NIST’s National Cybersecurity Center of Excellence (NCCoE) has begun the journey toward codifying and standardizing zero-trust implementations. In early June, the NCCoE opened a comment period for Special Publication 1800-35A, "Implementing a Zero Trust Architecture," an initiative among vendors and NIST to demonstrate different approaches to zero trust that will ultimately result in the publication of a NIST Cybersecurity Practice Guide. The guide, according to NIST, will describe “the practical steps needed to implement the cybersecurity reference designs for zero trust.”
SP 1800-35A can be particularly pertinent to operational technology (OT) as more industrial assets are connected to the internet, managed via multiple cloud flavors, and data and process control is distributed among sites globally. However, for zero-trust architectures to become a staple of OT environments, there must be a uniform understanding of the technical and cultural implications of a new access control scheme across critical industries. While “Volume A” of SP 1800-35 is only the executive summary, we believe it’s critically important that the NCCoE take the unique characteristics of OT environments into account to ensure that zero-trust architectures can reduce the inherent risk that exists from legacy assets.
Claroty has contributed its comments to the draft this week that we hope will help inform NIST as it crafts its zero-trust guidance.
Zero trust is based on the premise that there is no such thing as a trusted source. This means cybersecurity teams must operate on the assumption that there are threats present both inside and outside of their networks. Therefore, no communication should be allowed until all users are properly authenticated and authorized. In the context of OT security, zero-trust principles are applied the same way as they are in IT security. This involves implementing several security controls, including network segmentation, vulnerability and risk amplification, threat detection, secure remote access, and network protection. Although implementing a zero-trust OT security model helps organizations protect their critical infrastructure, it also comes with several challenges due to technical, operational, and organizational factors.
Industrial enterprises have begun reaping the benefits of digital transformation in the form of predictive maintenance, improved analytics, operational efficiency, and better overall production. Within OT environments, however, connecting industrial and IoT assets to the cloud also creates substantial risk that can have implications for national and economic security, and public well-being.
OT assets, unlike their IT counterparts, have much longer rip-and-replace cycles—often measured in decades rather than a handful of years. OT assets originally developed for functionality rapidly head toward obsolescence and new vulnerabilities are introduced that may be exploited by determined threat actors.
Risk is being introduced to legacy assets at a much faster rate than vulnerabilities may be remediated given industry’s intolerance for downtime and the need for reliable, safe systems. We’re also quickly learning through increased connectivity that most enterprises, whether they’re manufacturing, utilities, healthcare, or commercial entities, possess some brownfield OT assets that must be managed and secured.
Zero-trust architectures may significantly reduce those risks by wrapping compensating controls that address entire classes of attacks targeting vulnerable cyber-physical assets. Vendors must understand the comprehensive technology portfolios zero-trust implementations must address—including OT and industrial IoT—as they develop products and approaches toward effective implementations.
Change is understood and accounted for within IT. The culture of OT considers change a risk to availability, reliability, and safety. A zero-trust architecture that fails to take these cultural differences into account will fail.
OT is grounded in a culture of safety and machine-to-machine automation where the process is highly engineered, and any change is purposeful and planned. IT focuses elsewhere in the business, and largely away from direct interaction with production equipment. Short development cycles are expected and encouraged, else innovation is stifled. The implementation of a zero-trust architecture should take these cultural considerations into account to ensure acceptance by OT engineering teams.
OT environments are unique, and any zero-trust guidance must understand the workflows and access requirements of engineers (and contractors), how processes are optimized, and the cybersecurity limitations of legacy systems that are ingrained within industrial enterprises.
People: Zero-trust architectures must account for not only full-time automation engineers but also contractors and third-party vendors with access to process systems. We recommend the adoption of an identity lifecycle in which access rights are granted in the context of long- or short-term assignments, as well as just-in-time identity provisioning capabilities to address the nature of third parties whose employment and access rights are known only to the third-party employer.
Process: OT engineers optimize for mean-time-to-repair during outages; therefore, security controls must not impede those cycles. Zero trust must take this into account, and must also understand that OT environments are locked down in order to manage risk. Any changes must take place only during approved windows of time.
Technology: Access controls are often rooted in commodity technology and protocols such as RDP or TeamViewer where known vulnerabilities have already been at the heart of numerous compromises and incidents. Zero-trust architectures can reduce these risks by wrapping modern cybersecurity technology that would help eliminate risky practices such as shared or hard-coded credentials, or the inability of some legacy technology to support retrofitting for cybersecurity.
ISA/IEC 62443 is a big source of cybersecurity truth for OT networks and industrial control system operators. The standard accounts for the technology, work processes, and countermeasures to ensure a holistic approach to securing control systems and takes a risk-based approach to cybersecurity.
Within the standard are the concepts of zones and conduits. Zones are groupings of logical or physical assets according to their risk or criticality, along with other characteristics such as location or access requirements. Conduits are logical groups of communication channels connecting zones that share common security requirements. We recommend that the SP specifically call out the alignment of the zero-trust architecture with zones and conduits to optimize for alignment and understanding with IEC 62443.
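The people, process, and technology points above and the zones-and-conduits model can be expressed as one deny-by-default policy check. The following is an added illustration, not code from Claroty or from SP 1800-35; the zone names, conduit table, grant expiry, and change window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample model (hypothetical names): each asset belongs to an
# IEC 62443-style zone, and a conduit lists the actions it permits between
# a source zone and a destination zone. Anything not listed is denied.
ZONE_OF_ASSET = {"hmi-a": "supervisory", "plc-a": "cell-a"}
CONDUITS = {
    ("engineering", "supervisory"): {"read", "change"},
    ("supervisory", "cell-a"): {"read", "change"},
    ("engineering", "cell-a"): {"read"},  # no direct changes to the PLC zone
}

@dataclass
class Grant:
    subject: str        # e.g. a contractor identity provisioned just-in-time
    zone: str           # zone the subject's session originates from
    expires: datetime   # JIT grant expiry; access ends here regardless of role

@dataclass
class ChangeWindow:
    start: datetime
    end: datetime

def evaluate(grant, asset, action, now, windows):
    """Return (allowed, reason). Checks run in zero-trust order:
    identity first, then the conduit, then the process constraint."""
    if now >= grant.expires:
        return False, "grant expired"
    dst_zone = ZONE_OF_ASSET.get(asset)
    if dst_zone is None:
        return False, "unknown asset"
    permitted = CONDUITS.get((grant.zone, dst_zone), set())
    if action not in permitted:
        return False, "no conduit permits this action"
    # 'change' is only allowed inside an approved maintenance window
    if action == "change" and not any(w.start <= now < w.end for w in windows):
        return False, "outside approved change window"
    return True, "ok"

if __name__ == "__main__":
    utc = timezone.utc
    grant = Grant("contractor-1", "engineering", datetime(2024, 6, 10, 12, 0, tzinfo=utc))
    windows = [ChangeWindow(datetime(2024, 6, 10, 9, 0, tzinfo=utc),
                            datetime(2024, 6, 10, 11, 0, tzinfo=utc))]
    now = datetime(2024, 6, 10, 10, 0, tzinfo=utc)
    print(evaluate(grant, "hmi-a", "change", now, windows))
    print(evaluate(grant, "plc-a", "change", now, windows))
```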
As explained, there are limitations to making technology and architectural changes within OT. We ask that NCCoE consider a phased approach to zero-trust. OT asset owners and operators will reject strategies and recommendations for wholesale changes. By making pragmatic recommendations to a phased approach based on organizational maturity, we will maximize the adoption of zero-trust in OT environments.
Below, we summarize the five points we recommend that reflect the inherent cybersecurity risk found in asset-intensive enterprises, many of which are classified as critical infrastructure by the U.S. government. We do so with the understanding that a zero-trust architecture is crucial to reducing these risks.