By Jules Vos, Head OT cyber security services - NL at Applied Risk - Critical Infrastructure Made Secure
August 2021
We hosted a (CS)²AI Online™ seminar on August 26, 2021 that focused on Deciphering the Value of Zero Trust & CARTA in Operational Technology.
Here is a bit about the event:
IT and OT are increasingly becoming one and the same entity, and are approaching a common set of business goals and objectives for the future of many industries. Driven by the increase of Industrial Internet of Things (IIoT), Industry 4.0 and new business opportunities presented by digital transformation, many organizations in the energy sector are already entering the IT/OT integration journey and embracing the benefits as well as risks associated with such business models.
This integration introduces new dynamics especially for IT and OT cybersecurity teams and a consolidation of responsibility for strategy. The need for a proven and different security approach beyond traditional defense in depth is becoming a necessity for many organizations in light of emerging cyber threats. Modern concepts that have been gaining traction over the last few years are Forrester’s Zero Trust model and Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA).
• What is Zero trust and Continuous Adaptive Risk and Trust Assessment (CARTA) in OT?
• Why these models are game changer for OT?
• Where are key benefits and how to embrace this journey for your OT?
• Case Study: applying zero trust to include IIoT and OT at major energy company
Speaker:
A forward thinking industrial cyber security expert with over 30 years of outstanding experience in engineering, consulting and mastery in industrial automation.
With a hybrid skill-set in detailed control system engineering (DCS/SIS) and consultancy Jules Vos has been involved in a number of complex oil and gas production and power generation environments, in addition to cyber security and standardisation processes.
Jules is a ICSJWG panel member and has collaborated closely with EUROSCSI and the Dutch NICC cyber security initiatives.
As always, we encourage our audience to participate throughout the event by contributing feedback and questions for our speakers. We weren't able to answer all of your questions, so we have asked some of our speakers to answer a few of them. Below, are some answers to a few questions posed during the event.
Do you want to have access to more content like this? Register for our next (CS)²AI Online™ seminar or symposium here, or consider becoming a member of (CS)²AI to access our entire library of recorded sessions.
*******************
To view the full recording of his talk, please visit https://www.cs2ai.org/sponsored-seminars.
Question:
You state OT monitoring is important. Do you have experience with these and how would connect that to the SOC?
Answer by Applied Risk:
Basically any feasible kind of monitoring should be considered. The more monitoring the better. Options are: 1) use of vulnerability management tools to catch anomalies like Nozomi, Claroty, CyberX, Forescout, Tenable etc. These tools can integrate (API level) with SIEM solutions (LogRhythm, Splunk, Arcsight etc.). 2) Collect syslog files form devices such as network devices (Firewall, routers) or none-windows machines like Linux. 3) collect windows log files using WMI/WEF/WEC type of solutions 4) use smart attack path vulnerability scanners, to find blind spots or network configuration weaknesses (Skybox, Tufin). These tools are not OT specific but are commonly used in IT. Because the path from internet to OT often uses IT networks they may be useful. These tools often utilize firewall monitoring consoles as well like Paolo Alto Panorama etc. 5) Virus scanner (McAfee, Symantec) orchestrators (e.g EPO) integrated with SIEM.
Question:
Thanks for hosting the event, if we are interested in learning more how would you reccomend we do so? Books, videos etc?
Answer by Applied Risk:
There is a lot on internet to be found about Zero Trust. Gartner CARTA, Forrester ZT, Microsoft ZT articles. Many solution providers also have insightful articles about the subject.
Question:
A key balance in cyber security is enabling ths business to continue to do business, Does 0t reduce the ability of a business to do business and if it does how do you limit that impact?
Answer by Applied Risk:
This is a very good and fundamental question. Cyber security must enable the business and help business continuity. So, all measures taken shall not be a blocker. Of course, measures like strict identity management, meaning giving up the commonly used ‘OT group accounts’ may be perceived as annoying or a blocker. But it shouldn’t be. Identity and access management shall be architected in such a way that it makes use if named users easy for the business. Next to that awareness sessions shall be held for the business to explain the rational behind zero trust, behind identity management. I haven’t come across a street where everybody is using the same front door key, so why would this approach be expectable critical production processes!
Question:
In what ways can a Zero Trust Architecture simultaneous improve security through more authentication/anuthorization/observerations/interventions, yet at same time potentially reduce security through then acceptance of riskier endpoints where underestimate risk of those endpoints?
Answer by Applied Risk:
One of the key elements of zero trust is strong segmentation. If riskier endpoints for example means obsolete (e.g., Windows XP), they will be put in a separate segment to manage access best. A fundamental part of any architecture is to understand the risks and design against business objectives, business criticality and technical capability of components in that architecture.
Question:
How do we ensure engineers agree to zero trust tactics, i.e. provide them enough comfort that it will not intervene with the essential or critical functions (Safety, loss of control, etc.)?
Answer by Applied Risk:
First and foremost: ZT doesn’t introduce new solutions in the OT perse. It improves the use existing features like identity management. Monitoring solutions are all proven in use so not new either. Engineers in general are lacking deep cyber security knowledge and cyber security risk understanding. So education is the first step to take. Next collaboratively solution designs have to be developed. OT engineers are very disciplined in how they design hardware (e.g. cabinets, auxiliary rooms), safety controls (although the safety system key switch is often not well managed) and sometimes also physical access. But in general, they are far too relaxed when it comes to digital access and controls because risks are not well understood. This needs to change.
Question:
Do you see Zero Trust as something you achive and done or is it a constant journey that will continue to change?
Answer by Applied Risk:
ZT will definitely be a journey. The principle will remain the same, however the solutions will develop rapidly. Maybe in future, based on these principles, we will move to self-controlling connections between devices, so network controllers (like firewalls) are becoming redundant. That would be the ideal world.
Question:
What are the unique challenges of the industrial segment regarding the adoption of zero trust and CARTA.
Answer by Applied Risk:
The introduction of stricter identity management in the OT and integration with the corporate identity management system (based on zero trust connection) will be the main challenge.
Question:
Can zero trust can be applied on existing legacy systems, if yes, can you share your best practices
Answer by Applied Risk:
Yes it definitely can. Applying network segmentation is one thing. Identity management can be applied by implementing named users in each and every system. So get rid as much as possible of group account. Next extract users ID’s from these systems (manual or in an automated way) to a central management system and manage identities from there. Preferably incorporate this data into the corporate identity system but if this is not yet feasible manage identities in the OT so if people move or leave the company the identity can be removed from OT systems. Next to that network vulnerability monitoring can already be applied (see earlier reply including potential solutions)
Question:
Do you think all the cloud providers in market today think about ZT and CARTA. Any examples you can share of those initiatives? I know of MIcrosoft working on Defender XDR. How about AWS and GCP?
Answer by Applied Risk:
Yes they are however I don’t have specific examples. Please keep in mind that ZT is very much how we as end users design our IT and OT. Basically all solutions are available however, as end users, we have to architect ZT to our needs.
Question:
Do you see a prioritized list of areas to start? Network segmentation vs. User Identity (ACL, Least Privs), etc.?
Answer by Applied Risk:
It may have become clear from my previous answers that my focus is very much on architecting strong identity management and network segmentation. Identity management is complex and requires a lot of time to design the right solution. So don’t underestimate this but it is fundamental and really needs to be protected against current cyber threats.
Question:
How often are the manufacturers devices checked for secuiry and spying
Answer by Applied Risk:
Manufacturers continuously update their vulnerability databases and check devices for new vulnerabilities. However it is up to end-users to ensure that continuous monitoring and remediation of vulnerabilities and measures against new threats are being executed. The governance and evergreening is the end-users accountability and contracts with suppliers need to be managed.
Question:
Does Zero Trust also apply to IoT, and more specifically to Edge Computing model?
Answer by Applied Risk:
Absolutely. If IoT is really used as IoT, meaning direct internet connection into the cloud, ZT and strict identity management is essential. Remember that an IoT device also is an identity that needs strict management.
Question:
Could Zero Trust be applied to brown field OT (given the rigid and conservative nature of it) or only is applicable to new deployments?
Answer by Applied Risk:
Definitely. Segmentation, strict identity management, vulnerability monitoring, logging and integration to SOC/SIEM as examples has been done in many brownfield cases. These activities are not easy and need comprehensive design and preparation but are critical and necessary.
Question:
Are you familiar with Open Process Automation alliance and how would you consider that to be suitable for Zero Trust implementation?
Answer by Applied Risk:
OPAF has adopted IEC-62443. So, I don’t see an issue with OPAF and Zero Trust. Remember Zero Trust is very much about architecting a ZT OT using existing technology. ZT is not a technical ‘solution’ but an architecture and a way of working and managing your OT.
Question:
Operationally, if the business does not have a SOC operation (as yuo mentioned already), how would operation staff react to cybersec issues even if monitoring tools generate an alert? Who on the shop floor can understand the alert and decide how to react? As a security tool developer, we need to understand our audience to develop appropriate tools.
Answer by Applied Risk:
Companies and OT management need to understand that investments in OT cyber security are inevitable. Incident and event management procedures and processes need to be developed amongst many other things. It could help to develop smart tools that help shop floor users or OT cyber security focal points, if no SOC is implemented, to run effectively through the incident/event management process, also providing guidance on what to do to reduce the impact as much as possible. So that you don’t need to be a specialist to be able to contain an incident as quickly as possible.
Question:
Is it possible to do threat evaluation by correlating OT environment risk with user risk? if yes,any recommendations?
Answer by Applied Risk:
This is something for the future I think I haven’t seen this yet implemented. But yes, CARTA for example is based on the adaptive risk principle, meaning that users in a certain environment or circumstances could be trusted more or less, so they get more or less privileges. This approach definitely will be further developed in future and may replace or enhance role-based access control (RBAC) or attributed based access control (ABAC) which are difficult to implement and maintain approaches.
Question:
Can the process opted during Zero trust strategy for IT be used or referred while defining it for OT?
Answer by Applied Risk:
I don’t fully understand this question. IT and OT must collaborate and further integrate. OT continuing to stay independent and ‘isolated’ will degrade security levels instead of protecting the OT. The digitalization is moving fast and so does the need for OT data and optimization. There is must in common between IT and OT despite the substantial differences. So combining effort and architecting an zero trust based integrated IT-OT is the way forward in our opinion.
Question:
Is it true that OT is changing fast with greater IOT Online and in the cloud. I think Colonial Pipeline (CP) was a perfect example of Why OT should attempt to maintain Some isolation! By isolation, I don't mean complete disconnection but isolation and zero trust operation seems to be key. We want access to monitor and do supervisory control But Not Alot of Onlining of IOT Operation in Clouds. And IMO the idea of Digital Twins hosted in Cloud is <xyzzy> :-p.
Answer by Applied Risk:
Colonial Pipeline clearly was not an OT issue but failing billing (office IT) systems forced to company to stop production. Zero Trust indeed is the way to go in my opinion when it comes to integrating IT and OT. It means that nothing is allowed unless explicitly approved. This applies to all OT elements including the inevitable cloud integration. IoT but also specific OT functions like advance process control as well as services like condition monitoring will more and more be cloud based.
Question:
Preventing lateral movement is important But we have to develop technology to prevent exfiltration in general. There are too many ways for botnets to do command/control from the Internet once a quorum of IOT devices has been co-opted. We've seen this especially with Router devices (some of which have been in operation way beyond expected lifetimes). Old hw/sw solutions are a concern when they've been networked but are not being updated against attacks.
Answer by Applied Risk:
Fully agree. So, this is why end user must develop a comprehensive governance framework and operating model to manage compliance and devices and keep the OT evergreen. Cyber security must be a part of daily operations.
ANSWERS PROVIDED BY:
