Updated August 17, 2022. Originally published November 23, 2021.
The convergence of OT and IT has created numerous benefits but also challenges that need to be overcome. As one example, while OT networks need to be air gapped, IT departments are required to enable remote access so vendors and OEMs can reach them to perform maintenance and other checks. This leads to security challenges that CISOs and other team members do not always know how to solve. Read on to see how zero trust access can answer modern security needs for these traditional systems, with five different capabilities.
To learn more about OT networks and their security challenges, check out our previous blog posts:
Zero trust is a security framework that requires continuous authorization and validation of all users before they are granted access to business assets and applications. Zero trust is founded on the premise that the traditional network border is obsolete. Users today access systems from remote locations, like their homes or even on the go. In addition, the modern network is dispersed so that business applications are located in (and accessed from) multiple locations. Therefore, securing the network is ineffective, expensive, and almost impossible.
OT (operational technology) networks are used in plants and factories to manage, control and monitor physical industrial devices and machines. Often, only a small number of highly skilled factory employees can access these networks. However, remote access is also required for OEM/vendor representatives, who must perform monitoring, support and preventative maintenance.
Since OT networks are usually air gapped and cannot be accessed externally, vendors connect to the OT network using a VPN. But VPNs typically do not have sufficient controls to meet regulations, and many CISOs do not feel safe using this method as an OT or SCADA entry point.
In 2021 alone, three water plants in the US were attacked by ransomware gangs. The perpetrators took over the SCADA systems through their remote monitoring capabilities. Fortunately, employees noticed the changes the attackers made in systems before serious damage was inflicted. But more proactive and comprehensive security measures are needed to prevent future attacks.
The zero trust model can deal with these types of modern attacks on traditional networks like OT and SCADA. This state-of-the-art security approach provides legacy systems with advanced tools, instead of their current security measures that were created decades ago.
By implementing zero trust as an extra layer of security on top of the existing VPN, factories and plants can ensure:
With the zero trust approach, CISOs can control and manage who accesses the OT network and for how long. Remote vendor users are only given access to the network after they are authorized, instead of tunneling them into the network like before. CISOs or other admins can also control which parts of the networks these users have access to. In addition, sessions are recorded and logged for auditing and compliance purposes.
Routing traffic through a VPN is a bulky and slow process that introduces high latency and stalls business activities. Cyolo’s zero trust solution, on the other hand, uses the HTTP/2 over TLS protocol to transport user payloads, reducing connectivity times and bloat. This method is especially efficient for RDP server connectivity, since Cyolo doesn’t require the RDP protocol to be open at all times, another factor that can slow down traffic.
Enforcing access policies and monitoring sessions through recordings enables CISOs to more fully understand, control and design their OT network security. This also gives them greater confidence in the security measures taken for OT network safety.
Now let’s take a closer look at the specific capabilities zero trust provides that address common security challenges in OT networks:
In traditional network architectures, users are validated at entry points and provided access to the entire network once they are authenticated. Similarly, in OT networks, the VPN authenticates OEM employees and tunnels them into the network. In certain cases, a firewall might be placed between the VPN and the OT network as an extra security layer that prevents access from certain users. However, once users are in, they can access the entire network.
Zero trust operates the opposite way. Instead of bringing users in, Cyolo’s IDAC (Identity Access Control) component transmits the required data externally to the users. The IDAC provides control for each application on a granular level, which means that users never have complete network access, or even full-blown application access. Instead, only required and authorized information is sent to the users.
According to the principle of least privilege, users are given the minimal level of access required to perform their jobs. This principle ensures that users do not intentionally or accidentally leak data, or make a vulnerability known to bad actors. If a user has been compromised, the principle of least privilege reduces the risk of lateral movement.
In OT networks, the principle of least privilege prevents vendors from accessing any part of the network other than what they need for support, predictive maintenance or other specific tasks. This ensures that any perpetrators who might have been tunneled in through a VPN with the vendor will not be able to progress laterally into sensitive areas of the network. As a result, attackers are prevented from shutting the OT network down, disrupting its activities, leaking data, or wreaking other damage. In the case of critical infrastructures, this capability becomes even more important.
The Cyolo zero trust solution provides monitoring and session recording capabilities, as well as a full audit trail and real-time supervised access. These capabilities help enforce policies and thwart attacks in real-time. In addition, they provide information for investigation in the aftermath of an attack.
Just-in-time (JIT) access is the recommended security model to provide timely and secure access to users and services. In JIT, users can access applications and assets when they need to, and only when they need to. At all other times, access is revoked. This mitigates the risk of a breach by limiting the time attackers have to perform reconnaissance or progress laterally.
In OT networks, JIT ensures vendors access OT applications only during coordinated supervised sessions. Before or after these sessions, OEMs (or attackers who have breached them) cannot see or use any part of the OT network.
MFA (multi-factor authentication) is an authentication method that relies on two or more factors before providing access to applications. The additional layer of protection MFA provides ensures password alone will not be enough for gaining access. Zero trust uses MFA as its source of user identification and authorization.
In OT networks, implementing MFA enables authorizing users in innovative ways that were not possible beforehand in such systems. In the past, weaker authentication was deemed sufficient to provide OEMs with access to sensitive systems. Now, MFA will help better ensure bad actors cannot access the network, even if they have one authentication factor.
As attacks become more sophisticated and capable of creating greater harm, CISOs at plants and factories need to rethink their security strategy. A zero trust framework is the best solution for allowing OEMs and vendors to access the network while simultaneously reducing the risk of breaches and attacks.
Read this case study to learn how Rapac Energy is saving weeks of work and hundreds of thousands of dollars by securing their OT systems with Cyolo.
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.