Zero Trust Architectures in OT environments
Hi there! My name is Ludwig, I am an OT security specialist at Combitech. I have been invited to speak about Zero-Trust Architectures at the SCADA-Säkerhet conference in Stockholm, November 8-9. In the following, I’m going to give you a sneak-peek at what the conference and my talk is about.
Written by Ludwig Seitz, OT Security Specialist @ Combitech
SCADA is an acronym for Supervisory Control and Data Acquisition, a class of systems used to monitor and control industrial processes such as industrial production, the power production, the power grid, water and wastewater processing, large ships, building automation and so forth. In practice, this means that SCADA systems control most of our critical infrastructure.
SCADA is part of a broader category called Industrial Control Systems (ICS), systems that control industrial processes. ICS in turn is part of a class of systems that control or monitor physical processes, called Operational Technology (OT). The following figure illustrates an example of the user interface of a SCADA system controlling a pumping station.
Traditionally OT systems used to be air-gapped (separated physically) from both internal IT systems and from the Internet, and therefore cybersecurity used to have a low priority. Over time this separation has gradually diminished, due to requirements such as remote access, IoT data collection and predictive maintenance. This process is known as the IT-OT convergence and has led to an increasing exposure of OT to the cybersecurity threats of the IT world.
In 2007 the industrial control system of the Iranian uranium enrichment plant in Natanz was attacked by advanced, specialized malware called Stuxnet. The goal of this attack was to reduce the lifetime of the centrifuges and thus harm the uranium enrichment process. Since then, it has become increasingly clear that OT, ICS, and SCADA are valuable targets for cyberattacks, both by foreign powers and by cybercriminals.
SCADA-Säkerhet is an annual conference about security in OT (not exclusively about SCADA systems despite the name), typically visited by people from the critical infrastructure sector (power and water) and OT security experts like me.
This year I have been invited to give a talk about Zero Trust Architectures in OT environments.
Zero Trust Architecture (ZTA) is a security concept that has gained a lot of traction in the IT world and that can be summarized by “never trust, always verify”. ZTA aims to replace perimeter protection, a concept where you place your IT resources in a protected network and implement controls at the entry points to this network. With perimeter protection, every entity that has successfully gained access to the network is implicitly trusted. This makes it easy to manage access to the IT resources but fails catastrophically if the perimeter is breached by an attacker. The following figure illustrates this concept.
In ZTA, the idea is to protect resources even against threats from inside the organizational network, as illustrated below.
This means that the organization deploys an access control service, that checks all access attempts to resources based on the identity of the accessing entity and other parameters, and then permits or denies access based on a previously defined policy.
In an OT environment, deploying the ZTA concept is a lot more challenging than in IT, since it is a very disruptive intervention both for the existing technology and for the established ways of working. The underlying reason is that OT equipment has typically a much longer lifetime, leading to an accumulation of legacy technology, which in turn makes modern security approaches difficult to support.
Furthermore, OT systems typically have very high availability requirements, since service interruptions usually carry a very high cost, making it hard to schedule the implementation of ZTA solutions.
However, deploying ZTA in OT should be part of any sound cybersecurity strategy since IT-OT convergence requires new ways of dealing with the challenges of IT threats in OT. ZTA provides reasonable answers and is a recommended preventative measure. Modern OT equipment is generally able to support the required security functions and some ZTA concepts are already part of the usual cybersecurity recommendations for OT (e.g., network segmentation).
Sadly, ZTA is currently subject to a very intensive hype, meaning that many products and services are sold as “ZTA” and ZTA is marketed as the be-all end-all solution to cybersecurity. My personal opinion is that ZTA is just a concept for your security architecture and processes. It doesn’t address all your security needs, instead it must be embedded in an overall cybersecurity strategy. It isn’t a one-off project and implementing it is at least as complicated as any other cybersecurity activity.