The importance of protecting industrial control systems (ICS) is not a new recognition, but the emphasis on it has hit a recent surge. Alongside a string of actual attacks and emerging threats, urgency is building. So, how do we address it? It takes adopting tactics and a mindset.
The State of Cybersecurity
For its report titled “The State of Industrial Security in 2022,” Barracuda Networks Inc. gathered insight from 800 “senior IT managers, senior IT security managers, and project managers responsible for industrial internet of things (IIoT)/operational technology (OT).” It came up with three major conclusions. For one, attacks are prominent. On top of that, geopolitical concerns are on the rise. The third finding was that breaches can cause lengthy recoveries. In fact, it can take a median of 29 days for manufacturing facilities to rebound, according to data from Tenable.
That is why it is so crucial that proactive cybersecurity strategies be implemented, especially considering the detrimental impact that could potentially unfold if a critical infrastructure operation is compromised. Although the Barracuda report stated that, of those surveyed, critical infrastructure organizations lead in this effort, the manufacturing and healthcare sectors are actually falling behind.
The Rise of Zero Trust
One of the ways other fields are catching up is through the adoption of zero-trust practices. Zero-trust has proven to be a viable security solution particularly for the public sector. As Craig McCullough points out at FedTech Magazine, it was even included in an executive order released by the Biden administration that requires federal agencies to activate a zero-trust framework within a certain amount of time.
Essentially, the concept behind zero-trust is “that no device, application or individual user should be assumed to be trustworthy, and that every user and system trying to access any resource within a secure network environment should be tested and validated,” McCullough writes.
However, that can be difficult to achieve. That’s where adopting the zero-trust mindset comes in.
Zero Trust and the Industrial Sector
Although zero-trust works for IT, it can be a bit more challenging to implement in industrial settings. First, the stakes can be even higher since ICS is responsible for connecting the physical and digital landscape. But it also comes down to structure. Edward Liebig explains at SC Media that, “…in these environments, every operator in the control room needs to see systems to orchestrate the overall process. The act of logging on and off subsystems with unique user IDs creates an unacceptable and unsafe blind spot. Similarly, machine-to-machine communication restrictions would also limit options in flexibility, functionality, and performance.”
Plus, the question remains – how do you put zero trust on an asset that is over a decade old? One method that can be applied to combat this issue is to narrow down the specific layers at which zero-trust tools can be built in. Liebig suggests that organizations can use the Purdue Enterprise Reference Architecture (PERA) Model for ICS Security as a starting point for understanding the various elements. They can also consider action at the switch level or segmentation of systems.
But also helpful is taking on that zero-trust mindset defined by an overall integration of cybersecurity into an operation’s culture. That includes setting up obtainable benchmarks. These can include developing an understanding of the attack surface that exists around an industry, creating a response plan, making sure that security is a key element of every role at the facility and investing in outside expertise that can help build relevant and realistic tactics.
To learn more about how to apply zero trust to your OT network, please contact us: https://veracity.io/contact/
- “New Research Reveals 93% of Organizations Surveyed Have Had Failed IIoT/OT Security Projects” – Dark Reading
- “A defense posture is not a cost center: Why OT security is critical” – Dick Bussiere, Express Computer
- “Zero Trust Isn’t Just a Goal, It’s a Mindset” – Craig McCullough, FedTech Magazine
- “Managers of industrial control systems need to start thinking about zero-trust” – Edward Liebig, SC Media
- “Planning a robust response to cyberthreats with a zero-trust mindset” – CyberScoop