Internet of things Security

Zero Trust, but verify: find the OT in Zero Trust

Zero Trust, but verify: find the OT in Zero Trust
Written by ga_dahmani
Zero Trust, but verify: find the OT in Zero Trust

Article by the director of APAC of Nozomi Networks, Diego Betancur.

The shift to cloud-based and remote technologies has changed the goals of cybersecurity. Now you need to cover multiple people, devices, platforms, and networks.

Each variable comes with a new set of vulnerabilities and unique security needs. Zero Trust has emerged as a response to this to ensure that IT systems adapt to each user in the age of mass remote work.

Gartner describes Zero Trust as an architecture that “never trusts, always verifies” connections and assumes a bad actor first. This creates highly resilient and highly flexible environments that are primed for modern attacks.

The Zero Trust approach personalizes access based on what resources are needed, where, and in what context. Ideally, this access is continuously tested without any additional time burden for real users.

Operational technology challenges

For many companies, Zero Trust is relatively easy to adopt. A company that only communicates internally and doesn’t use any automated processes will find it easy to implement Zero Trust user access: the security protocols won’t lock out a normal user with a consistent history.

But operational technology (OT) and information technology (IT) devices are different. User agents are often headless: the frontend is separate from the backend. These include controllers, sensors, robots, and smart glasses that may not have software installed.

This is especially the case if you’re dealing with single-purpose optimized processes that don’t even run a full operating system. These devices were often designed without security in mind, likely because OT and IT threats were not as well understood or differentiated.

Context Matters for Zero Trust Policies

To make better quality decisions about connectivity, organizations need better information. This starts with understanding what they are trying to protect.

The Zero Trust architecture checks before allowing access to the network and determines if this connection will be made securely. Once approved, the connection will only have access to the minimum number of resources that the user or machine needs. And these checks will be done for each session: there is no continuous access.

The system asks users questions: where are they located, what machine are they using and could it be compromised, is there a history between these systems? All of this informs better quality decision making in real time.

Zero Trust Architecture

Zero Trust is not a one-size-fits-all approach: they are easy to crack. Zero Trust requires fundamental changes in infrastructure and policies. Network and security architectures must undergo significant changes to implement the necessary policies and compliances throughout the organization.

This can be detrimental to operations and applications in the short term. When combined with industrial process and critical infrastructure automation, the unique requirements of OT and the Internet of Things (IoT) can make implementations difficult.

OT system owners need flexibility for a workforce that could now be located anywhere, working with different levels of security and even under a different data protection legislative framework.

OT and IoT devices are not positioned to easily adopt Zero Trust with micro-segmentation. When these networks adopt Zero Trust, it is usually to secure remote access scenarios and is not implemented throughout the internal network.

In OT, the choice is perceived to be between quick and easy access to systems and overly cautious security. In automated systems, automatically blocking users would seem like an unnecessary burden. If an OT provider believes that Zero Trust makes it difficult for workers to access systems, they will likely choose productivity over security.

This luxury may have been the case before COVID and remote work, but threats have changed faster than our work habits and security needs to keep up.

But Zero Trust is not intended to be a download-and-forget solution or a huge burden for genuine users. Organizations need a mindset shift, along with significant upgrades and infrastructure modifications to make Zero Trust work and embed cybersecurity hygiene at the heart of how their people work.

About the author


Leave a Comment