Palo Alto Networks advises
Using Zero Trust for OT infrastructures
Zero Trust is nothing new in IT, but the protection concept is only just beginning to be implemented in OT. Security specialist Palo Alto Networks advises manufacturing companies to take a closer look at the security concept.
Secure 24/7 operation also requires a zero-trust approach in the OT environment, says Palo Alto Networks. According to the company, this is the only way to comprehensively and consistently protect networked OT environments: OT systems on site and at remote locations, remote operation, and emerging 5G- and cloud-connected OT and IoT systems.
Zero Trust is based on the principle of "never trust, always verify" and helps to protect modern OT environments by applying three fundamental principles:
- Least-privilege access control that uses contextual segmentation and minimal resource access policies.
- Continuous verification of the identity, behavior and risk posture of OT resources.
- Continuous security inspection of all network traffic and OT processes, even when communication is allowed, to prevent zero-day threats.
Concept adapted to OT environments
The Zero Trust concept is already established in IT infrastructures. Palo Alto Networks has now applied these principles in its Zero Trust OT Security solution, which builds on full visibility of OT assets, OT remote applications and their risk posture, giving companies comprehensive visibility of their OT environment. According to the security expert, a typical OT environment contains three types of OT and IoT resources:
- OT resources that are mission-critical, such as distributed control systems (DCS), industrial control systems (ICS), human-machine interfaces (HMI), programmable logic controllers (PLC), remote terminal units (RTU), supervisory control and data acquisition (SCADA) systems and legacy jump servers.
- Building management systems include heating, ventilation and air conditioning (HVAC) systems as well as lighting, sprinkler and fire alarm systems.
- Common IoT devices in businesses include security cameras, printers, VoIP phones and tablets.
A Zero Trust OT Security solution combines machine learning (ML) with crowdsourced telemetry to identify all IT and OT devices, applications and users. It recognizes more than 300 unique asset profiles and more than 1,000 OT/ICS applications. This helps organizations create a comprehensive inventory of OT assets and understand which assets are most critical to their business processes.
Risk assessment in the process
In addition, Zero Trust OT Security assesses the risk of OT assets by monitoring their behavior and their internal and external communication, and alerts on deviations from normal process behavior. Asset identification and risk assessment are performed passively, without interfering with OT processes.
Zero Trust security for OT assets and networks
The Zero Trust OT Security solution establishes and enforces Zero Trust based on ML-supported OT asset visibility and risk assessment. It secures the OT perimeter by segmenting OT networks from enterprise IT and protects OT assets with further zoning and fine-grained segmentation based on OT asset risk, protocol context and process criticality. In this way, organizations can prevent threats from spreading from their IT network into their OT network. The solution automatically suggests least-privilege access policies based on the risk analysis. Organizations can then enforce these policies natively on their next-generation firewall using the patented Device ID™. The automated policies help protect outdated, vulnerable and hard-to-patch OT resources that communicate with approved external applications and networks. In addition, continuous security inspection strengthens OT network security by identifying more than 650 OT-specific threat signatures and preventing zero-day threats.
Zero Trust security for remote operations
The Zero Trust OT Security solution enables organizations to fully implement the principle of least privilege by identifying remote applications based on layer 7 App IDs and their interactions with the OT assets at the facility or site. It helps them secure remote access with consistent Zero Trust least-privilege access to OT environments for third parties, remote experts and production staff supporting OT operations. Using App ID, Device ID and User ID, security managers can enforce policies consistently across applications, assets and users. The solution provides deep and continuous inspection of all traffic, even on permitted connections, to prevent threats including zero-day attacks such as command-and-control (C2) over DNS and malware payloads.
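As an added illustration of the least-privilege segmentation and the App ID / Device ID / User ID enforcement described in the two sections above (example code written for this article, not Palo Alto Networks' product logic; the zone names, device profiles, app IDs, role names and the risk threshold are assumptions), a toy default-deny policy engine that evaluates flows by source zone, destination device profile, application and user role, and blocks write-capable applications to assets the risk assessment has flagged:

```python
"""Added example (not Palo Alto Networks code): a toy default-deny policy
engine modelling least-privilege OT segmentation. Zones, device profiles,
app IDs, roles and the risk threshold are all constructed assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str       # constructed zones: "it", "ot_control", "remote"
    device_id: str  # constructed device profile, e.g. "plc", "hmi", "pc"
    risk: int       # constructed risk score 0..100 from behaviour monitoring

# Least-privilege allow rules as (src_zone, dst_device_id, app_id, user_role).
# A user_role of None means no user identity is required for that flow.
# Anything not matched below is denied (default deny).
RULES = [
    ("ot_control", "plc", "modbus-read", None),
    ("ot_control", "plc", "modbus-write", None),
    ("remote", "hmi", "rdp", "remote-expert"),  # third-party access by role only
]
HIGH_RISK = 70  # assumed threshold above which write-capable apps are blocked

def decide(src: Asset, dst: Asset, app_id: str,
           user_role: Optional[str] = None) -> Tuple[bool, str]:
    """Evaluate one flow against zone, device ID, app ID and user ID."""
    for zone, dev, app, role in RULES:
        if (src.zone, dst.device_id, app) != (zone, dev, app_id):
            continue
        if role is not None and role != user_role:
            return False, f"deny: {app_id} to {dst.name} requires role {role}"
        if dst.risk >= HIGH_RISK and app_id.endswith("-write"):
            return False, f"deny: {dst.name} is high-risk ({dst.risk}), writes blocked"
        return True, f"allow: {src.name} -> {dst.name} via {app_id}"
    return False, f"deny: no rule for {src.zone} -> {dst.device_id} {app_id}"

# Constructed inventory for the demo
PLC = Asset("plc-line1", "ot_control", "plc", 35)
PLC_HOT = Asset("plc-line2", "ot_control", "plc", 85)  # flagged by risk monitoring
HMI = Asset("hmi-line1", "ot_control", "hmi", 20)
IT_PC = Asset("finance-pc", "it", "pc", 40)
VENDOR = Asset("vendor-laptop", "remote", "pc", 50)

if __name__ == "__main__":
    for args in [(IT_PC, PLC, "modbus-write"), (HMI, PLC, "modbus-read"),
                 (HMI, PLC_HOT, "modbus-write"),
                 (VENDOR, HMI, "rdp", "remote-expert"),
                 (VENDOR, HMI, "rdp", "contractor")]:
        print(decide(*args)[1])
```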
Zero-trust security for 5G connected assets and networks
Organizations can enforce zero-trust security with granular segmentation policies based on full visibility of 5G traffic. The solution identifies subscriber ID, device ID, applications and 5G services across all assets and remote sites running on private enterprise (CBRS/LTE/5G) networks and MEC. This helps companies reduce their attack surface, prevent unauthorized access and stop lateral movement of threats. The Zero Trust OT Security solution continuously assesses the health of mobile OT assets and accelerates incident response by correlating, isolating and quarantining infected OT assets from the OT network.