Blog
Sep 27, 2023

How to Secure Operational Technology with Zero Trust Network Access (ZTNA)


Industrial Enterprises in the Crosshairs

The fight against cybercrime rages on, with new fronts opening and new, more advanced techniques emerging on both the offensive and defensive sides. In recent years, critical infrastructure and other operational technology (OT) assets have become an increasingly frequent target of bad actors. Because the compromise or disruption of OT systems can go beyond financial consequences and lead to potential harm to human safety, today’s industrial organizations have no choice but to prioritize cybersecurity. 

With the stakes so high, it is no longer enough to simply deploy security solutions designed for the digital world of information technology (IT) and expect them to protect OT environments as well. A recent article in The Hacker News revealed five key reasons why security solutions created for IT are unable to satisfy the demands of OT and industrial realities. Beyond the insufficiency of IT-built tools, many if not most OT environments are subject to strict regulatory mandates that require specific controls to ensure secure access. 

All this said, one security framework originally created in an IT context actually is emerging as a game-changer in the OT world: Zero Trust Network Access (ZTNA). However, to effectively deploy a ZTNA solution in an OT setting, several notable requirements must be taken into account. 

A recently released white paper from leading analyst firm KuppingerCole explores, among other interesting topics, what is needed to successfully implement zero-trust access within an OT environment. In this blog, we will review the 10 requirements that white paper author John Tolbert deems necessary for enforcing zero-trust access to OT assets. 

Read the complete KuppingerCole white paper to learn more about the security threat landscape facing industrial enterprises, the tools needed to combat these threats, and the regulatory guidance emerging to better protect critical infrastructure. 

10 Requirements for Deploying ZTNA in an OT Environment 

1. Application-Level Segmentation: Beyond Network-Level Protection 

The shortcomings of the traditional network-based approach to security have been proven over and over again in recent years. Systems guarded by perimeter-focused security tools, such as most virtual private networks (VPNs), are now low-hanging fruit for cybercriminals and demonstrate that granting network-level access is simply too risky. 

The zero-trust model advocates for application-level segmentation, where access controls are implemented based on the specific applications that users or devices need to access. This granular approach reduces the risk of unauthorized access and limits the ability of potential attackers to move laterally, thereby reducing the organization’s attack surface. In a world that is both hyper-distributed and hyper-connected (including growing connections between IT and OT infrastructure), limiting access according to the principle of least privilege is essential.   

2. Separation of Control and Data Planes: Ensuring Optimal Security 

Another key aspect of ZTNA solutions for OT is the separation of the control and data planes. Such separation ensures a clear distinction between the decision-making process and the data transmission, reducing the likelihood of unauthorized access or tampering with critical data. This separation also ensures that even if one layer is compromised, the other remains secure, maintaining a robust defense against cyber threats. 

3. Support for Common OT Applications and Devices: Guaranteeing Compatibility 

Given the diverse range of OT applications and infrastructures, it is crucial to choose a ZTNA solution that supports industry-standard equipment and protocols. And, frankly, this is an area where many solutions fall short (and thus, where deployment can face significant complications).  

Most OT environments are built around legacy systems that are highly vulnerable to attack but cannot be disrupted long enough to patch, update, or replace. ZTNA tools that require a certain level of modernization simply cannot support such infrastructure. Similarly, solutions that only function with a cloud connection cannot extend protection to cloud-averse, offline or air-gapped OT systems.  

Finding a solution able to support offline systems and retrofit legacy architecture with a modern identity infrastructure is critical to ensuring a full and successful ZTNA deployment. Vendors should understand the unique security challenges of OT environments and provide compatible solutions that can be deployed without downtime or the disruption of operations.  

4. Scalable, Decentralized Architecture: Tackling Latency 

Real-time responses are critical in OT environments, and latency is therefore an important concern. To succeed in the OT realm, ZTNA solutions must adopt a scalable and decentralized architecture to ensure that security measures do not introduce unacceptable delays. By distributing security functions across the network, an effectively designed ZTNA tool can minimize latency and guarantee swift response times, even in high-traffic OT environments. 

5. Centralized, Unified Deployment and Policy Management: Simplifying Complexity 

Managing security and access policies across multiple OT assets can quickly become overwhelming. A centralized and unified approach to deployment and policy management streamlines operations, making it easier to enforce consistent security measures and policies throughout the environment. Centralized management also enables rapid response to emerging threats and policy updates, ensuring continuous protection. 

6. Device Posture Validation: Raising the Bar for Access  

Before granting access, ZTNA solutions should verify the security posture of devices seeking entry into the OT environment. By ensuring that only authorized and properly configured devices can connect, organizations significantly reduce the risk of compromised endpoints being used as entry points for attackers. 

7. Multi-Factor Authentication and Single Sign-On Support: Enhancing Access Controls 

Multi-factor authentication (MFA) and single sign-on (SSO) mechanisms bolster access controls, adding an extra layer of security to the authentication process. MFA requires users to provide multiple forms of verification, making it harder for unauthorized individuals to gain access. SSO streamlines the login process for legitimate users, improving the user experience without compromising security. 

Legacy systems may not natively support MFA and SSO so, again, it is crucial to choose a ZTNA solution that can retrofit them to support modern identity and access controls. 

8. Granular Authorization and Continuous Session Monitoring: Extending Control 

To meet the needs of OT environments, a ZTNA solution must support granular authorization per session, enabling organizations to control what resources users can access during each session. This fine-grained control minimizes the potential damage caused by compromised credentials. Continuous session monitoring and anomaly detection complement granular authorization, enabling real-time threat detection and swift response to suspicious activities. 
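Requirements 1, 6 and 8 (with the MFA gate from requirement 7) describe one decision flow: a request names an application rather than a network, the device's posture is checked, the role's entitlements are consulted, and the resulting session is bound to exactly what was granted and watched while it lasts. The following Python sketch of a policy decision point is an added example written for this post; it is not code from Cyolo, KuppingerCole or the white paper. The roles, application names, posture thresholds and the write-rate limit are all constructed for illustration.

```python
"""Toy ZTNA policy decision point for an OT environment (constructed example).

Shows application-level least privilege, device posture validation, per-session
authorization and continuous session monitoring in one place. Every identifier
below (roles, application names, thresholds) is an assumption for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DevicePosture:
    edr_running: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device: DevicePosture
    application: str   # an application identity, never a subnet or VLAN
    operation: str     # "view" or "write"


# Constructed policy table: role -> set of (application, operation) pairs.
POLICY = {
    "maintenance-engineer": {("hmi-line-3", "view"), ("hmi-line-3", "write"), ("historian", "view")},
    "vendor-support": {("hmi-line-3", "view")},
}
MAX_PATCH_AGE_DAYS = 30  # constructed posture threshold


def posture_ok(d: DevicePosture) -> bool:
    return d.edr_running and d.disk_encrypted and d.patch_age_days <= MAX_PATCH_AGE_DAYS


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Every check must pass. The answer is per application and operation,
    so a denied request never receives broader network reachability."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if not posture_ok(req.device):
        return False, "device_posture_failed"
    if (req.application, req.operation) not in POLICY.get(req.role, set()):
        return False, "not_authorized_for_application"
    return True, "allowed"


@dataclass
class Session:
    user: str
    application: str
    operation: str
    started: datetime
    max_duration: timedelta
    write_limit_per_minute: int
    write_times: list = field(default_factory=list)


def open_session(req: AccessRequest, now: datetime) -> Optional[Session]:
    """Create a session scoped to exactly the application/operation that was authorized."""
    allowed, _ = decide(req)
    if not allowed:
        return None
    return Session(req.user, req.application, req.operation, now,
                   max_duration=timedelta(hours=1), write_limit_per_minute=5)


def monitor(session: Session, event: dict) -> str:
    """Continuous session monitoring. An event is a dict with keys 'time',
    'application' and 'operation'. Returns 'ok' or 'terminate:<reason>'."""
    if event["time"] - session.started > session.max_duration:
        return "terminate:session_expired"
    if event["application"] != session.application:
        return "terminate:out_of_scope_application"
    if event["operation"] == "write" and session.operation != "write":
        return "terminate:write_without_write_grant"
    if event["operation"] == "write":
        session.write_times.append(event["time"])
        window_start = event["time"] - timedelta(minutes=1)
        recent = [t for t in session.write_times if t > window_start]
        if len(recent) > session.write_limit_per_minute:
            return "terminate:write_rate_anomaly"
    return "ok"


def run_demo() -> dict:
    """Runs a constructed scenario and returns the decisions and monitor verdicts."""
    now = datetime(2023, 9, 27, 8, 0, 0)
    good_device = DevicePosture(edr_running=True, disk_encrypted=True, patch_age_days=7)
    stale_device = DevicePosture(edr_running=True, disk_encrypted=True, patch_age_days=90)
    results = {}
    # Authorized engineer, healthy device, MFA done: write on hmi-line-3 is allowed.
    eng = AccessRequest("alice", "maintenance-engineer", True, good_device, "hmi-line-3", "write")
    results["engineer_write"] = decide(eng)
    # Same engineer from a device with 90-day-old patches: posture check fails first.
    results["stale_device"] = decide(AccessRequest("alice", "maintenance-engineer", True, stale_device, "hmi-line-3", "write"))
    # Vendor asks for write on the HMI: the role only carries view.
    results["vendor_write"] = decide(AccessRequest("bob", "vendor-support", True, good_device, "hmi-line-3", "write"))
    # A session bound to hmi-line-3 drifts to the historian mid-session.
    s = open_session(eng, now)
    results["in_scope"] = monitor(s, {"time": now + timedelta(minutes=1), "application": "hmi-line-3", "operation": "write"})
    results["out_of_scope"] = monitor(s, {"time": now + timedelta(minutes=2), "application": "historian", "operation": "view"})
    # Six writes inside one minute against a limit of five: behavioural anomaly.
    s2 = open_session(eng, now)
    verdicts = [monitor(s2, {"time": now + timedelta(seconds=i), "application": "hmi-line-3", "operation": "write"}) for i in range(6)]
    results["write_burst"] = verdicts[-1]
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point of the structure is that the session object carries only the application and operation that passed `decide()`, so the monitor can reject scope drift without consulting any network address, and the posture and MFA checks sit in front of the entitlement lookup rather than beside it. A production policy engine would add session re-evaluation when posture changes and would feed the `terminate:` verdicts to the reporting function described in requirement 10.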

9. Additional Threat Protection Capabilities: Staying One Step Ahead 

ZTNA should not be limited to access controls alone. Advanced threat protection capabilities, such as behavior-based anomaly detection, fortify the security posture of OT environments. By keeping ahead of emerging threats, organizations can more effectively safeguard their critical assets.

10. Built-in Reporting and Compliance Audit Functions: Maintaining Accountability 

Compliance with industry regulations and internal policies is crucial for organizations operating industrial control systems, critical infrastructure, and other OT systems. ZTNA solutions equipped with built-in reporting and compliance audit functions provide the necessary visibility and accountability to meet regulatory requirements and demonstrate adherence to security best practices.

Rising Threats Demand Stronger Security Solutions

Threats against critical infrastructure and OT systems are growing, and industrial enterprises need solutions that can satisfy their distinctive requirements and priorities. According to KuppingerCole analyst John Tolbert:

“Zero Trust Network Access is an excellent approach for enabling secure access control for OT environments.”

But, as we have seen, simply sticking any ZTNA tool inside your OT environment is not sufficient. To ensure efficient and reliable secure access to OT systems, choose a ZTNA solution that adheres to the 10 requirements outlined here. To learn more about the OT threat landscape, ZTNA and security architecture for OT environments, regulatory compliance, and how Cyolo ensures secure remote access, read the complete white paper from KuppingerCole.

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
