Adopting a zero-trust approach helps protect complex OT systems and helps manufacturing and critical infrastructure reduce potential risks to cybersecurity.
Ransomware and malware continue to wreak havoc on manufacturing and critical infrastructure. One of the key ways to defend against this threat is to adopt the zero-trust principle. Zero trust is a security framework that requires all users, whether inside or outside of an organization’s network, to be authenticated, authorized, and continuously verified before accessing applications and data.
The zero-trust approach helps protect the industry’s critical infrastructure. Ritesh Agrawal, CEO and co-founder of Airgap Networks, says that while it’s not the only option, it’s an excellent solution for information technology (IT) and operational technology (OT).
Vulnerability Response for Critical Infrastructure
The recent spate of security incidents against water/wastewater utilities, food and beverage manufacturers, and the transport sector has brought to light the fact that critical infrastructure seems to be more vulnerable than ever. One of the main reasons for this is that critical infrastructure is going through a transition phase that has been accelerated by the COVID-19 outbreak.
Says Agrawal, “The line between IT and OT has shrunk quite a bit as a result of the COVID-19 outbreak. People have had to open up their critical infrastructure to allow remote access, which wasn’t possible before. This has completely changed connectivity and increased overall vulnerability. Traditionally, critical infrastructure has lagged behind IT infrastructure in terms of technology adoption, and rightfully so. IT organisations can spend a full weekend upgrading equipment or replacing anything, whereas 24/7 operational OT facilities may not have the luxury of downtime compared to that. These assets are also typically more expensive compared to IT laptops.”
A typical machine used for critical infrastructure can cost millions of dollars, weigh a tonne, and has often been in operation for decades. Companies can’t easily upgrade this equipment. When it comes to OT, many companies rely on the concept of air gaps or physical security. Factors ranging from the COVID-19 pandemic to technological advances to the widespread adoption of the Internet of Things (IoT) have rendered previous security measures somewhat obsolete and led to an increase in the number of vulnerabilities in recent years.
When it comes to protecting critical networks, there are several areas that organizations’ security chiefs should focus on. Agrawal says it all starts with visibility. The industrial sector must know what it has, which boils down to asset inventory and management. Once an organization knows which assets are vulnerable, it can understand its overall risk profile. It is then critical to separate these devices through segmentation. The idea is to control the sphere of influence so that IT vulnerabilities don’t spread to OT and vice versa.
Organizations then need to put in place some access control mechanisms to reduce the internal attack surface. One infected device should not infect another. Once you know which parts are more vulnerable to attack, you can limit access to those devices.
The next step is vulnerability management. Organizations should also focus on ongoing monitoring and detection. Security is not a one-time thing: businesses need to be able to monitor regularly, because no matter what they do, there is still the possibility of an attack.
That’s why every business should create a reliable incident response and management solution and work with a vendor. Attackers are getting smarter and using new tools such as ChatGPT to get into organizations and wreak havoc, so businesses need to take practical steps to help protect assets and train teams.
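The inventory-to-segmentation chain described above, as an added Python example that is not code from the article or from Airgap Networks. The asset names, zones and allow rules are constructed; the block derives a risk profile from the inventory, decides individual flows under default-deny with per-session identity verification, and computes the blast radius a compromised host would have if its existing sessions were reused.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                    # "IT" or "OT" segment
    vulnerable: bool             # flagged by vulnerability management
    authenticated: bool = False  # identity verified for this session

# Constructed sample inventory; the names are not real devices.
INVENTORY = {a.name: a for a in [
    Asset("hr-laptop", "IT", False, True),
    Asset("eng-jumphost", "IT", False, True),
    Asset("vendor-tablet", "IT", False),   # allow rule exists, session unverified
    Asset("hmi-line1", "OT", False, True),
    Asset("plc-boiler", "OT", True),       # unpatched; cannot be taken offline
]}

# Explicit allow rules (src, dst, port). Unlisted flows are denied, even within a zone.
ALLOW = {
    ("hr-laptop", "eng-jumphost", 22),
    ("eng-jumphost", "plc-boiler", 502),   # Modbus from the maintenance host
    ("hmi-line1", "plc-boiler", 502),
    ("vendor-tablet", "hmi-line1", 443),
}

def risk_profile(inventory=INVENTORY):
    """Vulnerable assets per zone: the first output of asset inventory."""
    profile = {}
    for a in inventory.values():
        if a.vulnerable:
            profile.setdefault(a.zone, []).append(a.name)
    return profile

def evaluate(src, dst, port, inventory=INVENTORY, allow=ALLOW):
    """Decide one flow: unknown assets, unlisted flows and unverified sources are denied."""
    if src not in inventory or dst not in inventory:
        return False, "asset not in inventory"
    if (src, dst, port) not in allow:
        return False, "no explicit allow rule"
    if not inventory[src].authenticated:
        return False, "source not authenticated"
    return True, "allowed"

def blast_radius(start, allow=ALLOW):
    """Assets reachable from a compromised host whose sessions get reused."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        for s, d, _ in allow:
            if s == node and d != start and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen
```

Comparing blast_radius("hr-laptop") with blast_radius("plc-boiler") shows why rules should point from maintenance hosts into OT and never back out.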
Zero Trust in Complex OT Environments
Why is zero trust a good way to combat these issues? Agrawal says that when he was working with telcos, the question popped into his head, “Why aren’t we seeing these kinds of vulnerabilities on endpoints like mobile phones?” If something were to happen to a subscriber of AT&T or Verizon, the problem would never jump to another subscriber as it does with IT and OT vulnerabilities.
Says Agrawal, “The initial gut feeling is that the telecom subscriber network may be using a lot of security tools to protect the endpoints. But the reality is probably the opposite. They don’t buy security devices as enterprise IT organizations do. What I’ve found is that the reason all these endpoints are so secure is that each one is isolated in its network. It’s a perfect zero-trust environment.”
Zero trust is a great solution when dealing with complex OT environments such as critical infrastructure, but it is also much more difficult to implement. OT can be a decade behind IT in terms of modernization levels, which makes adding any new technology that much more difficult. Another factor that makes OT systems more complex is that they deal with regulated devices, so even when organizations want to make changes, they are usually not authorized to do so.
Despite this complexity, and precisely because of the exposure described above, zero trust is becoming increasingly important in OT environments. The goal should be to make zero trust more accessible to organizations that are lagging in technology adoption.
Attackers have realized that it is relatively easy to compromise critical infrastructure, and that it is easier to reap the rewards from this older critical infrastructure. Some analysts report that the cost of plant downtime can be as high as $17,000 per minute. An IT organization may have a disaster recovery plan in place, but you’d be hard-pressed to have a disaster recovery plan for a hospital or an airport, and the impact of a critical facility system going down can be immeasurable in terms of damage.
Protecting critical infrastructure starts with awareness and ensuring that organizations are aware of the vulnerabilities that exist in their systems. With the adoption of new technologies such as artificial intelligence, attackers are becoming more dangerous. Complex OT networks need to adopt solutions such as zero trust to help secure the communities and end-users they serve.