Implementing zero trust for IoT and OT networks


Zero trust is a security framework built on the principle that no entity should receive access to a network automatically: each user or device must verify itself before being granted that privilege. Born out of the realisation that threats can originate inside the network as well as outside it, zero trust replaces implicit, location-based trust with continuous verification, and helps to protect increasingly fragmented and diverse networks.


About the author

Rich Orange, VP of UK&I, Forescout.

When deploying the zero trust model, it is vital that organisations have a good understanding of every connected user, their devices and the data they are attempting to access. This should already be the foundation of any security framework, since visibility is the backbone of security, but it is exceptionally important when creating the enforcement policies and controls that make up a zero trust strategy. Ultimately, a business needs to know who and what is trying to access which resources before it can define the correct parameters and controls.

So, is a device a user?

The idea of what constitutes a 'user' comes under scrutiny when enforcing zero trust. The definition has become even more complex with the massive increase in devices connecting to the network, including internet of things (IoT) and operational technology (OT) devices. With all these new technologies on the network, the potential attack surface is greatly widened. This calls for businesses to establish an identity for everything that comes into contact with the network: users, devices, virtual infrastructure and cloud computing assets.

An effective way to evaluate connections is to group devices into categories. IoT devices gather, access and share information, automate functions and improve efficiency without human assistance, and they are the fastest-growing category of devices. Industrial IoT, in which machine-to-machine (M2M) communication is the norm, is common in industrial and manufacturing environments.

It has also been adopted in healthcare, business and insurance applications. OT is being brought onto the same networks and requires the same level of security. According to Gartner, by 2021, 70% of OT security will be managed directly by the CIO or CISO, up from 35% at the time of writing. Smart devices can be extremely problematic when it comes to security decisions. Botnets such as Mirai, for example, take control of unmanaged IoT devices with weak or default credentials and can direct very large numbers of them in DDoS attacks against critical services.

Devices are always unique

To fully understand a device, and therefore determine the access it should be allowed on the network, looking at its IP address is not enough. It needs to be verified by much more: granular detail and full situational awareness are key to keeping any network secure. This information might include the patch level the device is currently at, as well as its business context.

A good example of this in action is IP-connected cameras. The same type of camera can be used for multiple functions in a business, from video conferencing to video surveillance. In the financial sector, for example, video is used to monitor customers and is built into cashpoints to scan cheque deposits; that same model of camera might be used on an oil rig for health and safety purposes.

What this means is that the camera must share communication paths with multiple data centre applications and cloud services, and these pathways will be unique to the business using the camera and the function it serves. This is why the foundation of the zero trust model must be grounded in device identity and context, not in network address alone.

IoT and OT devices need special measures

Another core principle to consider when creating a zero trust ecosystem is that it must go beyond users and include non-user devices. Users who, in a traditional setting, would have been guaranteed automatic access simply because they were part of the network are no longer granted that privilege; anything or anyone trying to gain access is treated as untrusted until verified, exactly as a non-user device would be.

To make this an efficient process it is important to use an agentless device visibility and network monitoring solution for IoT and OT devices, as agent-based security products often cannot be installed on these types of technology. This, combined with a detailed understanding of every device on or attempting to access the network, its traffic flows and its resource dependencies, will help build a robust zero trust architecture.

Finally, network segmentation should be used to keep control of the business's systems. Segmentation supports core zero trust principles and risk management through continuous monitoring of user and device access to critical business applications. It can also limit the effect a breach has on other systems by locking down IoT and OT devices that behave suspiciously, preventing lateral movement across the network. Segmentation provides extra checks and precautions for devices that cannot be patched or updated by keeping them in separate zones, reducing the attack surface.
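The three ideas above, identity and context rather than IP address as the basis for access decisions, a separate zone for devices that cannot be patched, and locking down a device that starts talking to things outside its profile, can be sketched as a small policy engine. The following is an added example written for this page; it is not Forescout's code or any product's API. The device models, destinations, MAC addresses, thresholds and traffic are all constructed for the illustration.

```python
"""Added example: identity- and context-based access decisions for IoT/OT devices.

The policy is keyed on what a device is and what it is for, never on its IP address.
Inventory records, per-profile allow-lists and the sample flows are constructed
for this example; the model names, hosts and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    mac: str                    # stable identity; the IP is deliberately not used for decisions
    vendor: str
    model: str
    purpose: str                # business context: what this device is used for
    site: str
    last_patch: Optional[date]  # None means the device cannot be patched at all


@dataclass(frozen=True)
class Decision:
    allowed: bool
    zone: str
    reason: str


# Hypothetical per-(model, purpose) allow-lists of (destination, port). The same camera
# model gets different communication paths depending on the job it does.
PROFILES: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("cam-x200", "surveillance"): {("vms.corp.example", 554), ("ntp.corp.example", 123)},
    ("cam-x200", "conferencing"): {("meet.cloud.example", 443), ("ntp.corp.example", 123)},
    ("plc-s7", "line-control"):   {("historian.ot.example", 502)},
}

MAX_PATCH_AGE_DAYS = 90  # assumed: older than this and the device is quarantined
DENY_THRESHOLD = 3       # assumed: this many off-profile flows locks the device down


class PolicyEngine:
    def __init__(self, inventory: Dict[str, Device], today: date):
        self.inventory = inventory            # keyed by MAC, not IP
        self.today = today
        self.deny_counts: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def zone_for(self, dev: Device) -> str:
        """Assign a segment from identity, patch state and observed behaviour."""
        if dev.mac in self.locked:
            return "quarantine"
        if dev.last_patch is None:
            return "legacy-isolated"          # separate zone for devices that cannot be patched
        if (self.today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
            return "quarantine"
        return f"{dev.site}-{dev.purpose}"

    def evaluate(self, mac: str, dst: str, port: int) -> Decision:
        dev = self.inventory.get(mac)
        if dev is None:
            return Decision(False, "unknown", "device not in inventory: default deny")
        zone = self.zone_for(dev)
        if zone == "quarantine":
            return Decision(False, zone, "device quarantined: stale patch level or suspicious behaviour")
        profile = PROFILES.get((dev.model, dev.purpose))
        if profile is None:
            return Decision(False, zone, "no profile for this model/purpose: default deny")
        if (dst, port) in profile:
            return Decision(True, zone, "matches device profile")
        # Off-profile flow: count it, and lock the device down once it keeps happening,
        # which is what stops a compromised device moving laterally.
        self.deny_counts[mac] = self.deny_counts.get(mac, 0) + 1
        if self.deny_counts[mac] >= DENY_THRESHOLD:
            self.locked.add(mac)
            return Decision(False, "quarantine", f"{DENY_THRESHOLD} off-profile flows: device locked down")
        return Decision(False, zone, "destination not in device profile")


# Constructed inventory: two identical cameras doing different jobs, plus an unpatchable PLC.
INVENTORY: Dict[str, Device] = {
    "00:11:22:aa:bb:01": Device("00:11:22:aa:bb:01", "AcmeCam", "cam-x200", "surveillance", "branch-london", date(2024, 5, 1)),
    "00:11:22:aa:bb:02": Device("00:11:22:aa:bb:02", "AcmeCam", "cam-x200", "conferencing", "hq", date(2024, 5, 1)),
    "00:11:22:cc:dd:03": Device("00:11:22:cc:dd:03", "PlcCorp", "plc-s7", "line-control", "plant-1", None),
}


def demo() -> List[Decision]:
    """Run a constructed sequence of flows through the engine and return the decisions."""
    engine = PolicyEngine(INVENTORY, today=date(2024, 6, 1))
    flows = [
        ("00:11:22:aa:bb:01", "vms.corp.example", 554),      # surveillance camera to VMS: allowed
        ("00:11:22:aa:bb:01", "meet.cloud.example", 443),    # same model, wrong job: denied
        ("00:11:22:aa:bb:02", "meet.cloud.example", 443),    # conferencing camera to cloud: allowed
        ("00:11:22:cc:dd:03", "historian.ot.example", 502),  # PLC in legacy zone, on profile: allowed
        ("00:11:22:cc:dd:03", "10.0.5.17", 445),             # PLC probing SMB on peers: off-profile
        ("00:11:22:cc:dd:03", "10.0.5.18", 445),
        ("00:11:22:cc:dd:03", "10.0.5.19", 445),             # third strike: device locked down
        ("00:11:22:cc:dd:03", "historian.ot.example", 502),  # now denied even for its normal path
        ("de:ad:be:ef:00:00", "vms.corp.example", 554),      # unknown MAC: default deny
    ]
    return [engine.evaluate(*flow) for flow in flows]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note that the two cameras share a model and vendor and differ only in their purpose field, yet end up in different zones with different allow-lists; that context has to come from an inventory, which is exactly what the agentless visibility discussed above provides. The PLC keeps its one permitted path while it behaves, and loses it as soon as it starts scanning neighbours.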

Zero trust can be difficult to achieve in full, but if the right measures are put in place, such as close scrutiny of every device and effective network segmentation, security teams can keep the likelihood of a full-blown breach to a minimum.

Rich Orange

Rich Orange is the Regional Vice President for UK and Ireland at Forescout. He is an experienced cyber security sales leader with a history of working in and leading high-growth sales teams across reseller/SI, MSSP and vendor environments. Rich is passionate about cyber security, being customer-centric and delivering positive outcomes and experiences for clients. He works hard to create a high-performance environment where people feel valued and can excel.