Cybersecurity Origins to the Zero Trust Security Model

Adopting a Proper Strategy for Zero Trust Cybersecurity Solutions

By Luc A. Papillon, Chief Technology Officer, Mangan Incorporated and Mangan Cybersecurity

We have read and heard many times from multiple sources that Information Technology (IT) and Operational Technology (OT) are not the same. While this has become an accepted statement, it has only been truly recognized in limited circles. The methods applied to address IT and OT processes have not always followed suit with what has been spoken aloud or read in multiple books and articles. This may be partially due to the limited knowledge of OT environments or simply to get past questions when asked.

Unfortunately, unless IT and OT are understood and universally accepted as different processes requiring adapted methodologies, assumptions can lead many to put in place incomplete or invalid solutions for the systems impacted. This is especially true when trying to repurpose cybersecurity practices that leverage IT philosophies in an OT world. It is further exemplified when attempting to fit the traditional zero trust cybersecurity strategy model into areas where operations, control and manufacturing are at the forefront. Different considerations must be addressed before a zero trust cybersecurity implementation strategy begins, and thereafter, lest we create situations that cause greater challenges than the protections intended.

Since 1990, Mangan Incorporated has worked with clients throughout the Oil and Gas, Biopharmaceutical and Chemical industries to meet their operational control and safety needs. What began with just a few people in a job trailer onsite has grown to over 300 personnel in 10 locations nationally.

How did we get here?

The evolution of the Advanced Research Projects Agency Network (ARPANET) in the 1970s introduced computer vulnerabilities that were not previously well understood. The simple words, “I’m the creeper: catch me if you can,” moving through systems before the official rollout of the internet created both angst and opportunities. Eight or nine words in the days of ARPANET may seem inconsequential today, at least on the surface. Nonetheless, there is no such thing as inconsequential when speaking about cybersecurity threats and vulnerabilities. All are important and all risks matter. The superficially mischievous attempt of the 1970s did expose to both developers and opportunists what could be achieved as computer connectivity continued to grow. For the first time, experts in their field had witnessed what would become the birth of cybersecurity. Much has happened since then in two camps: cyber attackers, and those who wish to protect their cyber assets. A game of cat and mouse had been introduced and has not stopped since. Over time, innovations from both groups added complexity, risks and an entirely new business unit requiring attention like never before.

In an attempt to address the perceived greatest vulnerabilities, cybersecurity experts initially placed their attention on data confidentiality, financial exposure, or business interruptions. The banking industry and healthcare systems became a primary focus. Other IT-centered protections were also identified, managed, and implemented, some more successfully than others. This worked well until about 2005 when work began to target systems outside the bounds of what had been the focus until then. By 2010, Stuxnet had breached operational controls in a nuclear facility, something believed secure until then.

The terms Supervisory Control and Data Acquisition (SCADA) and Programmable Logic Controllers (PLCs) joined the ranks requiring cyber protection and attention, but this was uncharted territory for cybersecurity experts. Few knew the intricacies of the systems that Stuxnet had targeted. A country’s critical infrastructure, an operational environment, had been breached. IT cybersecurity professionals added the likes of SCADA, PLCs, and operational controls to their list of systems requiring cyber protection. This worked for a while but did not place enough attention on the fundamental differences and risks that exist between Information Technology and Operational Technology. The OT world would require a different focus.

Mangan recognized early on that the approach to addressing operational controls requires attention that differs from information technology. With experts in SCADA, PLC controls, and DCS environments, the company understands well the unusual circumstances and considerations necessary when protecting the nation’s critical infrastructure. By 2015, with its roots deep into operations since the company’s inception, Mangan Cybersecurity identified its business focus to be the Operational Technology environment as well as Zero Trust for Operational Technology.

Differences in IT and OT landscapes

After the attack of 2010, business leaders were awakened to a new reality. They had inherited additional cybersecurity concerns, protections and expectations for business continuity and safety. Inasmuch as the experts of the day rose to the occasion and did the best they could to adapt, the transition was not an easy one. IT cyber professionals were expected to recognize the difference between IT and OT environments, a steep learning curve for many that could compromise their ability to react appropriately when faced with a control-based cyber threat. This gave way to new opportunities and growth for cyber professionals both in the IT and OT sectors.

Although IT and OT cybersecurity personnel both need a basic understanding of cybersecurity and must follow its established approaches, there are also key consequential differences that must be accepted and understood.

IT-based environments primarily generate and manage information. Consequences of a cyber breach are primarily financial due to business interruptions, data losses or reputation impacts. Operational environments, on the other hand, also utilize information for decision making but additionally monitor and control physical devices and operations. The impacts associated with a cyberattack in the OT realm therefore move beyond the strictly financial and also include physical risks. The reputation hits experienced can pale in comparison to the potential for injury or death, environmental impacts, or property damage. These differences therefore mandate that priorities and attention to confidentiality, integrity, and availability be realigned.

Critical controls and operations are not foreign to Mangan Cybersecurity. Our ability to merge operational and safety controls with security requirements found specifically in OT environments provides insight that could otherwise be overlooked by traditional system integrators or IT centered organizations.

The inversion of the CIA Triad provides context

It was the cumulative wisdom of cybersecurity experts that identified the three primary elements to achieve the protections expected. Confidentiality, Integrity, and Availability became the foundational components of any well-developed cybersecurity program.

Today, the three elements are combined into what is commonly called the CIA Triad. Typically represented in a triangular fashion, the concept lives by the premise that all three must be considered when developing a secure approach to cyber vulnerabilities, threats, and risks. Each must be prioritized in the manner that maximizes the potential for the protection of assets while mitigating safety concerns. In IT circles, this means that priorities are confidentiality first, followed by data integrity and finally, data availability. This has in the past become the source of intentional system shutdowns, limited availability, or the lack of functional access to the desired data. Following

Figure 1: Comparison of the IT and OT Triad Application

To address OT risks that go beyond those anticipated in IT systems, the original CIA triad has been redefined to place availability as the greatest priority, followed by integrity, then confidentiality. It might be said that the CIA Triad has been inverted to maximize control, safety, and operations (see Figure 1 for a comparison of the IT and OT Triad application). This may seem small, but this inversion can often prevent unwanted shutdowns, loss of control or far reaching consequences.

Mission critical systems and controls are not foreign to Mangan. Safety, security, and operational controls are hallmarks of the company’s success. The introduction of the Industrial Control Systems Secure by Design (ICSSbD®) Evaluation Toolkit in 2015 has yielded a process that emphasizes OT cybersecurity protections and availability requirements first.

Figure: Industrial Control System Secure by Design

Enhancing threat protection with a new, ‘old,’ model

The attention placed on protecting both information and controls as well as proper prioritization has become part of our lifeblood. Furthermore, the recognition that IT and OT cybersecurity needs are not the same goes a long way toward acceptance that two related but dissimilar approaches must be implemented. This does not, however, mean that everything IT or OT immediately moves from buzzword to reality. The term ‘Zero Trust’ is a perfect example of this phenomenon. It was coined in 2009 by John Kindervag, a think tank employee who theorized that the prior methods to prevent cyberattacks were inadequate. He therefore recommended the “Never trust, always verify” strategy (aka Zero Trust). Unfortunately, and not unlike other great ideas, it remained as words on a page for some time.

The term was promoted from buzzword to an actionable approach between 2018 and 2020. Ironically, had this move been adopted when it was first introduced, we may be having a vastly different discussion about the isolation of cyberattacks today. All is not lost, however. Embracing a Zero Trust philosophy today may help to create a more secure world tomorrow.

The Zero-Trust Cybersecurity Model, generically speaking

Understanding this Zero Trust Security Model (ZT) is the first step in proper and effective implementation. Founded on the belief that threats exist not only outside of the network but inside network boundaries as well, zero trust aims at limiting access at the lowest levels of operations. Assuming this is true, it is imperative to continually question the implied philosophy that users and systems are who they claim to be. Computers and systems on the network must continually be authenticated. We must have assurance that the information stored on the systems in question is safe, secure, and protected from compromise and malicious attack.

The Zero Trust Model further assumes that the methods previously applied to verify identities and proper access levels only touch the surface of true cybersecurity protection. It is no longer enough to presume a single identity is valid across all systems. Adoption of the Zero Trust mindset therefore requires both parties execute with the following considerations in mind:

  • Do not trust but always verify
  • Consider confidential and restricted information
  • Expect monitoring as well as rapid damage control and recovery

Figure: Zero-Trust Cybersecurity Model

Cybersecurity and Zero Trust Expectations are Universal

Both baseline cybersecurity philosophies and the Zero Trust mindset must become cultural (or at least commonly accepted) at the highest levels of an organization if it is to succeed in its implementation whether IT or OT based. There cannot be any ambiguity in its adoption since implementing its approaches mandates that certain rules be applied. Some may even require major modifications from previously accepted cyber protection methodologies.

Certain building blocks become universal truths for any complete cybersecurity protection strategy or zero trust model. While some of the elements can be incremental and implemented over time, a clear path to their philosophies must be adhered to. These include:  

  • Acceptance and adoption at the highest levels of the organization – As stated earlier, general acceptance and buy-in to the planned cybersecurity approach including zero trust is key to its success.
  • All is suspect – It can never be assumed that what was checked previously still applies in new environments or for a different request.
  • Understand the criticality of your information in the wrong hands – Not all data is created equal. Any well prioritized zero trust implementation begins with a clear understanding of the risks involved and what an organization is trying to protect.
  • Consider business impact and business continuity objectives – Different organizations place focus on different priorities and have varying views on risk. While safety must never be compromised, the approach and tolerance for risk and recovery may be quite distinct and must be considered in the model.
  • Implement secure and individual Password, MFA, and Physical security protections – Knowing that threats exist both internally and externally, a carefully planned access control approach reduces risks and vulnerabilities incurred.
  • Accept the need to protect Confidentiality, Integrity, and Availability – Whether prioritized for confidentiality in an IT environment or for availability in OT circles, all three elements of the CIA Triad must be considered.
  • Understand your protection and recovery priorities – Comprehensive business continuity and disaster recovery plans will assist to recover should the zero trust strategies be compromised or prove insufficient.
  • Network segmentation may provide an easy button – Proper segmentation of networks is a straightforward way to isolate and reduce the footprint should an attack occur. This includes segmentation between IT and OT networks as well as between systems and process boundaries.

While full adoption of Zero-Trust for OT cybersecurity circles has only begun to gain speed over the past few years, Mangan has followed a trust but verify, then reverify philosophy for much longer. This is because we have, from the beginning, accepted the inherent risks associated with safety systems, critical infrastructure control requirements, the demands of the Oil and Gas industry, as well as the strict protocols necessary within the biopharm sector. Mangan Cybersecurity has embraced the lessons learned of the past to ensure that the zero trust recommendations it makes meet or exceed the demands of the systems being monitored and protected.

Adapting the Zero Trust Strategy for OT Environments

Much as universal truths are building blocks for both IT and OT environments, there are additional considerations needed to safely protect and secure operational systems and controls. Again, some of these may be implemented over an extended period of time; however, doing so could create vulnerabilities that do not meet the primary business or security objectives. This is because simply omitting any of them could create safety concerns that should never be compromised. Therefore, additional prioritization of the elements of the zero trust strategy for OT environments becomes key to its success when focusing on OT processes and systems. This evaluation can begin with one universal truth, ‘Understand the criticality of your information in the wrong hands.’

OT specific adaptations of the zero trust security model include:  

  • Understand systems operations – All critical processes and systems must be clearly understood with mitigation strategies before a cyberattack is experienced to ensure safe and effective recovery.
  • Remain in control – While some control may be lost, overall protection of the equipment, safety devices, and peripheral controls necessary for safe operation must never be lost.
  • Consider latency results in the selected approach – The zero trust model adopted must consider system latencies generated by the protections or actions taken. At no point shall these create unsafe conditions.
  • Develop an adaptive strategy – The zero trust and cybersecurity strategy must be adaptable to adverse conditions as cyber attackers change their approach and as technology introduces new vulnerabilities or risks.
  • Maximize Availability – The zero trust security model must come as close as possible to guarantee uninterrupted availability of critical processes and controls.
  • Test and validate prior to implementation – Any new strategy implemented must consider the previous five bullet points and validate their understanding and intended operation prior to full implementation.

Figure: Zero Trust for Operational Technology

Mangan Cybersecurity has placed its entire focus on OT protections and services, including the additional necessities that arise with zero trust. Mangan understands well the demands of zero trust operational technology strategies that diverge from information technology demands. ICSSbD® processes have been developed, enhanced, and implemented with OT cybersecurity needs in mind, ensuring that availability takes precedence over confidentiality when protecting your environments.

Adoption by Evolution or by Revolution

There’s no doubt that we are better prepared today to address cybersecurity threats and vulnerabilities than in prior years. We have systems and devices that are much more advanced. Unfortunately, bad actors all over the world have also evolved and are seeing nefarious opportunities that exist simply because of data availability, interconnectivity, and access. This is precisely why the security protocols adopted in yesteryears with simple passwords, limited access, and ‘trust’ are no longer enough to protect critical systems.

The digital transformation that began some time ago is here to stay; we must adopt methodologies that address these concerns head on. Embracing a zero-trust security model can put us on the right track. While it may not provide the complete solution, zero-trust in OT environments can, at a minimum, add to the difficulties encountered by cyber attackers attempting to reach the critical systems and processes. Of course, this can only be successfully accomplished if we understand what we are trying to protect, what must be prioritized, and what our recommended approach might be. Doing so further requires that personnel at all levels of the organization accept this responsibility and walk in step with one another. This can occur over time by evolution or quickly by revolution. Whichever approach is selected, the results and benefits will far outweigh the decision to do nothing.
