Zero Trust is a security strategy requiring every user and device connected to a network to be authorized, authenticated and continuously validated to access a network and interact with data, services or other assets.
Zero Trust, in critical infrastructure organizations, is seen as essential to ensuring that their integrated mix of operational technology (OT) and IT systems is protected from malicious intruders, and that they are able to mitigate and recover from successful cyberattacks when they occur. Critical infrastructure in recent years has become a key target of threat actors, particularly those with ties to nation-states. Because of critical infrastructure’s importance, attacks have the potential to threaten a nation’s security, economy and even the health of people who depend on those services.
Zero Trust eliminates the implicit trust that was inherent in traditional networks, which assumed that every user or device inside the network perimeter was trustworthy. Instead, its “never trust, always verify” approach treats every user, device, application and service as a suspect, assuming each may have been compromised. It also requires constant validation of all access privileges to protect the organization if a valid credential later becomes compromised.
As ransomware and other attacks have increased in recent years, the focus of many attacks has shifted to industry and critical infrastructure, including attacks involving industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. In 2021 alone, 649 organizations in 14 of 16 critical infrastructure sectors suffered ransomware attacks, according to the FBI’s 2021 Internet Crime Report.
Attacks such as those on the Colonial Pipeline and meat packer JBS (both attacks have been linked to groups in Russia) have had far-reaching impacts. For instance, the attack on the Colonial Pipeline shut down the pipeline’s operations for almost a week and had significant downstream impact. At the beginning of Russia’s invasion of Ukraine, the FBI and the Department of Homeland Security issued a warning to operators of critical infrastructure about the potential of cyberattacks, urging them to adopt a “shields up” defensive posture.
The Cybersecurity and Infrastructure Security Agency (CISA) identified 16 critical infrastructure sectors whose assets, systems and networks are considered so vital to the nation’s operations that attacks on them could threaten national security, economic security, or public health and safety. Those sectors include:
Zero Trust strategies grew out of the realization that traditional security methods, which focused on protecting the network perimeter, were no longer enough. Cloud computing and mobile computing extended beyond any physical or logical network perimeters all the way to systems at the edge. The focus of security has shifted to identities, whether human or non-human, that interact with an organization’s systems and data. Zero Trust applies continual verification of those identities throughout those interactions.
In critical infrastructure settings, the need for a Zero Trust approach is amplified by the convergence of IT systems with operational technology (OT) systems, many of which lack essential protections. ICS environments often run old, unsupported operating systems and software that no longer receives updates and security patches. The integration of IT and OT systems, which allows remote access to OT equipment, can leave the entire enterprise vulnerable. Access control methods often include outdated systems such as VPNs that weren’t built to manage access to critical systems and applications. VPNs also don’t isolate protocols and systems, and can allow lateral movement through a network.
A Zero Trust strategy includes several key elements that are necessary to control all interactions between users and data, and systems and applications.
Network Segmentation. In network segmentation, the network is broken down into distinct sub-networks, typically consisting of virtual LANs (VLANs), allowing teams to apply security controls specific to each subnet. It helps control access and restrict movement within the network.
Protocol Isolation. Unlike IT systems, which have mostly standardized on TCP/IP, OT systems use a wide variety of protocols, some of them specific to the equipment or function involved. Isolating those protocols limits their use to a specific location, such as a virtual machine. Protocol isolation allows protocols to be accessible on the ICS network (trusted network) but unavailable (closed) to external untrusted networks and users, unless they are using a solution (e.g., a secure user access platform) that translates the protocols from the trusted network to the untrusted network without exposing the native protocols. As a result, protocols that attackers could traditionally exploit are now closed by protocol isolation, which dramatically reduces the attack surface of the OT and ICS networks.
Multi-factor Authentication. MFA—which employs a combination of passwords, tokens and biometrics—is extremely effective in preventing identity compromise. It should be required for access to a network, including user sessions involving any data in transit.
Least Privilege. Any level of access should be guided by the principle of least privilege, under which users, devices, applications, APIs or any other network identity are given only the minimum privileges necessary to complete a specific job or task. Least privilege policies also can include role-based access, which limits access to what is needed to perform a specific job, and time-based access, which grants access for a set amount of time in which to perform the job. Location-based access allows users access only from a certain location.
Strong encryption. Any communication between the IT and OT systems, as well as to the internet, should have a high level of encryption.
Logging and Monitoring. Organizations need to log and record all user access session data to critical OT systems, including sessions in which vendors access their critical assets. Monitoring should be done in real time, if possible, and should include monitoring the movement of any files.
Clearly Assess Risk. No security strategy is perfect—the goal is to identify risks and reduce them to acceptable levels. Organizations can use a Zero Trust strategy to identify and verify an acceptable risk level for critical assets.
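To show how the elements above combine into a single per-request decision (rather than a one-time VPN login), here is an added Python example, not code from the article or any product it mentions: every request to an OT asset is re-evaluated against MFA, protocol isolation, location-, time- and role-based least privilege, and every verdict is written to an audit log. The subnets, protocol names, roles and maintenance window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed policy data (assumed for this example, not taken from the article).
ICS_NET = ip_network("10.10.0.0/24")          # trusted ICS network
PLATFORM_NET = ip_network("10.20.0.0/28")     # secure user access platform (protocol translation)
OT_PROTOCOLS = {"modbus", "dnp3"}             # native OT protocols kept closed to untrusted networks
ROLE_RIGHTS = {                               # role-based least privilege: role -> (action, asset)
    "plc_engineer": {("read", "plc-01"), ("write", "plc-01")},
    "vendor": {("read", "plc-01")},
}
ROLE_NETS = {                                 # location-based access: where a role may connect from
    "plc_engineer": [ICS_NET, PLATFORM_NET],
    "vendor": [PLATFORM_NET],                 # vendors never reach the ICS network directly
}
ROLE_WINDOW = {"vendor": (time(8, 0), time(18, 0))}   # time-based access: maintenance window
AUDIT_LOG = []                                # every decision, allowed or denied, is recorded

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    src_ip: str
    protocol: str
    action: str
    asset: str
    at: str          # ISO 8601 timestamp of the request

def evaluate(req: AccessRequest) -> tuple:
    """Re-evaluate one request from scratch; return (allowed, reason) and log it."""
    src = ip_address(req.src_ip)
    when = datetime.fromisoformat(req.at)
    trusted_src = src in ICS_NET or src in PLATFORM_NET
    window = ROLE_WINDOW.get(req.role)
    if not req.mfa_verified:                                   # never trust: MFA on every session
        verdict = (False, "mfa_required")
    elif req.protocol in OT_PROTOCOLS and not trusted_src:     # protocol isolation
        verdict = (False, "protocol_isolated")
    elif not any(src in net for net in ROLE_NETS.get(req.role, [])):
        verdict = (False, "location_denied")
    elif window and not (window[0] <= when.time() < window[1]):
        verdict = (False, "outside_time_window")
    elif (req.action, req.asset) not in ROLE_RIGHTS.get(req.role, set()):
        verdict = (False, "least_privilege_denied")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append({"ts": req.at, "user": req.user, "src": req.src_ip, "protocol": req.protocol,
                      "action": req.action, "asset": req.asset, "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

Because `evaluate` holds no session state, calling it on each request (or on a timer during a long session) gives the continuous validation the strategy calls for, and the audit log records vendor sessions alongside internal ones.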