Examining the Role of Zero Trust Access in OT Security

By: Rick Peters, CISO Operational Technology, North America, Fortinet

This is a summary of an article written for Automation.com by Rick Peters, CISO, Operational Technology North America at Fortinet. The entire article can be accessed here

As operational technology (OT) networks become increasingly connected to the rest of an organization’s network infrastructure, they become a growing target for increasingly sophisticated cyber criminals. In fact, Fortinet’s 2020 State of Operational Technology Cybersecurity Report indicates that nine out of 10 OT leaders had at least one intrusion in the past year, with 72% having experienced three or more.

OT infrastructures can no longer rely on an air gap as a primary defense mechanism. Instead, OT security strategies should center on Zero Trust Access (ZTA), which doesn’t allow access to any user, device, or application without proper credentials (identification and permissions). This helps neutralize  threats from both inside and outside the network and ultimately prevent data breaches.

Understanding the Critical Nature of OT System Cybersecurity

OT systems typically integrate physical, network-connected devices serving domains such as manufacturing, energy and utilities, transportation, and digitally connected buildings, campuses, and cities. These systems have been historically isolated via air gaps, meaning that they had no direct network lines of connection to the outside world and thereby expose vulnerabilities. With the growth in dependence on Industrial Internet of Things (IIoT) devices, OT systems experience digital connectivity to accomplish the transaction of high volumes of data. The advent of this IT/OT digital transformation has resulted in an expanded attack surface and certainly amplified the necessity of cybersecurity best practices to achieve timely situational awareness.

Many organizations address these challenges with an array of point solutions, but this strategy isn’t sustainable in the long run. In many instances, dependence on multiple integrated point solutions fall well short of delivering true visibility and control across the entire network and can lead to security gaps and response latency. OT networks must be able to rapidly recognize and neutralize security threats to avoid critical service outages, especially since a breach could lead to industrial sabotage and even loss of life.

The OT ZTA Process and Next-generation Firewalls

Zero Trust Access begins with applying a consistent policy of “never trust, always verify” for every wired and wireless network node. This is not always straightforward to accomplish across a complex landscape, but implementing known best practices can enable significant progress. For example, practicing the principle of least privilege across internal and external network communications limits threats by providing users and devices with only the minimum access they require and no more.

Integrating an internal segmentation firewall at multiple points within the network protects against an array of attack vectors while providing both network visibility and least privilege enforcement. Containment strategies also prevent vertical or horizontal movement within the OT environment.

Next-generation Firewall (NGFW) technology that employs an internal segmentation configuration and intelligent switching can also provide a ZTA foundation across IT/OT networks. Configuring the NGFW with secure and scalable Ethernet switches allows micro-segmentation and policy enforcement that prohibits any unapproved east-west or north-south network movement, making network security more granular while improving attack resistance.

How Multi-factor Authentication Can Help

Heightened protection is achieved with multi-factor authentication (MFA), which only grants access after the user has successfully presented two or more factors to an authentication mechanism. These factors may include the following:

  • Possessions: Items that only the user possesses, such as a badge or a smartphone.
  • Unique identifiers: This includes biometrics, such as a fingerprint or voice recognition.
  • Knowledge: Information known only to the user, such as a password or PIN number.

Requiring several of these factors or pieces of evidence is how MFA makes network breaches much more challenging for bad actors.

Balancing Secure OT with Sustained Operations

Digital transformation and the convergence of IT/OT present many inherent risks, requiring proportional cybersecurity investment. However, security perfection is not the goal. Instead, the focus should be on protecting the most important assets as much as possible while still enabling safe and continuous operations that prioritize speed, scale, and solution longevity of the OT system.

We can expect cyber adversaries to remain committed to developing sophisticated tradecraft as part of delivering cyber campaign toolkits that present newer attack methods. While the implementation of ZTA strategy significantly raises the cybersecurity bar for the protection of highly valued cyber physical assets, there remains a need to achieve comprehensive protection employing a broad spectrum defensive strategy. For example, ZTA doesn’t protect against distributed denial of service (DDoS) attacks.is also not practical when it comes to inspection of encrypted payloads, such as virtual private networks (VPNs), due to the overhead and delays.

As cybersecurity best practices are adopted to proactively defend OT systems, it is equally important to be committed to execution such that latency of event or anomaly detection is latency is avoided or minimized. Elements of an OT security strategy should always be considered in relation to the larger ecosystem. Internal behavioral analysis and ZTA enable greater situational awareness and create a more proactive security posture for OT systems. But the return on OT security investment should be valued in proportion with safe, trusted, and sustained operations.


Join Secure Sense partner, Fortinet, for their Operational Technology Symposium 2021 Energy day on August 31st! Industry experts lead the conversation on the future of security for the cyber-physical environments within manufacturing, energy, power, and utilities. Register here.

Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.