TXOne Networks

Dmitri Belotchkine | Andrea Gillhuber

Why "Zero Trust" is also important for OT networks

The concept of 'Zero Trust' originally comes from IT and means: Trust no one! In OT, the methodology is being adopted as a device-centric approach for the security of critical infrastructures.


In the field of IT, the concept of 'Zero Trust' revolves primarily around the continuous verification of users and their access authorizations. The main objective is to ensure that every access to connected network services is made by the right user identity at the right time from the expected location and via registered devices, among other things. This verification process is fundamentally human-centric, as people interact with various network services on a large scale and any compromised individual can pose a significant threat to the entire organization.

However, in the area of Operational Technology (OT), production devices and equipment are rarely tied to specific individuals. Although the potential for damage is similar to that in the IT world, the countermeasures employed differ significantly. TXOne Networks, as a provider of industrial cybersecurity solutions, advocates the implementation of the OT Zero Trust methodology - an approach that also involves continuous review, but takes a device-centric perspective that encompasses all phases of a device's lifecycle. Every device should be scanned for malware and other cyberthreats before it is deployed on a production line, and continuous monitoring and protection must be in place throughout its lifecycle. While IT staff may occasionally sacrifice productivity for security, OT professionals must prioritize system uptime, that is, uninterrupted manufacturing, above all else.

The OT Zero Trust methodology establishes a comprehensive framework in which each production device is protected by at least one of three different security measures throughout its lifecycle. This protection framework includes rigorous pre-commissioning inspections, endpoint protection and robust network defense.


Inspection before commissioning

Figure: An overview of the biggest challenges for companies in terms of cybersecurity. (Source: Frost & Sullivan)

Contrary to popular belief, a brand new production device does not necessarily offer optimal security. Industrial PCs, for example, often run outdated operating systems and may contain older components tailored to specific industrial applications. Their design focuses on functionality rather than security. Although these devices undergo rigorous testing before delivery, cybersecurity issues are often overlooked.

Conducting thorough digital inspections of newly launched production devices serves two critical purposes: first, it helps to detect any known malicious components inadvertently inserted by the manufacturer, ensuring the integrity of the device. Secondly, and perhaps more importantly, it addresses an often neglected aspect of inspections: the inventory of security measures. While OT managers are happy to provide an inventory list of production equipment, it rarely includes comprehensive security details. This lack of transparency is often a problem when updates to critical operating systems are released. In many cases, administrators choose to leave the affected production equipment untouched and not patch it, especially on closed networks that they consider secure. As a result, we are seeing the replay of old attacks like WannaCry in modern factory environments.

In the spirit of the OT Zero Trust methodology, security vendors take an approach of constant skepticism about the security of each new device and monitor its subsequent use. As a result, providers like TXOne Networks conduct inspections continuously to ensure security.

Endpoint protection

While IT environments usually have antivirus software installed on almost all computers, this is not the case for OT devices. There are certain factors that prevent OT managers from using IT-identical cybersecurity solutions.

Most endpoint protection programs are designed for increasingly sophisticated cyberattacks. Therefore, they use sophisticated techniques such as machine learning or 'Endpoint Detection and Response' (EDR) to increase security. However, these measures also come with additional costs, such as high internet usage, consumption of system resources and increased false positives. The associated side effects often discourage OT managers from implementing such protection software for their endpoints.

Nevertheless, security breaches within OT systems often lead to significant losses. Therefore, several cybersecurity solution providers have started to develop endpoint protection solutions optimized for OT environments. These solutions are primarily deployed on-premises and also offer support for older, unpatchable operating systems, meeting the unique requirements of OT endpoint protection.

With the OT Zero Trust methodology, users remain cautious and skeptical about the security of all other connected network devices. Therefore, they implement endpoint protection measures whenever possible to ensure comprehensive cyber security.

Improved network defense for OT security

Figure: Networks in production require very specific cyber security measures. The OT Zero Trust protection concept includes rigorous pre-commissioning inspections, endpoint protection and robust network defense. (Source: TXOne Networks)

Network defense serves both as a complementary security measure to endpoint protection and as a critical step in mitigating undetected security vulnerabilities. However, in OT-based production facilities, several factors hinder the implementation of endpoint protection. Technical limitations, such as unsupported legacy operating systems and the lack of suitable operating systems for emerging IIoT devices or control units, pose a challenge to the implementation of suitable security software. Even when technically possible, many production devices continue to operate without endpoint protection as warranty terms prohibit OT managers from installing additional protection software beyond the initial implementation.

Network-related protection applications play an important role in meeting security requirements and include features such as firewalls and intrusion prevention systems (IPS). In most cases, they work just as well in OT environments as they do in IT. However, as modern attackers increasingly focus on industrial areas, the ability to analyze data packets transmitted in industrial protocols such as Modbus or other proprietary protocols is highly desirable. In addition to general cyber protection, network segmentation is a common practice to control and limit the extent of damage in the event of a cybersecurity incident.

According to the principles of the OT Zero Trust methodology, users should treat every production device in the network environment with a healthy distrust and always assume the possibility of a cyberattack. As a result, network defense measures must be consistently applied to supplement the existing level of security and control the potential extent of damage.

OT incidents: Collateral damage to IT

In a survey of C-level security managers in the OT sector, 94% of respondents stated that they were confronted with security incidents in 2022. Ransomware attacks were the most severe, ranging from traditional attacks to advanced variants such as LockBit. In many cases, OT-based production facilities remain unprotected, making it much more difficult to recover stolen or locked data. The various challenges are:

  • The Service Level Agreements (SLA) in place for these production facilities prohibit the installation of additional software, including security measures.
  • Operational equipment running on outdated operating systems is not adequately protected and patched.
  • The network is planned without adequate segmentation, resulting in a flat architecture that allows cybercriminals unrestricted access within the OT environment.

The lack of adequate cyber protection is the main cause of OT systems falling victim to cyber attacks originating from the IT network or the employees themselves. With an increasing number of voices emphasizing the crucial role of patching in OT security and the emergence of directives such as the European Union's NIS (Network and Information Security) regulation, which highlight the importance of protecting OT networks and critical infrastructure, OT security is undoubtedly becoming a priority concern for businesses.

Practical implementation of the OT Zero Trust methodology

Figure: OT-native cyber defense solutions for ICS/OT environments enable companies to meet the numerous challenges in the area of cyber security. For example, comprehensive cyber security for critical OT infrastructures is guaranteed by endpoint protection measures. (Source: TXOne Networks)

In TXOne's experience, the biggest challenge for OT security managers is the lack of qualified staff. This is not primarily a matter of budget constraints or insufficient cybersecurity expertise, but simply of headcount. As an example, consider a sprawling factory with thousands of production devices managed by just two OT security managers. In this scenario, it becomes clear that relying solely on sophisticated IT security functions is not a solution when manpower is literally lacking.

The true value of the OT Zero Trust approach becomes apparent when it is put into practice. Rather than raising more questions to solve an existing problem, it is crucial to provide users with clear guidance and a definitive solution path. The effectiveness of security solutions should not only be measured by small differences in cyber threat detection rates, but rather by their ability to adapt to OT-specific security requirements and conditions within the production environment.

To deepen this security concept, not only must an easily executable protection framework be created, but a range of user-friendly defense tools must also be deployed. While significant efforts have been made to address concerns about security visibility, the real goal should be to put concrete countermeasures in place. These measures must require minimal effort from already burdened employees while prioritizing operational continuity and production. Considering that a small team oversees thousands of production devices, an ideal combination of security tools should have the following characteristics:

  • No disruption to manufacturing operations, regardless of the security implementations used.
  • Accurate and reliable security measures without false alarms.
  • Immediate implementation of measures instead of seeking further instructions or asking additional questions.
  • Coverage of a wide range of production facilities, from legacy systems to modern equipment, as legacy systems often have security gaps.

What lies ahead

The professionalization of hackers is also accompanied by an increasing trend towards direct cyberattacks on OT environments. In response to this, the protection solutions used should be tailored to OT-specific attacks. This includes not only the seamless integration of security solutions, but also a comprehensive understanding of OT-specific applications, protocols and operational contexts. An example of this would be an OT-specific cyber attack that penetrates an IT network secured with robust security measures. Intercepting such an attack in the OT area with the same pattern-based filter approach as in IT is almost impossible. Detection mechanisms in production environments need to be redesigned using OT-specific contexts.

Here is another example to illustrate this concept: Traditional security solutions will not trigger an alarm in an IT network when a production device communicates with a new end device, as such interactions occur on a daily basis in an office environment. However, with sufficient background knowledge and in the right context, users can readily raise a security event when an OT-based device communicates with an unknown production device, as this should not happen according to the operational design.
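The two context-driven checks described in this section and under network defense (a peer that is not part of the operational design, and protocol-aware inspection of Modbus traffic) can be expressed as a small allowlist evaluator. The following is an added illustration, not TXOne code; the device names, the expected-peer table and the flow records are constructed, and the rule that only engineering workstations may issue Modbus write function codes is an assumption about the plant's design.

```python
"""Allowlist-based detection of unexpected OT communication (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Expected conversations derived from the operational design (constructed).
# Key: source device; value: the set of peers it is designed to talk to.
EXPECTED_PEERS = {
    "hmi-01": {"plc-01", "plc-02"},
    "eng-ws-01": {"plc-01", "plc-02", "hmi-01"},
    "plc-01": {"hmi-01"},
}

# Assumption: only these hosts may issue Modbus write requests.
MODBUS_WRITERS = {"eng-ws-01"}
# Modbus function codes that write coils/registers (5, 6, 15, 16).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                  # e.g. "modbus", "s7", "https"
    func: Optional[int] = None  # Modbus function code, if applicable


def evaluate(flow: Flow) -> List[str]:
    """Return findings for one flow; an empty list means the flow is expected."""
    findings: List[str] = []
    if flow.src not in EXPECTED_PEERS:
        findings.append(f"{flow.src}: device not in inventory")
    elif flow.dst not in EXPECTED_PEERS[flow.src]:
        findings.append(f"{flow.src} -> {flow.dst}: peer not in operational design")
    # Protocol-aware check: writes must come from a designated engineering host.
    if (flow.proto == "modbus" and flow.func in MODBUS_WRITE_FUNCTIONS
            and flow.src not in MODBUS_WRITERS):
        findings.append(f"{flow.src}: Modbus write (function {flow.func}) "
                        "from non-engineering host")
    return findings


def scan(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Evaluate every flow and pair it with its findings."""
    return [(f, evaluate(f)) for f in flows]


# Constructed sample flows for a stand-alone run.
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", 3),     # expected read
    Flow("hmi-01", "plc-01", "modbus", 16),    # write from an HMI
    Flow("plc-01", "plc-02", "modbus", 6),     # PLC-to-PLC write, not designed
    Flow("laptop-7", "plc-02", "modbus", 3),   # device unknown to the inventory
]

if __name__ == "__main__":
    for flow, findings in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:", findings or ["ok"])
```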

The author: Dmitri Belotchkine is Technical Director Europe at TXOne Networks.


The next phase of the OT Zero Trust approach involves not only the continuous review of the security status of production devices, but also the introduction of an OT-centric mindset that incorporates operational contexts. This is the only way for companies and users to achieve true cyber hygiene for OT environments. Companies and organizations should dedicate themselves wholeheartedly to this project - it is worthwhile for everyone involved.
