The recent string of ransomware attacks directed at industrial and supply-chain targets has sharpened the focus on industrial cybersecurity by business and political leaders. Faced with mounting threats of economic and operational disruption, the OT world is coming to grips with the fact that there’s no such thing as a completely “air-gapped” cell or network, and therefore we must double down on our defenses to secure industrial infrastructure against cyber attacks. Enter zero trust, the security model that assumes everything is hostile and nothing should be inherently trusted.
To change the industrial cybersecurity paradigm, we must first understand the unique challenges of the cyber-physical world.
Navigating the complexity of the converging IT-OT worlds
IT and OT, which have been, by and large, oblivious to each other’s existence, are now becoming more interdependent and being forced to come together, thanks to the convergence of our digital and physical worlds. But the path to convergence can be steep due to significant cultural barriers.
IT primarily concerns itself with the confidentiality, integrity, and availability (also known as the CIA triad) of enterprise data and IT systems at any cost, whereas OT primarily concerns itself with productivity, safety, and uptime of physical operations at any cost. One in three firms says that a single hour of downtime can cost anywhere from $1 million to $5 million in losses. The IT and OT worldviews are sometimes at odds, even if their convergence is driven by the same top-level business outcomes.
No, really, it’s complicated
What’s more, the technical and operational complexities of the factory floor are genuinely difficult to tackle in a number of unique ways:
- Complex, idiosyncratic environments. A typical plant can have hundreds of pieces of highly customized equipment from different OT vendors, each with its own proprietary automation software and protocols, all designed to support specific processes. In contrast, enterprise IT widely uses SaaS and off-the-shelf software and hardware that can be easily deployed, managed, upgraded, and patched.
- Legacy machinery and equipment. The average lifespan of industrial assets often runs into the decades, even as generations of more efficient and more secure technology are introduced, so it’s not uncommon to find aging machinery and equipment on the plant floor. IT systems, on the other hand, typically have lifespans of four to six years.
- Limited security and third-party risks. Unlike IT, the proprietary nature of OT means companies rely on OEMs and boutique vendors to maintain and manage their equipment. The assets are something of a black box to their owners, who have limited visibility into their controls and vulnerabilities. Any security flaws in industrial equipment and communication protocols get compounded by poor security, increasing the attack surface.
Accelerated digitalization was only the beginning—set the stage for the next (cyber) frontier
The path forward calls for charting a new course: IT teams working alongside OT teams with a common goal of protecting the critical processes, plants, automation, and workflows that go into creating a product. CISOs will be at the helm of this next frontier, and it will be imperative for them to extend the principles of the zero trust security model that many in the IT world are now implementing to the OT world.
The National Institute of Standards and Technology (NIST) proposed the zero trust architecture for industrial and enterprise networks and stated, “perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.” A zero trust architecture can simplify security for industrial infrastructure and solve key challenges, such as secure remote access for industrial systems, without requiring complex physical segmentation at each layer of the hierarchical Purdue Model.
CISOs have a prime opportunity to improve the cyber resilience of their manufacturing environments and industrial assets while keeping production lines and processes running smoothly, safely, and reliably.
Knock down the barriers impeding OT-IT convergence. Start with zero today.
A zero trust-based approach can help you integrate OT with IT and unify cybersecurity controls across your industrial and enterprise networks. Zscaler helps companies truly embrace the zero trust mindset by providing visibility into what applications need to be protected and which users need to access them, making infrastructure completely invisible to attackers and accessible only by authorized users, and providing end users with an amazing experience.
OT personnel have traditionally connected to industrial equipment and systems using remote-access virtual private networks (VPNs), but these solutions inadvertently expand the organization’s attack surface and open the door for bad actors to exploit the excessive implicit trust inherent in VPNs. Consider implementing zero trust network access for your industrial environments to make it faster, simpler, and more secure for employees and third parties alike to connect to, troubleshoot, repair, and service assets from anywhere, maximizing uptime and productivity. Zscaler Private Access (ZPA) is a cloud service that provides zero trust network access to your private applications running in your OT network or IT network. ZPA protects your systems against cyber threats by only connecting users and devices to the specific applications they need without connecting them to your network directly.