More and more critical processes are also being digitized in Operational Technology (OT). In today's networks, an ever-increasing proportion of systems are managed by external manufacturers and service providers. This is leading to OT operators increasingly losing control over their own network. With zero-trust networking, OT operators can regain trust in their systems. Eight questions for IT security researcher Steffen Ullrich.
Interview: Martina Hafner
OT and IT are growing ever closer together. The problem is that while production networks used to be isolated, networking with IT is now making access from outside easier. What does this mean in concrete terms for OT security?
OT environments are more mission-critical than IT environments. Production outages or malfunctions typically have a more drastic impact than in IT. Accordingly, care is taken during operation. One consequence of this is that, compared to IT, the rate of change in OT is significantly lower, and therefore the age of the devices and software used is also significantly higher than in IT. Technologies and designs often date back to a time when cyber security was a low priority in development. The attack surface is correspondingly broad.
In addition, it must be assumed that IT environments are inadequately secure. This applies not only to office IT with the typical attack vectors of phishing, malware and ransomware. Cloud services or remote maintenance managed by a service provider also mean that operators have less and less control over their own networks.
Direct networking of OT and IT therefore exposes the broad attack surface of OT to potentially insecure IT. This not only leads to a threat to reliable production. In hazardous areas such as the chemical sector, for example, it can also endanger safety and therefore human lives.
How can manufacturing companies deal with these uncertainties?
Firstly, it is important to reduce the potential attack surface as much as possible. Based on a principle of minimization, where only what is really necessary should be possible, zero-trust concepts such as micro-segmentation or software-defined perimeters proactively restrict the possible communication channels and thus reduce the attack surface to a minimum. The first step is to specify which access and which communication should be permitted for whom. Only these are consistently permitted at both application and network level. It is also important to reduce complexity. The fewer features a piece of software has and the clearer the interfaces are, the easier, simpler and more effective it is to secure.
Nevertheless, no security component is one hundred percent reliable. It is therefore important to build multi-layered security architectures, known as defense in depth. In practice, this means enforcing access restrictions on several levels, for example by restricting access to the network, restricting communication in the network and controlling access to the service or device. If an attacker then tries to penetrate a network, they will not get far.
In addition to proactive measures, reactive measures should also be implemented. Comprehensive monitoring is a prerequisite for early attack detection and a prompt response in the event of an attack. It is also important to sensitize employees and have functioning emergency plans.
What does the zero trust paradigm mean?
The traditional approach to securing business and production processes was based on the assumption that all devices, applications and the communication between them were under the company's control. The focus was therefore on securing the network at the perimeter. Within the network itself, mostly unrestricted communication was possible. This approach no longer fits reality. Today's infrastructures are much more complex and often extend across several networks. In addition, there are more and more externally managed systems such as cloud environments or remotely maintained machines. At the same time, more and more critical business processes are being digitized and networked. This increases the requirements for availability, reliability and data protection. The simple approach of network-focused security is becoming less and less scalable in today's world. The zero trust paradigm therefore focuses on securing individual processes instead of securing entire networks.
The zero-trust paradigm moves away from the idea that control at the network perimeter is sufficiently possible. Instead of securing the entire network, the focus is on securing the end devices, users and services involved in a business or production process as well as the communication paths between them.
What approaches are there to implementing Zero Trust Networking in the production world?
There are three main approaches, which differ primarily in terms of where the security rules are enforced. Zero Trust Network Access (ZTNA) according to Forrester means micro-segmentation. This means that access controls and analyses are implemented at strategically sensible points in an existing network, which restrict and monitor communication within the network. This can be achieved using a Next Generation Firewall or our cognitix Threat Defender, for example. The latter makes it possible to segment the entire internal network into small sections, separate individual devices from one another and regulate and monitor communication paths according to the principle of minimization. Machine learning algorithms help to analyze network communication over a certain period of time during operation and thus create the appropriate rules.
The second ZTNA approach is the software-defined perimeter. Here, it is not an existing network that is secured, but external access to individual services. Conceptually, this is similar to a classic virtual private network, although a software-defined perimeter only allows access to specific services and not the entire network. This is important for remote maintenance, for example, which should only allow access to individual services or systems, but not to the entire production network.
The third ZTNA concept, which is probably less relevant in the industrial environment, is known as BeyondCorp or BeyondProd and was propagated by Google. The aim here is to secure access to a single service. BeyondCorp is primarily intended for web applications. It is less suitable for everything else. In an industrial context, for example, it can be used to connect an IIoT device to a cloud-based service.
How can micro-segments be defined according to Forrester?
There are various ways to do this, depending on how much you want to invest and where the attack surfaces and security problems lie. For example, you could isolate the clients, IoT devices and servers from each other. In OT, these could be externally controlled machines; for servers, they may be critical environments. The clients are the least vulnerable. If you separate these categories, you have already achieved a lot. But you can also go so far as to separate each device from each other. In general, the aim is to reduce the attack surfaces and control communication. In other words, the more vulnerable the software on a device is and the more critical the environment, the tighter and more granular the microperimeter around these devices and services should be.
How do users find the right Zero Trust approach for them?
This depends on the specific use case. If you want to better protect potentially vulnerable devices in an existing network, micro-segmentation is the method of choice. If, for example, you want to make individual services in the local network or in the cloud accessible from outside, such as for remote maintenance, then the software-defined perimeter is suitable. However, if the aim is to protect the connection to individual web-based applications in a scalable manner, e.g. in the industrial IoT sector, then concepts such as BeyondCorp are well suited. What all ZTNA approaches have in common is that they use security policies based on identities. This concerns identities of devices, users and services. The performance of a ZTNA solution is heavily dependent on how flexible the so-called Identity Access Management is.
Several approaches can also be operated in parallel; for example, to secure a service in the internal network using micro-segmentation and also make it accessible from outside for remote maintenance via a software-defined perimeter. Several of these concepts can also be nested within one another in order to implement a defense-in-depth strategy.
A typical IT OT application is remote maintenance. How is the zero-trust procedure implemented here?
Our remote maintenance solution genubox, which implements a software-defined perimeter, is a good example of this. This means that one or more internal services should only be accessible from outside after correspondingly strong authentication. In the case of genubox remote maintenance, we have implemented this in such a way that highly secure encryption and authentication initially take place using an SSH tunnel. This approach only enables dedicated access to explicitly defined services. This means that, in contrast to frequently used VPN solutions, no network coupling takes place here. In addition to access control, the activities on the remote desktop and the terminal session (SSH connection) are recorded via video and the transferred files are checked for viruses. And the employee in the production plant has the option of physically allowing or interrupting the relevant session at any time by turning the corresponding key switch. They therefore retain control over their system at all times.
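The answer above describes the defining property of a software-defined perimeter for remote maintenance: the SSH tunnel grants access to explicitly named services, not to the network. The following is an added example in Python, not genubox code and not a description of how genua implements it. It shows how the same property can be expressed with a plain OpenSSH server, by generating an authorized_keys entry that pins a maintainer's key to a list of permitted targets with the real OpenSSH options restrict, port-forwarding and permitopen, and by checking a requested forward against such an entry the way sshd's permitopen matching does (literal host, exact port or *). The addresses, the key material and the comment are constructed placeholders.

```python
"""Pin a remote maintainer's SSH key to explicitly permitted services (added example).

Not genubox / genua code. Uses the OpenSSH authorized_keys options:
  restrict         -> disables PTY, agent/X11 forwarding, port forwarding, ~/.ssh/rc
  port-forwarding  -> re-enables forwarding, but only to the permitopen targets
  permitopen=h:p   -> one literal target (no pattern matching on hosts; port may be *)
The maintainer then runs e.g.  ssh -N -L 13389:10.20.3.9:3389 maint@gateway
and reaches only that service; any other -L/-D target is refused by sshd.
"""
import re
from ipaddress import ip_address
from typing import Iterable, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _format_target(host: str, port: int) -> str:
    """Render host:port as sshd expects; IPv6 literals must be bracketed."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    try:
        addr = ip_address(host)
        host = f"[{addr}]" if addr.version == 6 else str(addr)
    except ValueError:
        pass  # a literal hostname is also accepted; sshd does no lookups on it
    return f"{host}:{port}"


def authorized_keys_line(pubkey: str, services: Iterable[Tuple[str, int]], comment: str = "") -> str:
    """Build one authorized_keys line: options, key, optional comment."""
    options = ["restrict", "port-forwarding"]
    options += [f'permitopen="{_format_target(h, p)}"' for h, p in services]
    parts = [",".join(options), pubkey.strip()]
    if comment:
        parts.append(comment)
    return " ".join(parts)


def _split_options(line: str) -> Tuple[str, str]:
    """Return (options, rest). Assumes no quoted option contains whitespace."""
    first, _, rest = line.strip().partition(" ")
    if first.startswith(KEY_TYPE_PREFIXES):
        return "", line.strip()  # line starts directly with the key type: no options
    return first, rest


def _same_host(a: str, b: str) -> bool:
    a, b = a.strip("[]"), b.strip("[]")
    try:
        return ip_address(a) == ip_address(b)
    except ValueError:
        return a.lower() == b.lower()


def forward_permitted(line: str, host: str, port: int) -> bool:
    """Would sshd accept a -L/-D forward to host:port for a key with this line?"""
    options, _ = _split_options(line)
    names = {o.split("=", 1)[0] for o in options.split(",") if o}
    if "no-port-forwarding" in names:
        return False
    if "restrict" in names and "port-forwarding" not in names:
        return False
    targets = re.findall(r'permitopen="([^"]*)"', options)
    if not targets:
        return True  # no permitopen at all: any target (only sshd_config PermitOpen limits it)
    for target in targets:
        t_host, _, t_port = target.rpartition(":")
        if _same_host(t_host, host) and t_port in ("*", str(port)):
            return True
    return False


if __name__ == "__main__":
    # Constructed key and addresses; the PLC and the engineering jump host are the only targets.
    line = authorized_keys_line(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL",
        [("10.20.3.7", 22), ("10.20.3.9", 3389)],
        "maintainer@vendor.example",
    )
    print(line)
    print("PLC ssh:", forward_permitted(line, "10.20.3.7", 22))        # True
    print("historian:", forward_permitted(line, "10.20.3.8", 502))     # False
```

The same restriction can be enforced server-wide with PermitOpen and AllowTcpForwarding in sshd_config; the per-key form shown here is what ties the permitted services to an individual maintainer identity rather than to whoever reaches the host.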
How sustainable are zero trust concepts in view of the constantly evolving threat situation in cyber security?
The selective limitation of business and production processes using zero trust allows a significantly higher granularity and specificity of protection than securing the entire network in one piece. The use of organizational identities as the basis of security rules instead of IP addresses and ports leads to a better alignment of security and operational requirements, meaning that rules are more precise and thus offer greater protection. Proactive granular restriction of communication also increases the understanding of expected traffic, facilitating anomaly and attack detection. The accounting of accesses within Zero Trust also enables early detection of compromised accesses and allows damage to be contained quickly.
ZTNA therefore offers both greater proactive security, because only certain connections are permitted, and significantly better reactive security, because the damage can be assessed and contained much more easily and quickly. And if a new threat situation or security vulnerability arises in a device, the attack surface can be reduced promptly thanks to a narrow microperimeter, even if no patch exists yet. For example, you can ensure that only certain clients are allowed to access this device at certain times or only under certain conditions or at certain times of the day. Zero Trust offers a high degree of flexibility here.
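Several of the answers above describe one mechanism from different angles: micro-segmentation down to individual devices, rules keyed on organisational identities instead of IP addresses and ports, a tightened microperimeter around a vulnerable device while no patch exists, and access for certain clients only at certain times of day. The following is an added example in Python that is not code from genua or from the cognitix Threat Defender; it shows a minimal default-deny policy engine built on those ideas and runs it over a handful of constructed flow records, so that the denied flows double as the anomaly list the last two answers mention. The identity directory, addresses, rules and flow records are all constructed assumptions.

```python
"""Identity-based micro-segmentation with default deny and maintenance windows (added example).

Not genua / cognitix code. Identity directory, addresses, rules and flows are constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed identity directory: endpoint address -> organisational identity.
# In a real deployment this mapping comes from the device inventory / IAM.
IDENTITIES: Dict[str, str] = {
    "10.10.1.15": "hmi-workstation-01",
    "10.10.1.16": "office-laptop-42",
    "10.20.3.7": "plc-line-a",
    "10.20.3.8": "historian-server",
    "10.30.0.5": "vendor-maintenance-gateway",
}


@dataclass(frozen=True)
class Rule:
    src: str                      # identity allowed to initiate the connection
    dst: str                      # identity of the target device / service
    port: int                     # service port on the target
    start: Optional[time] = None  # optional window start (inclusive)
    end: Optional[time] = None    # optional window end (exclusive)

    def window_open(self, at: datetime) -> bool:
        if self.start is None or self.end is None:
            return True
        return self.start <= at.time() < self.end


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    identities: Dict[str, str]

    def decide(self, src_ip: str, dst_ip: str, port: int, at: datetime) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason). Anything not explicitly allowed is denied."""
        src, dst = self.identities.get(src_ip), self.identities.get(dst_ip)
        if src is None or dst is None:
            return "deny", "unknown identity"
        for rule in self.rules:
            if (rule.src, rule.dst, rule.port) == (src, dst, port):
                if rule.window_open(at):
                    return "allow", f"rule {src}->{dst}:{port}"
                return "deny", "outside maintenance window"
        return "deny", "no matching rule (default deny)"


def build_policy() -> Policy:
    """Minimisation: only the communication the process needs, keyed on identities."""
    return Policy(
        rules=(
            Rule("hmi-workstation-01", "plc-line-a", 502),        # operator HMI polls the PLC
            Rule("historian-server", "plc-line-a", 502),          # historian reads tags
            Rule("vendor-maintenance-gateway", "plc-line-a", 22,  # remote maintenance, daytime only
                 start=time(8, 0), end=time(17, 0)),
        ),
        identities=IDENTITIES,
    )


# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOW_LOG = [
    ("2024-05-06T09:15:00", "10.10.1.15", "10.20.3.7", 502),  # HMI polling the PLC
    ("2024-05-06T09:16:00", "10.20.3.8", "10.20.3.7", 502),   # historian reading tags
    ("2024-05-06T10:00:00", "10.30.0.5", "10.20.3.7", 22),    # vendor SSH inside the window
    ("2024-05-06T23:30:00", "10.30.0.5", "10.20.3.7", 22),    # vendor SSH outside the window
    ("2024-05-06T11:02:00", "10.10.1.16", "10.20.3.7", 502),  # office laptop reaching the PLC
    ("2024-05-06T11:03:00", "192.0.2.44", "10.20.3.7", 502),  # endpoint with no known identity
]


def evaluate_flows(policy: Policy, flows: Iterable[Tuple[str, str, str, int]]) -> List[dict]:
    out = []
    for ts, src_ip, dst_ip, port in flows:
        decision, reason = policy.decide(src_ip, dst_ip, port, datetime.fromisoformat(ts))
        out.append({"ts": ts, "src": src_ip, "dst": dst_ip, "port": port,
                    "decision": decision, "reason": reason})
    return out


def violations(policy: Policy, flows) -> List[dict]:
    """Denied flows are the anomalies worth alerting on: the policy doubles as a traffic baseline."""
    return [r for r in evaluate_flows(policy, flows) if r["decision"] == "deny"]


def restrict_destination(policy: Policy, dst: str, keep_sources: Iterable[str]) -> Policy:
    """Tighten the microperimeter around one device, e.g. after a vulnerability becomes known and
    no patch exists yet: keep only the rules from the listed sources to that device."""
    keep = set(keep_sources)
    kept = tuple(r for r in policy.rules if r.dst != dst or r.src in keep)
    return replace(policy, rules=kept)


if __name__ == "__main__":
    policy = build_policy()
    for v in violations(policy, FLOW_LOG):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['port']} denied: {v['reason']}")
    tightened = restrict_destination(policy, "plc-line-a", ["hmi-workstation-01"])
    print("rules after tightening:", len(tightened.rules))
```

Because the rules name identities, re-addressing a device or moving it to another segment changes only the directory, not the policy; and because everything not listed is denied, the violation list is the same data an operator would feed into attack detection.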
Figure: Example implementation of a software-defined perimeter for secure remote maintenance, built with the remote maintenance solution from genua. The remote maintainer authenticates via a rendezvous server and, after approval, can access only the required service in the operator network. In contrast to VPN-based approaches, no network coupling takes place.