'Zero Trust' within OT, can this ever work?

Zero trust is a security framework that focuses on the concept that no entity should ever receive automatic access to a network, instead, each entity must verify itself to be granted privileges, this understanding is true for entities inside and outside of a network. The Zero Trust Network (ZTN), or Zero Trust Architecture (ZTA) was created in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research, while this concept is nothing new within the IT world, it’s not something we often see on the plant floor.

What Exactly is Zero Trust?

Zero trust means many different things to many different people. This is an evolving approach to network design and also part of a wider mind-set to remove inherent trust from the network, treat connections and assets as hostile and gain confidence based on defined factors.

The principles as advised by the National Cyber Security Centre (NCSC) sum these up as ten principles:

  • Know your architecture including users, devices, and services
  • Create a single strong user identity
  • Create a strong device identity
  • Authenticate everywhere
  • Know the health of your devices and services
  • Focus your monitoring on devices and services
  • Set policies according to value of the service or data
  • Control access to your services and data
  • Don’t trust the network, including the local network
  • Choose services designed for zero trust

 

For the purposes of this paper I will focus on identity and situational awareness which is of importance with the wider adoption of remote working we’re currently faced with.

Is a Device a User?

The concept of what a ‘user’ is comes under review with zero trust. This definition has become even more complex with the Industrial Internet of Things (IIoT) and Operational Technology (OT) devices. It’s reasonably simple to identify devices by their Media Access Control (MAC) address and other unique fingerprints and the user by a unique, username, password or certificate. In truth, both of these are users, and both can be spoofed or compromised which eroded the foundation of Zero Trust Architecture (ZTA). Assuming network monitoring is in place using a solution such as Claroty Continuous Threat Detection (CTD), each device can be consistently validated, after all visibility is the backbone of security, but how can you consistently validate a user account?


One Time Trust

Authentication is validated at the point of access, the user is presented with a challenge response in the form of a unique username and password, sometimes a second factor is required (2FA) if this is through an external gateway. Once access has been granted you’re good to go, only being asked to revalidate once you log out or perhaps if your screen saver is password protected.

On the plant floor, we often see OT systems having shared passwords, therefore the Identity of a user cannot be truly established. If a connection is generated from the outside, can you be sure that it’s the person you expect to be on the device or is this someone else?

Homeworking brings yet another challenge, you’ve only got to leave your machine at home to make a cup of tea to find an inquisitive child moving those highly coloured sliders on your screen up and down because they just want to be like their parents. Usernames, passwords and two factor authentication all play a part within security, however these controls alone are not wholly suitable for the challenges faced today, therefore the approach of ‘authenticate once’ needs to be reviewed.

Trust No One

Our partners at BlackBerry have introduced Persona, an Artificial Intelligence (AI) driven continuous authentication and behaviour analytic solution designed to identify suspicious users in real time to prevent security incidents. Persona works in a fully or partially connected environments as well as an offline mode and fully integrates with Blackberry Protect and Optics which SolutionsPT advises is the best end point protection for OT. By adding continual authentication your business can be protected from malware as well as user threats.

Key features of Persona include:

  • Protection from misuse of stolen credentials using both behaviour analysis and conduct analysis engines
  • Protection from insider threats through malicious conduct analysis engines
  • Real-time mitigation actions at the endpoint such as 2FA challenges, network removal, and user account suspension
  • A near real-time view of endpoint events and user trust scores, all from a single, familiar, intuitive console
  • Integrations with third-party providers such as Ping and OKTA to provide continuous authentication for web apps. Organisations seeking to employ a Zero Trust approach to their cybersecurity policy are finding BlackBerry Persona to be a foundational element

 

Persona uses a range of other factors to decide what level of access should be granted to an user profile at any given moment to provide situational awareness, including:

  • Behavioural Analytics: Evaluates a user’s input characteristics to determine a behavioural analytic standard from which a determination on user credential authenticity is made
  • Behavioural Location: Looks at the frequency and patterns of users, based on predictive analysis of anonymised location data to determine a location-based risk score
  • Network Trust: Determines the frequency of network use and adjusts security dynamically based on that profile. Accessing a public Wi-Fi for the first time would adjust the risk score accordingly
  • Usage Anomalies: Assesses the application usage and gauges acceptable usage from anomalous usage to determine trust of the user’s credentials

 

Continuous Validation

Zero Trust is necessary in today's threat landscape; does your endpoint protection suite include continuous identity validation with situational awareness? BlackBerry cyber suite achieves unprecedented level of protection by utilising 100% artificial intelligence (AI), threats are identified often years before they are released into the wild, see our paper on why we believe BlackBerry PROTECT to be ideally suited to OT deployment. With the introduction of BlackBerry Persona this has made the value proposition for reviewing your legacy security suite much greater and it could also save you money from day one.

At SolutionsPT we closely follow security trends, monitor industry challenges and review innovations, selecting best in class solutions which are suitable for OT environments. If you’re ready to see what your legacy protection products may be missing or just want to break free of the constant upgrade cycle associated with legacy solutions, we can provide a no obligation 30-day proof of concept. Why not let the technology speak for itself and identify what others may be missing?