurity program.
Today, the three elements are combined into what is commonly called the CIA Triad. Typically represented as a triangle, the concept lives by the premise that all three must be considered when developing a secure approach to cyber vulnerabilities, threats, and risks. Each must be prioritized in the manner that maximizes the potential for the protection of assets while mitigating safety concerns. In IT circles, this means that the priorities are confidentiality first, followed by data integrity and finally data availability. This has in the past become the source of intentional system shutdowns, limited availability, or the lack of functional access to the desired data. Following
To address OT risks that go beyond those anticipated in IT systems, the original CIA Triad has been redefined to place availability as the greatest priority, followed by integrity, then confidentiality. It might be said that the CIA Triad has been inverted to maximize control, safety, and operations (see Figure 1 for a comparison of the IT and OT Triad application). This may seem a small change, but this inversion can often prevent unwanted shutdowns, loss of control or far-reaching consequences.
Enhancing threat protection with a new ‘old’ model
The attention placed on protecting both information and controls, as well as on proper prioritization, has become part of our lifeblood. Furthermore, the recognition that IT and OT cybersecurity needs are not the same goes a long way toward accepting that two related but dissimilar approaches must be implemented. This does not, however, mean that everything IT or OT immediately moves from buzzword to reality. The term ‘Zero Trust’ is a perfect example of this phenomenon. It was coined in 2009 by John Kindervag, a think tank employee who theorized that the prior methods of preventing cyberattacks were inadequate. He therefore recommended the “Never trust, always verify” strategy (aka Zero Trust). Unfortunately, and not unlike other great ideas, it remained words on a page for some time.
The term was promoted from buzzword to an actionable approach between 2018 and 2020. Ironically, had this move been adopted when it was first introduced, we may be having a vastly different discussion about the isolation of cyberattacks today. All is not lost, however. Embracing a Zero Trust philosophy today may help to create a more secure world tomorrow.
The Zero-Trust Cybersecurity Model, generically speaking
Understanding the Zero Trust Security Model (ZT) is the first step in proper and effective implementation. Founded on the belief that threats exist not only outside the network but inside network boundaries as well, zero trust aims to limit access at the lowest levels of operations. If this is true, it is imperative to continually question the implied assumption that users and systems are who they claim to be. Computers and systems on the network must be continually authenticated. We must have assurance that the information stored on the systems in question is safe, secure, and protected from compromise and malicious attack.
The Zero Trust Model further assumes that the methods previously applied to verify identities and proper access levels only touch the surface of true cybersecurity protection. It is no longer enough to presume that a single identity is valid across all systems. Adopting the Zero Trust mindset therefore requires that both parties operate with the following considerations in mind:
- Do not trust but always verify
- Consider confidential and restricted information
- Expect monitoring as well as rapid damage control and recovery
Cybersecurity and Zero Trust Expectations are Universal
Both baseline cybersecurity philosophies and the Zero Trust mindset must become cultural (or at least commonly accepted) at the highest levels of an organization if their implementation is to succeed, whether IT or OT based. There cannot be any ambiguity in their adoption, since implementing these approaches mandates that certain rules be applied. Some may even require major modifications to previously accepted cyber protection methodologies.
Certain building blocks become universal truths for any complete cybersecurity protection strategy or zero trust model. While some of the elements can be incremental and implemented over time, a clear path to their philosophies must be adhered to. These include:
- Acceptance and adoption at the highest levels of the organization – As stated earlier, general acceptance and buy-in to the planned cybersecurity approach including zero trust is key to its success.
- All is suspect – It can never be assumed that what was checked previously still applies in new environments or for a different request.
- Understand the criticality of your information in the wrong hands – Not all data is created equal. Any well prioritized zero trust implementation begins with a clear understanding of the risks involved and what an organization is trying to protect.
- Consider business impact and business continuity objectives – Different organizations place focus on different priorities and have varying views on risk. While safety must never be compromised, the approach and tolerance for risk and recovery may be quite distinct and must be considered in the model.
- Implement secure and individual Password, MFA, and Physical security protections – Knowing that threats exist both internally and externally, a carefully planned access control approach reduces risks and vulnerabilities incurred.
- Accept the need to protect Confidentiality, Integrity, and Availability – Whether prioritized for confidentiality in an IT environment or for availability in OT circles, all three elements of the CIA Triad must be considered.
- Understand your protection and recovery priorities – Comprehensive business continuity and disaster recovery plans will assist to recover should the zero trust strategies be compromised or prove insufficient.
- Network segmentation may provide an easy button – Proper segmentation of networks is a straightforward way to isolate and reduce the footprint should an attack occur. This includes segmentation between IT and OT networks as well as between systems and process boundaries.
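As an added illustration of how several of these building blocks combine in practice (this is example code written for this edit, not the author's or Mangan's), the following policy evaluator applies "never trust, always verify" to each request: nothing is cached from a previous decision, every request is re-checked for MFA, authentication freshness, device compliance and role, and traffic is only permitted between explicitly listed zones, with an IT-to-OT path forced through a DMZ and supervisory layer. The zone names, the allowed flows, the role-to-zone mapping and the five-minute freshness window are all constructed assumptions chosen for the example, not values from the article.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed zone model (assumption, not from the article): two IT zones and two OT zones.
ZONES: Set[str] = {"it_corp", "it_dmz", "ot_supervisory", "ot_control"}

# Constructed allow-list of zone-to-zone flows. Anything not listed is denied,
# so it_corp can never reach ot_control directly; it must pass through
# it_dmz and ot_supervisory, each of which re-verifies the request.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("it_corp", "it_dmz"),
    ("it_dmz", "ot_supervisory"),
    ("ot_supervisory", "ot_control"),
}

# Constructed role-to-destination mapping: which zones a role may ever target.
ROLE_ZONES: Dict[str, Set[str]] = {
    "analyst": {"it_corp", "it_dmz"},
    "operator": {"ot_supervisory", "ot_control"},
}

# Constructed policy value: an authentication older than this is treated as stale
# and must be repeated, even if it was accepted a moment ago.
MAX_AUTH_AGE_SECONDS = 300


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt. Every field is re-evaluated on every request."""
    user: str
    role: str
    src_zone: str
    dst_zone: str
    mfa_verified: bool
    auth_age_seconds: int
    device_compliant: bool


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; every check must pass."""
    if req.src_zone not in ZONES or req.dst_zone not in ZONES:
        return False, "unknown zone"
    # Segmentation: only explicitly listed cross-zone flows are allowed.
    if req.src_zone != req.dst_zone and (req.src_zone, req.dst_zone) not in ALLOWED_FLOWS:
        return False, "flow not permitted between zones"
    # Identity: MFA is required on every request, not just at first login.
    if not req.mfa_verified:
        return False, "mfa required"
    # Freshness: a prior successful verification does not carry forward indefinitely.
    if req.auth_age_seconds > MAX_AUTH_AGE_SECONDS:
        return False, "authentication stale, re-verify"
    # Device posture is part of the identity being verified.
    if not req.device_compliant:
        return False, "device not compliant"
    # Least privilege: the role must be permitted to reach the destination zone.
    if req.dst_zone not in ROLE_ZONES.get(req.role, set()):
        return False, "role not permitted for destination zone"
    return True, "allow"


def evaluate_batch(requests) -> Dict[str, Tuple[bool, str]]:
    """Evaluate several requests independently; no decision influences another."""
    return {f"{r.user}:{r.src_zone}->{r.dst_zone}": evaluate(r) for r in requests}


if __name__ == "__main__":
    sample = [  # constructed sample requests
        AccessRequest("op1", "operator", "ot_supervisory", "ot_control", True, 60, True),
        AccessRequest("op1", "operator", "it_corp", "ot_control", True, 60, True),
        AccessRequest("an1", "analyst", "it_corp", "it_dmz", True, 900, True),
        AccessRequest("an1", "analyst", "it_dmz", "ot_supervisory", True, 30, True),
    ]
    for key, (ok, why) in evaluate_batch(sample).items():
        print(f"{key}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The point the evaluator makes is that segmentation and identity checks are not alternatives: the second sample request is denied by the zone allow-list before any identity check runs, while the fourth passes segmentation and MFA but is still denied because the analyst role has no business reaching the supervisory zone.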
Adapting the Zero Trust Strategy for OT Environments
Much as the universal truths are building blocks for both IT and OT environments, additional considerations exist for safely protecting and securing operational systems and controls. Again, some of these may be implemented over an extended period of time; however, doing so could create vulnerabilities that do not meet the primary business or security objectives, because simply omitting any of them could create safety concerns that should never be compromised. Therefore, further prioritization of the elements of the zero trust strategy becomes key to its success when focusing on OT processes and systems. This evaluation can begin with one universal truth: ‘Understand the criticality of your information in the wrong hands.’
OT specific adaptations of the zero trust security model include:
- Understand systems operations – All critical processes and systems must be clearly understood with mitigation strategies before a cyberattack is experienced to ensure safe and effective recovery.
- Remain in control – While some control may be lost, overall protection of the equipment, safety devices, and peripheral controls necessary for safe operation must never be lost.
- Consider latency results in the selected approach – The zero trust model adopted must consider system latencies generated by the protections or actions taken. At no point shall these create unsafe conditions.
- Develop an adaptive strategy – The zero trust and cybersecurity strategy must be adaptable to adverse conditions as cyber attackers change their approach and as technology introduces new vulnerabilities or risks.
- Maximize Availability – The zero trust security model must come as close as possible to guaranteeing uninterrupted availability of critical processes and controls.
- Test and validate prior to implementation – Any new strategy implemented must consider the previous five bullet points and validate their understanding and intended operation prior to full implementation.
Adoption by Evolution or by Revolution
There’s no doubt that we are better prepared today to address cybersecurity threats and vulnerabilities than in prior years. We have systems and devices that are much more advanced. Unfortunately, bad actors all over the world have also evolved and are seeing nefarious opportunities that exist simply because of data availability, interconnectivity, and access. This is precisely why the security protocols adopted in yesteryears with simple passwords, limited access, and ‘trust’ are no longer enough to protect critical systems.
The digital transformation that began some time ago is here to stay; we must adopt methodologies that address these concerns head on. Embracing a zero-trust security model can put us on the right track. While it may not provide the complete solution, zero trust in OT environments can at a minimum add to the difficulties encountered by cyber attackers attempting to reach critical systems and processes. Of course, this can only be accomplished successfully if we understand what we are trying to protect, what must be prioritized, and what our recommended approach might be. Doing so further requires that personnel at all levels of the organization accept this responsibility and walk in step with one another. This can occur over time by evolution or quickly by revolution. Whichever approach is selected, the results and benefits will far outweigh the decision to do nothing.