Time to Treat Your OT Like IT, with Zero Trust Principles

Critical National Infrastructure (CNI) often includes high levels of operational technology (OT). Traditionally, these systems were physical devices and switches. Reliable and resilient, they often still run on legacy systems and separate from the internet. Although not always deliberate, this isolation kept them secure.

These previously air-gapped systems are now often connected to critical networks. For example, cameras that monitor roads, rail and underground services are being digitalised. This gives the CNI organisation more connected data and information about its systems. But the operational technology does not have the same security measures as the critical network, so these largely unmonitored, dumb endpoints are becoming an increasing cyber security risk.

OT needs to be made as resilient as IT. Without proper security, operational tech is an easy target. Access to a valve could switch it off, shutting down the UK’s water supply or rapidly reducing the water company’s ability to serve its customers.

The principles of zero trust can help secure legacy operational tech. The challenge for CNI organisations is that they rely on traditional operational technology and now need to retrofit it into a modern IT network. The size of this project can often lead to security being an afterthought. Issues like costly downtime and the need to keep operations functioning make implementing security measures more challenging. However, a resilient OT system should incorporate some zero trust ideas.

For example:

  • Least privilege access. Limiting access to or from an OT system based on operational need, and then segmenting that access to prevent unnecessary exposure.

  • Continuous validation. Security should be dynamic, with the ability to revoke trust at any time. To do this, access needs to be constantly re-evaluated, checking on user behaviour.

  • Micro-segmentation. Dividing an OT network into zones (control systems, sensors, switches etc.) contains a threat within the zone where it appears.
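The three principles above can be combined in a single access decision. The following is an added illustration, not code from the original post or from any product: a small policy engine with the zones named above, a least-privilege allowlist per role, and continuous validation that revokes a session after repeated out-of-policy requests. The roles, zone names and threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Micro-segmentation: the network is split into the zones named in the post.
ZONES = {"control", "sensors", "switches"}

# Least privilege: each role may only perform the (zone, action) pairs it
# operationally needs. Constructed sample policy, not any vendor's schema.
POLICY = {
    "camera-feed":    {("sensors", "read")},
    "plant-operator": {("sensors", "read"), ("control", "read"), ("control", "write")},
    "network-admin":  {("switches", "read"), ("switches", "write")},
}

DENY_THRESHOLD = 2  # assumed: revoke trust after this many out-of-policy requests


@dataclass
class Session:
    user: str
    role: str
    denied: int = 0        # out-of-policy requests seen so far (behaviour signal)
    revoked: bool = False  # trust withdrawn; every later request is refused


def authorize(session: Session, zone: str, action: str) -> str:
    """Decide one request: 'allow', 'deny', or 'revoked' once trust is withdrawn."""
    if session.revoked:
        return "revoked"
    if zone not in ZONES:
        raise ValueError(f"unknown zone {zone!r}")
    if (zone, action) in POLICY.get(session.role, set()):
        return "allow"
    # Continuous validation: an out-of-policy request is denied and counted
    # against the session; crossing the threshold revokes trust mid-session.
    session.denied += 1
    if session.denied >= DENY_THRESHOLD:
        session.revoked = True
    return "deny"


def replay(session: Session, requests) -> list:
    """Evaluate a sequence of (zone, action) requests for one session."""
    return [authorize(session, zone, action) for zone, action in requests]


if __name__ == "__main__":
    # Constructed sample: a camera session that starts probing the control zone.
    cam = Session("cam-042", "camera-feed")
    print(replay(cam, [("sensors", "read"), ("control", "read"),
                       ("control", "write"), ("sensors", "read")]))
    # → ['allow', 'deny', 'deny', 'revoked']
```

Note that the final sensor read, which the camera role is normally permitted, is refused because trust was withdrawn earlier in the same session.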

Critical National Infrastructure organisations need to adopt an assume-breach mentality. When M&S and Jaguar Land Rover are shut down by cyber incidents, the government takes notice. These are not essential services, but they can have a national impact because of the effect on the supply chain and the associated jobs. Similar breaches at a transport organisation or a utilities company could cause a devastating shock. To avoid this, organisations can adopt an assume-breach mentality and reconfigure OT systems on the assumption that compromise is inevitable, then implement access, validation and segmentation strategies to limit the impact, and finally run regular cyber incident exercises to ensure the team is prepared for a breach.

Operational technology has been left behind in the digital revolution. It’s time to bring it into the network, securely.


Author: Shannon Simpson
