Zero Trust Network Access for IT/OT Environments

Written by Mark Nairne, Head of Networks & Connectivity, North

IT/OT convergence brings new convenience, data and automation that were not possible in isolated networks. However, this evolution also brings new security threats and challenges, so Operational Technology (OT) security must be considered in the planning and implementation of Zero Trust Network Access.

Zero Trust, and IT cyber security more broadly, is about protecting data: preventing attackers from deleting it, exfiltrating it, or encrypting it for ransom or other perceived gain.

Zero Trust in the Operational Technology Space

Zero Trust in the Operational Technology space is about protecting physical processes and assets. OT attacks aim to disrupt the ‘real world’ by damaging or manipulating sensors, CCTV systems, building systems, robotics, vehicles and other physical systems. To prevent this, organisations need to tailor their cyber security approach to the unique realities of OT environments, especially where they operate in a converged IT/OT world.

Some security strategies, such as network segmentation and Network Access Control, apply in both IT and OT. Others, like two-factor authentication, may only be relevant to very specific and complex OT services. Zero Trust for OT also needs to consider factors that do not arise in IT networks, for example the monitoring and detection of anomalies in process signals that might indicate a compromise.

Zero Trust Architecture

Few organisations have implemented a complete Zero Trust architecture today, let alone one that addresses the unique challenges and risks of OT on an IT network. True Zero Trust security strategies must deliver fine-tuned, context-aware policy monitoring and enforcement, including the ability to allow or block connections to OT systems based on conditions such as asset vulnerability, patch status, user profile, location, or time of day.
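The paragraph above lists the conditions a context-aware policy must weigh. As an added example (not the author's or North's code), the following Python sketches a policy decision point that evaluates a connection request to an OT asset against exactly those conditions: endpoint posture, user role, location, time of day, and the target asset's patch and vulnerability status. The data model, role and zone names, and the 22:00 to 04:00 maintenance window are assumptions made for the example; the point it illustrates is that every condition is a reason to deny and the request is only allowed once all of them pass.

```python
from dataclasses import dataclass
from datetime import time

# Constructed data model for a Zero Trust policy decision point (PDP) that
# sits between users and OT assets. Field names, roles, zones and the
# maintenance window are assumptions made for this example, not any
# product's schema or the article's own design.


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str          # network segment the asset lives in, e.g. "plc-cell-3"
    patched: bool      # firmware at the vendor-recommended level
    open_vulns: int    # known vulnerabilities not yet mitigated


@dataclass(frozen=True)
class Request:
    user: str
    role: str               # "ot-engineer", "ot-operator", "contractor", ...
    location: str           # "plant-lan", "corporate" or "remote"
    device_compliant: bool  # endpoint passed posture checks
    action: str             # "read" (telemetry) or "write" (setpoints/commands)
    at: time                # local clock time of the request
    asset: Asset


# Writes to control systems are only permitted inside a maintenance window
# (22:00 to 04:00, so the window wraps past midnight).
MAINTENANCE_WINDOW = (time(22, 0), time(4, 0))


def in_window(t, window=MAINTENANCE_WINDOW):
    """True if clock time t falls inside window, handling the midnight wrap."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(req):
    """Return (decision, reason) for one connection request.

    Every rule below is a reason to deny; a request is allowed only when it
    clears all of them, so the default outcome is deny.
    """
    if not req.device_compliant:
        return "deny", "endpoint failed posture checks"
    if req.role not in ("ot-engineer", "ot-operator"):
        return "deny", "role %r has no entitlement to OT assets" % req.role
    if req.location == "remote":
        return "deny", "OT assets are not reachable from remote locations"
    if req.action == "write":
        if req.role != "ot-engineer":
            return "deny", "only ot-engineer may write to control systems"
        if req.location != "plant-lan":
            return "deny", "writes require presence on the plant LAN"
        if not in_window(req.at):
            return "deny", "writes allowed only during the maintenance window"
        if not req.asset.patched or req.asset.open_vulns > 0:
            return "deny", "%s is unpatched; writes blocked until remediated" % req.asset.name
        return "allow", "write permitted"
    if req.action == "read":
        # Telemetry from a vulnerable asset stays inside the plant segment.
        if req.asset.open_vulns > 0 and req.location != "plant-lan":
            return "deny", "vulnerable asset readable only from the plant LAN"
        return "allow", "read permitted"
    return "deny", "unknown action %r" % req.action


# Constructed sample assets and requests.
PLC = Asset("PLC-07", "plc-cell-3", patched=False, open_vulns=2)
HMI = Asset("HMI-02", "hmi-zone", patched=True, open_vulns=0)

SAMPLE_REQUESTS = [
    Request("alice", "ot-engineer", "plant-lan", True, "write", time(23, 15), HMI),
    Request("alice", "ot-engineer", "plant-lan", True, "write", time(10, 30), HMI),
    Request("alice", "ot-engineer", "plant-lan", True, "write", time(23, 15), PLC),
    Request("bob", "ot-operator", "corporate", True, "read", time(14, 0), PLC),
    Request("bob", "ot-operator", "corporate", True, "read", time(14, 0), HMI),
    Request("carol", "contractor", "remote", True, "read", time(14, 0), HMI),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, reason = evaluate(r)
        print(f"{r.user:6} {r.action:5} {r.asset.name:7} at {r.at:%H:%M} -> {decision}: {reason}")
```

The ordering of the rules matters for the reason string a user sees, but not for the outcome: because each rule can only deny, adding a new condition (for instance a device's last vulnerability scan age) never widens access. Returning the reason alongside the decision is what makes the policy auditable when it blocks a legitimate engineer during an incident.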

IT security is a journey, not a destination: implementing Zero Trust for OT will take time and will continually evolve to reflect a changing threat landscape.

Discovery & Monitoring

OT asset discovery and monitoring is the first step on the journey to Zero Trust. Given the age and importance of many of the industrial OT devices still in operation, discovery should be carried out in a non-intrusive manner, and it should cover industry-specific protocols so that vulnerabilities are not missed.

Discovery should be followed by a programme of patch management, network segmentation and OT-aware Network Access Control. Ongoing monitoring and control should then take a consistent security approach across IT and OT services.

Once an organisation has a clear picture of what is on its network and what should be happening within its environment, it becomes possible to minimise and mitigate risks such as unexpected external connections, connections to unsafe assets, human error, unnecessary traffic flows, and erroneous or malicious commands to control systems.
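The three steps above (discover the assets, baseline what should be happening, then monitor for deviations) are easiest to see with a concrete check. The following Python is an added example, not the author's or North's tooling: it takes a small constructed baseline of expected flows on an OT segment, a list of assets that discovery flagged as unsafe, and an engineering-approved setpoint range, and classifies constructed flow records into exactly the risk categories the paragraph names: unexpected external connections, writes to unsafe assets, unbaselined traffic flows, and out-of-range commands to a controller. Zone names, asset names, protocol function names and limits are all assumptions for the example.

```python
from collections import Counter

# Constructed baseline describing what *should* happen on the OT segment once
# discovery has mapped it: (source zone, target asset, protocol function).
# Zone names, asset names and limits are assumptions for this example.
EXPECTED_FLOWS = {
    ("scada-server", "PLC-07", "read_registers"),
    ("scada-server", "PLC-07", "write_register"),
    ("eng-ws", "PLC-07", "read_registers"),
    ("scada-server", "RTU-12", "read_registers"),
}
INTERNAL_ZONES = {"scada-server", "eng-ws", "hmi-zone"}
# Assets that discovery flagged as unsafe (unpatched, known vulnerabilities);
# any write towards them is flagged until they are remediated.
UNSAFE_ASSETS = {"RTU-12"}
# Engineering-approved value range for a setpoint write, per asset/function.
SETPOINT_LIMITS = {("PLC-07", "write_register"): (0.0, 120.0)}


def classify(flow):
    """Return the list of alert tags for one flow record; [] means expected."""
    alerts = []
    if flow["src_zone"] not in INTERNAL_ZONES:
        alerts.append("unexpected-external-connection")
    if flow["dst"] in UNSAFE_ASSETS and flow["func"].startswith("write"):
        alerts.append("write-to-unsafe-asset")
    if (flow["src_zone"], flow["dst"], flow["func"]) not in EXPECTED_FLOWS:
        alerts.append("unbaselined-flow")
    limits = SETPOINT_LIMITS.get((flow["dst"], flow["func"]))
    if limits is not None and flow.get("value") is not None:
        low, high = limits
        if not low <= flow["value"] <= high:
            alerts.append("out-of-range-command")
    return alerts


def review(flows):
    """Classify every flow; return (per-flow findings, alert tag counts)."""
    findings = [(flow, classify(flow)) for flow in flows]
    summary = Counter(tag for _, tags in findings for tag in tags)
    return findings, summary


# Constructed sample flow records, in the shape a collector might emit them.
# 203.0.113.0/24 is a documentation range; the addresses are not real hosts.
SAMPLE_FLOWS = [
    {"ts": "2024-11-26T09:00:01", "src": "10.20.1.5", "src_zone": "scada-server",
     "dst": "PLC-07", "func": "read_registers", "value": None},
    {"ts": "2024-11-26T09:00:07", "src": "10.20.1.5", "src_zone": "scada-server",
     "dst": "PLC-07", "func": "write_register", "value": 85.0},
    {"ts": "2024-11-26T09:02:40", "src": "10.20.3.21", "src_zone": "eng-ws",
     "dst": "PLC-07", "func": "write_register", "value": 300.0},
    {"ts": "2024-11-26T09:05:12", "src": "203.0.113.9", "src_zone": "internet",
     "dst": "RTU-12", "func": "read_registers", "value": None},
    {"ts": "2024-11-26T09:06:55", "src": "10.20.4.8", "src_zone": "hmi-zone",
     "dst": "RTU-12", "func": "write_register", "value": 1.0},
]

if __name__ == "__main__":
    findings, summary = review(SAMPLE_FLOWS)
    for flow, tags in findings:
        status = ", ".join(tags) if tags else "ok"
        print(f'{flow["ts"]} {flow["src_zone"]:>12} -> {flow["dst"]} {flow["func"]:15} {status}')
    print(dict(summary))
```

The baseline is the output of the discovery step; without it, the third flow (an engineering workstation writing a value of 300 where the process tolerates at most 120) looks like ordinary Modbus-style traffic and only the value check would catch it. In a real deployment the allowlist and limits come from the asset inventory and process engineering rather than being hard-coded, and the alerts feed the same monitoring pipeline the IT side uses, which is the consistent approach the article calls for.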

Discover more about North’s Networking & Connectivity services.

Date

26 November 2024