How Viable is Zero Trust for OT/IoT Networks? Is it a Journey or a Destination?

How Viable is Zero Trust for OT/IoT Networks? Is it a Journey or a Destination?

On January 26, 2022, the Biden administration’s acting director of the Office of Management and Budget (OMB) issued a memorandum to Executive Branch department heads and agencies on moving the U.S. government toward Zero Trust cybersecurity principles. The memo laid out requirements for a Federal Zero Trust Architecture (ZTA) as a next-generation security framework to shore up America’s cyber defenses against increasingly sophisticated and persistent threat campaigns.

This pan-government guidance is further validation that ZTA needs to be considered as an important component of any cybersecurity and networking strategy and will require critical infrastructure organizations to reconsider key portions of their IT infrastructure and security processes going forward. Indeed, the January 26 OMB memo follows on guidance from the National Security Agency (NSA) in February 2021, in a document called “Embracing a Zero Trust Security Model,” which similarly outlines adopting a Zero Trust mindset and implementing a ZTA within government networks.

While ZTA is widely regarded as a significant security advancement over traditional security approaches and architectures, there are many unanswered questions, including varying definitions and requirements for ZTA by industries, experts and vendors. Zero Trust now currently appears to be a mindset or an approach rather than an explicit set of security features or capabilities. As a result, I advised caution to other governments in immediately following the U.S. government ZTA guidelines in earlier this month, as their objectives may be different.

What Do Organizations Need to Consider When Deploying a Zero Trust Architecture?

Zero Trust represents a significant change to network and security architectures to implement the necessary policies and enforcement throughout the organization. In general, a Zero Trust mindset assumes that every device and user in the network is potentially compromised or a potential threat and, in general, only explicitly allowed users, devices, communication and traffic should be allowed. While this will serve to slow or block malware propagation, unauthorized access and a wide variety of cyber threats, implementing such a design requires fundamental infrastructure and policy changes that could prove costly and very likely disruptive to existing operations and applications.

And while Zero Trust is making great inroads across IT organizations for a wide variety of specific security use cases and environments, the unique requirements of OT and IoT, combined with industrial processes and critical infrastructure, can hamper ZTA deployments with general-purpose Zero Trust solutions. Many OT and IoT devices are not easily positioned in a ZTA with microsegmentation (a common Zero Trust goal). Where Zero Trust is adopted in current OT networks, it is often limited to secure remote access scenarios, replacing increasingly suspect VPN access solutions, but not throughout the entire internal network between all devices.

In general, organizations need to assume Zero Trust is not a turnkey solution, it’s a change of mindset. It will likely require significant upgrades or policy and application changes across the infrastructure. The many definitions and use case scenarios should cause organizations to prioritize how and why a ZTA should be deployed, depending on current access and application requirements, and not look to any specific guidance or mandates, such as the above memo from the U.S. government. By the way, that memo requires implementing encryption for HTTP and DNS traffic by 2024, but not other services like email. These specific details may be completely irrelevant to other industries and organizations with other application security needs.

The Nozomi Networks Approach to Zero Trust

With no “one-size-fits-all” approach to Zero Trust, but recognizing it is likely to evolve into a cornerstone of many organizations’ security objectives in the coming years, Nozomi Networks is well-positioned to assist customers in this journey. In fact, many Zero Trust principles fall completely in line with our traditional focus on endpoint vulnerability management and verification, attack surface reduction, and always-on monitoring and threat detection.

First of all, our solutions have always been non-intrusive and non-disruptive to existing networks, a key requirement for critical OT systems and processes. We extend this same approach to Zero Trust services by monitoring network traffic and comparing observed behavior to specific allowed policies. Rather than blocking legitimate traffic that was unanticipated, we can either alert on the identified ZTA policy violations for further review or integrate with partners that can quarantine or block suspicious endpoints and users, as needed. Zero Trust Monitoring, comparing traffic patterns to stated policies, is going to be a key initial step for most ZTA deployments to identify all the required network flows and application traffic so when Zero Trust policies are enforced, critical services are not disrupted.

Gartner describes Zero Trust as an architecture that “never trusts, always verifies” connections and assumes a bad actor is active at all times, which leads to a highly resilient, highly flexible environment against modern attacks. Similarly, the Nozomi Networks focus on asset identification, continual verification of endpoint and user posture, vulnerability assessments of devices, and insight into legitimate established operational activity serves as an automated intelligent verification platform for every device in your organization 24×7. We also have deep asset intelligence that knows the expected and baseline behavior for a surveillance camera or a programmable logic controller. We can identify even when trusted devices may be compromised and evaluated for quarantine or restricted access.

What’s Next for Zero Trust?

At Nozomi Networks, our product vision and partner strategy will extend our traditional Vantage and Guardian capabilities to support the evolution to a Zero Trust mindset and a Zero Trust architecture. ZTA doesn’t need to be disruptive, and there is no drop-in solution to convert every environment to Zero Trust overnight. In your organization, your approach to Zero Trust may be very different than any industry guideline or vendor solution. You need a platform that provides the foundational services for a Zero Trust mindset and can adapt to define and implement your required policies going forward.

Zero Trust is clearly a journey and not a specific destination. Nozomi Networks can help you on a path that makes sense for your existing OT and IoT deployments without a rip and replace approach, installing agents on every endpoint, or suddenly encrypting and blocking most of your network traffic overnight. We can help with a commonsense approach to Zero Trust, which has long been part of our product DNA that secures many of the world’s largest OT organizations.