Is the Zero Trust model viable for OT/IoT networks? Is it a journey or a destination?

On January 26, 2022, the Acting Director of the Biden Administration’s Office of Management and Budget (OMB) released a memorandum on the United States Government’s progress toward Zero Trust cybersecurity principles. The memorandum sets out requirements for a Federal Zero Trust Architecture (ZTA) as a next-generation security framework to strengthen US cyber defenses against increasingly sophisticated and persistent threats.

These guidelines further confirm that the ZTA should be considered an important part of any network and cybersecurity strategy and will force critical infrastructure organizations to reconsider key elements of their IT infrastructure and security processes going forward.

Although ZTA is generally regarded as a significant advance over traditional security approaches and architectures, many questions remain unanswered, such as the differing definitions and requirements of ZTA among industries, experts and vendors. Currently, the Zero Trust model appears to be a mindset or approach rather than an explicit set of security features or capabilities.

The Zero Trust model represents a significant shift in network and security architectures: the necessary policies must be implemented and enforced across the organization. In general, a Zero Trust mindset assumes that all network devices and users are potentially compromised or pose a potential threat, so only explicitly authorized users, devices, communications and traffic should be permitted. While this will serve to slow or block the spread of malware, unauthorized access and a wide variety of cyber threats, implementing this design requires fundamental infrastructure and policy changes that could be costly and, most likely, disrupt the operations and security of existing applications.

And while the Zero Trust model makes its way into IT organizations for a wide variety of use cases and security environments, the unique requirements of OT and IoT, combined with those of critical infrastructure and industrial processes, can get in the way of general-purpose Zero Trust solutions. Many OT and IoT devices are not easy to place in a ZTA with micro-segmentation (a common Zero Trust goal). When the Zero Trust model is adopted in today’s OT networks, it is often limited to secure remote access scenarios, replacing increasingly suspect VPN access solutions, but is not applied to the whole internal network between all devices.

In fact, adoption of Zero Trust principles is very uneven. This is confirmed by data from the IDG Research study, which reveals that only 5% of companies have implemented a Zero Trust strategy across the organization, while 24% are in the process of implementing it, 19% have deployed it in some environments, 38% are in the evaluation phase and 14% do not consider it necessary.

Looking at deployment priorities, the same report indicates that companies are committed to implementing Zero Trust measures for the network (71%), for users (67%) and for data, applications and confidentiality (62%).

In general, organizations should assume that the Zero Trust model is not a turnkey solution. It will likely require significant upgrades or policy and application changes across the entire infrastructure. The many definitions and usage scenarios should encourage organizations to prioritize how and why a ZTA should be deployed based on their current application and access requirements, rather than looking to specific guidelines or mandates such as the USG memo mentioned above. Incidentally, that memo calls for implementing encryption for HTTP and DNS traffic by 2024, but not for other services such as email. Such specifics may not be relevant to other industries and organizations with different application security needs.

IDG also highlights the challenges companies face in applying this model. The biggest obstacle is the limitations imposed by legacy infrastructure (57%), followed by the conflict between security and performance (38%) and user resistance (35%). The report also notes that the most relevant factors for organizations implementing Zero Trust are those related to governance and access and usage policy (65%), operating scenarios (56%) and employee experience (54%).

At Nozomi Networks, we don’t believe there is a one-size-fits-all solution for Zero Trust, but we believe it will become a cornerstone of many organizations’ security goals in the years to come.

We believe enterprises should opt for solutions that are neither intrusive nor disruptive to existing networks, a key requirement for mission-critical OT systems and processes. The same approach should be extended to Zero Trust services: monitor network traffic and compare observed behavior against explicitly authorized policies. Instead of unintentionally blocking legitimate traffic, identified ZTA policy violations can be flagged for further investigation, or handed to integrated partners who can quarantine or block suspicious endpoints and users as needed. Zero Trust monitoring, which compares traffic patterns to established policies, will be a key initial step for most ZTA implementations: it identifies all required network flows and application traffic, so that when Zero Trust policies are eventually enforced, critical services are not interrupted.
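As an added illustration of the monitor-first approach described above (example code written for this page, not Nozomi Networks’ own), the following Python snippet compares a constructed sample of observed OT flows against an explicit allow-list of authorized flows, reporting violations as alerts in monitor mode and marking them for blocking only once enforcement is switched on. The addresses, ports and the baseline-learning helper are assumptions made for the example.

```python
from collections import namedtuple

# A network flow reduced to the fields a policy normally keys on.
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed sample of flows seen by passive monitoring (hypothetical addresses).
OBSERVED = [
    Flow("10.1.1.10", "10.1.2.20", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    Flow("10.1.1.10", "10.1.2.21", "tcp", 502),    # HMI -> second PLC
    Flow("10.1.1.50", "10.1.2.20", "tcp", 44818),  # engineering workstation -> PLC
    Flow("10.1.9.99", "10.1.2.20", "tcp", 502),    # unknown host speaking Modbus to PLC
    Flow("10.1.1.10", "203.0.113.5", "udp", 53),   # HMI resolving names outside the plant
]

# Explicitly authorized flows: the Zero Trust policy permits these and nothing else.
POLICY = {
    Flow("10.1.1.10", "10.1.2.20", "tcp", 502),
    Flow("10.1.1.10", "10.1.2.21", "tcp", 502),
    Flow("10.1.1.50", "10.1.2.20", "tcp", 44818),
}


def learn_baseline(flows):
    """Learning phase: every distinct flow seen during normal operation.
    Operators review this set and turn it into the candidate policy, so the
    flows required by control traffic are known before anything is enforced."""
    return set(flows)


def evaluate(flows, policy, enforce=False):
    """Compare observed flows with the policy.
    Monitor mode (enforce=False) only reports violations as alerts; enforce mode
    also marks them for blocking. Returns (allowed, alerts, blocked)."""
    allowed, alerts, blocked = [], [], []
    for flow in flows:
        if flow in policy:
            allowed.append(flow)
            continue
        alerts.append(flow)        # flagged for investigation in either mode
        if enforce:
            blocked.append(flow)   # handed to a partner that can quarantine/block
    return allowed, alerts, blocked


if __name__ == "__main__":
    allowed, alerts, blocked = evaluate(OBSERVED, POLICY)
    for flow in alerts:
        print("ZTA policy violation (monitor mode):", flow)
    print(f"{len(allowed)} allowed, {len(alerts)} alerts, {len(blocked)} blocked")
```

Running the learned baseline back through evaluate() produces no alerts, which is the signal that the policy covers every flow the monitoring phase saw and enforcement can be considered.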

Gartner describes Zero Trust as an architecture that never trusts, always verifies connections, and assumes a malicious actor is active at all times, leading to an environment that is highly resilient and flexible against modern attacks. Likewise, Nozomi Networks’ focus on asset identification, device vulnerability assessment, and continuous anomaly and threat monitoring, together with insight into operational activity, serves as a platform for automated, intelligent verification of every device in your organization, 24/7.

ZTA doesn’t have to be disruptive, and there’s no easy-to-implement solution to make all environments Zero Trust overnight. In your organization, your approach to the Zero Trust model may be very different from any industry guideline or vendor solution. You need a platform that provides the basic services for a Zero Trust mindset and that can be scaled to define and implement your required policies in the future.

Find a trusted partner who can help you down a path that makes sense for your existing OT and IoT deployments, without a rip-and-replace approach, without installing agents on every endpoint, and without suddenly encrypting and blocking most of your network traffic overnight. Zero Trust is clearly a journey and not a specific destination.
