Insight by Booz Allen Hamilton

Applying zero trust to OT requires ‘common sense approach’

Operational technology suffers from a technical debt that renders infrastructure vulnerable to cyberattacks as it becomes further enmeshed with IT systems.

Operational technology (OT) has never been so intertwined with IT as it is now. That comes with a plethora of benefits, like the ability to remotely operate control systems, and gather data on them to improve their efficiency. But it comes with challenges as well — chief among them is the increased vulnerability to cyberattacks. That’s why the demand for a zero trust strategy for OT is on the rise.

“Because there’s so much integration of OT and IT systems, we’re starting to see an increased threat landscape and more sophisticated attacks, things like the disruptive Colonial Pipeline attack that happened a few years ago,” said Imran Umar, vice president for zero trust for Booz Allen. “

The challenge is that OT systems — often installed as part of national security or manufacturing infrastructure, as well as critical infrastructure like water and electricity — were never designed to be secure. Most OT systems are legacy, with 20-to-30-year lifecycles. Yet they are now just as vulnerable to cyberattacks as they are crucial to the daily operations of much of the country’s infrastructure. By infiltrating one OT system, an adversary can create an outsized disruption to national critical functions without firing a single shot. And attackers are getting at the OT through the IT it’s linked to.

That’s why agencies, especially those within the Defense Department, and critical infrastructure organizations need to put in place a zero trust strategy for their OT as quickly as possible. Much like with IT, Umar said, organizations won’t be able to create everything they need in a single day, but they can achieve progress over time step by step. It will require a significant investment, starting with a robust assessment of every OT system that’s already integrated with IT systems.

The challenge is also the opportunity

Oftentimes, we see commonality in operational technology components and vendors regardless of where they’re deployed, said Dave Forbes, director of cyber physical defense at Booz Allen. That includes processors, pumps, motors, programmable logic controllers, and other control systems. What’s different is the operational environment and architecture.

Every DOD base, for example, has a unique mission. It could have different weapon systems and platforms that have to be taken into account from a security perspective. That means the armed services and often individual defense agencies have their own approaches to OT. While there are best practices, processes, and governance frameworks for the OT security problem, all require specific tailoring based on site, system, components, and mission.  “Even though that’s a challenge, I think it’s an opportunity as well, and creates even more of a need for those specific things that zero trust practices bring to securing an enterprise,” Forbes said. “First, you can create commonality across some of those installations and agencies. But also, where vulnerabilities can exist because of this sort of decentralized approach to securing OT, zero trust can bring that added layer of visibility, best practices and security across networks, systems and processes.”

Start with the basics

The first order of business for any organization trying to implement zero trust controls for OT needs to be visibility, Umar said. Much like enterprise IT, OT systems need to ensure continuous, validated access. That means starting with a baseline assessment to see where things stand now. That will allow that organization to build out a roadmap for their zero trust implementation.

“It’s a mindset change,” Umar said. “For the longest time, the perception was that visibility and analytics across OT system are not needed, because they’re local. So there wasn’t a lot of focus on putting a strong visibility for OT devices, especially at the local level. Now that you start integrating with IT systems, all of a sudden, you’re increasing your attack surface.”

But that perception has to change with the technology, Forbes said. For example, not only is OT more vulnerable than it’s ever been, but it’s also more distributed than it’s ever been. The OT for any installation could be provided from outside that installation, like electricity and water. Much like IT endpoints are now outside traditional network boundaries, OT systems now extend beyond the fence line, to say nothing of maintenance, third-party vendors and the supply chain. That’s why it requires a deliberate strategy for implementing zero trust.

“OT systems need maximum uptime and are often fragile, so we take a common-sense approach to applying zero trust solutions in OT environments,” Forbes said. “It’s extremely important, but it needs to be done the right way.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    The State Department seal is seen on the briefing room lectern ahead of a briefing by State Department spokesperson Ned Price at the State Department in Washington, DC, on January 31, 2022. (Photo by MANDEL NGAN / POOL / AFP) (Photo by MANDEL NGAN/POOL/AFP via Getty Images)

    ‘Resources are going to shrink.’ Expect State Dept cuts under Trump, formers say

    Read more
    Getty Images/iStockphoto/scyther5best places to work in the federal government, small business, VBA

    OPM’s Shriver sees skills-based assessments, shared certificates as federal hiring strategies ripe for expansion

    Read more
    Getty Images/iStockphoto/Who_I_amCloud computing technology internet storage concept with circuit board. Internet data services. Vector illustration

    Two senators look to reign in big tech’s influence in defense AI, cloud contracts

    Read more