Zero Trust: “Zero” Attack Surface and Maximum Security in OT Infrastructures

Author
Reinhold Zurfluh
Published
16 October 2023
OT security is rapidly gaining in importance as networked industrial facilities offer attackers a lucrative attack surface. Conventional detection methods fall short in the OT environment. Many IT and OT departments lack insight into how their networks are interconnected, with the result that industrial companies are unable to adequately protect their OT environments. Deploying zero trust approaches can remedy this. Let us explain why.

In a recently published survey, the majority of industrial companies questioned said they had problems with their existing OT security solution. The biggest challenges are:

  • Automation of system visibility (30 %) can make it harder to identify potential vulnerabilities.
  • The flood of incident reports that can arise and a resulting alarm fatigue (20 %). Security teams can be overwhelmed by the number of alerts generated by security solutions and may be slow – or even too late – to respond to genuine threats.
  • Nearly one-fifth of respondents confirm that their current solution only enables security breaches to be detected but not the prioritisation of risk alerts by business impact.

Zero trust concept in OT infrastructures

Operators in industries such as manufacturing, energy supply and logistics tell us that industry-leading security solutions are required. Our customers are also keen to stress that the main thing they need – in addition to strong security – is uninterrupted availability. Any outage naturally affects their bottom line. Furthermore, outages of their OT systems endanger the safety of employees, customers and the entire population.

Decision-makers in industrial companies are thus faced with the difficult balancing act of maintaining availability, uptime and occupational safety while implementing and guaranteeing cyber security. Covering new attack surfaces, such as remote operations or OT systems connected to 5G and the cloud, adds to the challenge. Here, our experts recommend the zero trust approach.

Principles of zero trust

  1. Least-privilege access control that uses contextual segmentation and minimal access policies for resources.
  2. Continuous review of the identity, behaviour and risk structures of OT resources.
  3. Continuous security inspections of network traffic and OT processes – even of permitted communication – to prevent zero day threats.

Types of OT and IoT resources

A zero trust OT security approach enables companies to achieve comprehensive visibility. A typical OT environment essentially features three types of OT and IoT resources:

  • OT resources that are mission critical, such as distributed control systems (DCS), industrial control systems (ICS), human-machine interfaces (HMI), programmable logic controllers (PLC), remote terminal units (RTU), supervisory control and data acquisition (SCADA) systems and jump servers.
  • Building management systems include heating, ventilation and air conditioning (HVAC) systems as well as lighting, sprinkler and fire alarm systems.
  • Common IoT devices in businesses include security cameras, printers, VoIP phones and tablets, etc.

Deployment of zero trust in OT using the example of Palo Alto Networks

Palo Alto Networks’ Zero Trust OT Security solution, for example, assesses the risk of OT assets by monitoring their behaviour and their internal and external communications, and alerts on deviations from normal process behaviour. Asset identification and risk assessment are performed passively and without affecting OT processes.

At the same time, this OT security solution secures the OT perimeter by segmenting OT networks from enterprise IT and protects OT assets with fine-grained segmentation based on OT asset risk, protocol context and process criticality. In this way, companies can prevent threats from spreading from their IT network to their OT network.
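The three zero trust principles listed above and the segmentation described in this section can be illustrated with a small policy engine. The following is an added example written for this article; it is not Palo Alto Networks’ or InfoGuard’s code and does not model any product’s internals. The zones, assets, criticality scores, risk threshold and sample flows are constructed; the Modbus function codes 3, 6, 8 and 16 are real values from the Modbus specification. The engine denies by default (least privilege), keeps a per-asset risk score that isolates an asset once it misbehaves enough (continuous review), and still inspects permitted flows against a learned baseline of function codes (inspection of allowed traffic).

```python
"""Toy zero-trust policy engine for OT flows (constructed example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional

# Modbus function codes (real values from the Modbus spec)
FC_READ_HOLDING = 3
FC_WRITE_SINGLE = 6
FC_DIAGNOSTICS = 8
FC_WRITE_MULTIPLE = 16

RISK_ISOLATE_THRESHOLD = 8.0  # constructed threshold for quarantining an asset


@dataclass
class Asset:
    name: str
    zone: str            # constructed zones: "it", "ot-control", "ot-field", "iot"
    criticality: int     # 1 (low) .. 5 (mission critical)
    baseline_fc: set     # function codes observed during passive learning
    risk: float = 0.0
    isolated: bool = False


@dataclass
class Rule:
    """Explicit allow rule; anything not matched is denied."""
    src_zone: str
    dst_zone: str
    protocol: str
    allowed_fc: frozenset  # empty set means the protocol carries no function code


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    fc: Optional[int] = None


class ZeroTrustEngine:
    def __init__(self, assets, rules):
        self.assets = {a.name: a for a in assets}
        self.rules = rules

    def _match_rule(self, src, dst, flow):
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.protocol) == (src.zone, dst.zone, flow.protocol):
                return r
        return None

    def _raise_risk(self, asset, amount):
        # continuous review: risk accumulates from observed behaviour,
        # and a sufficiently risky asset is isolated from the network
        asset.risk += amount
        if asset.risk >= RISK_ISOLATE_THRESHOLD:
            asset.isolated = True

    def evaluate(self, flow):
        src, dst = self.assets.get(flow.src), self.assets.get(flow.dst)
        if src is None or dst is None:
            return "deny", "unknown asset"          # an unseen device gets no trust
        if src.isolated:
            return "deny", "source isolated"
        rule = self._match_rule(src, dst, flow)
        if rule is None:
            self._raise_risk(src, dst.criticality)  # weight by what was targeted
            return "deny", "no policy"
        if flow.fc is not None and flow.fc not in rule.allowed_fc:
            self._raise_risk(src, dst.criticality)
            return "deny", "function code not permitted"
        # permitted traffic is still inspected against the destination's baseline
        if flow.fc is not None and flow.fc not in dst.baseline_fc:
            self._raise_risk(src, dst.criticality * 0.5)
            return "allow", "alert: deviation from baseline"
        return "allow", "ok"


def run_demo():
    """Replay constructed flows; returns (decisions, engine) for inspection."""
    assets = [
        Asset("eng-ws", "it", 2, set()),
        Asset("hmi-1", "ot-control", 4, {FC_READ_HOLDING}),
        Asset("plc-1", "ot-field", 5, {FC_READ_HOLDING, FC_WRITE_SINGLE}),
        Asset("cam-1", "iot", 1, set()),
    ]
    rules = [
        Rule("ot-control", "ot-field", "modbus",
             frozenset({FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE})),
        Rule("it", "ot-control", "https", frozenset()),
    ]
    flows = [
        Flow("hmi-1", "plc-1", "modbus", FC_READ_HOLDING),    # normal
        Flow("hmi-1", "plc-1", "modbus", FC_WRITE_MULTIPLE),  # allowed but new
        Flow("hmi-1", "plc-1", "modbus", FC_DIAGNOSTICS),     # outside policy
        Flow("eng-ws", "hmi-1", "https"),                     # permitted IT->OT path
        Flow("eng-ws", "plc-1", "modbus", FC_WRITE_SINGLE),   # IT straight to field
        Flow("cam-1", "plc-1", "modbus", FC_READ_HOLDING),    # IoT device probing
        Flow("cam-1", "hmi-1", "https"),                      # IoT device probing
        Flow("cam-1", "plc-1", "modbus", FC_READ_HOLDING),    # now isolated
        Flow("hmi-1", "plc-1", "modbus", FC_READ_HOLDING),    # HMI still operating
    ]
    engine = ZeroTrustEngine(assets, rules)
    decisions = [(f.src, f.dst) + engine.evaluate(f) for f in flows]
    for d in decisions:
        print(d)
    return decisions, engine


if __name__ == "__main__":
    run_demo()
```

Two things are worth noting in the output. The write-multiple flow in the second line is permitted by policy but still produces an alert because the PLC had never seen that function code during learning, which is what "inspection of permitted communication" means in practice. The camera is isolated after two denied probes, while the HMI keeps operating despite one policy violation, because the threshold is designed to stop lateral movement without taking a critical control path offline on a single anomaly.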

Zero trust for remote operation

Palo Alto Networks’ Zero Trust OT Security solution enables companies to fully implement the least-privilege principle. This is done by identifying remote applications based on App IDs and their interactions with OT assets in the facility or on site. This helps to further secure remote access with consistent zero trust, least-privilege access to OT environments for third parties and manufacturing employees.

Zero trust for 5G connected assets

Enterprises can enforce granular segmentation policies based on visibility of 5G traffic with Palo Alto Networks’ Zero Trust OT Security. The solution identifies subscriber ID, device ID, applications and 5G services in all facilities and remote locations. This helps companies reduce their attack surface, prevent unauthorised access and stop the lateral movement of threats. The Zero Trust OT Security solution continuously assesses the health of mobile OT resources and accelerates incident response by correlating and isolating infected OT resources.

Zero Trust OT Security for “zero” downtime from Palo Alto Networks

With comprehensive visibility and security for OT assets, 5G networked assets and remote operations, Zero Trust OT Security from Palo Alto Networks supports consistent implementation of the zero trust principle wherever it is needed. Zero Trust OT Security provides industry-leading security and outstanding operational availability:

  • Comprehensive transparency as a starting point
    In a nutshell: you can’t protect what you can’t see. And OT assets are among the most difficult devices to detect. Zero Trust OT Security from Palo Alto Networks builds on its already industry-leading visibility and its Industrial OT Security adds thorough, broad OT device coverage.
  • Extending zero trust to all environments
    Enforcing the zero trust principle is often difficult for companies in their highly diverse environments. OT and IT devices are converging ever more closely in networks. Employees, partners and providers access their organisations remotely. At the same time, new technologies such as the increasing use of 5G networks are increasing the complexity of architectures. With Zero Trust OT Security, industrial companies can effortlessly protect any of these environments thanks to minimal access rights, continuous trustworthiness testing and security.
  • Simple operation
    Many companies have a heterogeneous infrastructure that is highly complex and full of security vulnerabilities, which places a heavy burden on the teams in charge of them as well as budgets. Against the backdrop of an increasingly unstable global economic situation, they need a consistent, user-friendly and affordable solution.

By implementing the three principles described above, Palo Alto Networks has developed a solution that provides exactly what OT managers need: zero trust security and 24/7 operation of the OT environments.

Your zero trust journey begins with our Zero Trust Readiness Assessment

The InfoGuard “Zero Trust Readiness Assessment” is exactly the right starting point for identifying risks and weaknesses in the current zero trust strategy or its implementation! Among other things, we will show you which good practices have not yet been sufficiently defined or implemented in your zero trust strategy. Discrepancies are assessed in terms of their risk-criticality. Prioritised recommendations for action are developed on this basis and presented in the form of a solution path. Interested? Then we look forward to receiving your enquiry:

Zero Trust Readiness Assessment
