One question I get the most when meeting customers about zero trust cybersecurity is: “What is it?”
I answer them by mentioning some things that “zero trust” is not. For one, it’s not a new method of logging in, nor is it a specific technology. And it doesn’t mean trusting no one. Yes, it does incorporate bits and pieces of those things, but at its core, zero trust is a philosophy, and it boils down to these overriding principles:
- Know your organization’s architecture. Understand the devices your company uses and the data that flows through that architecture.
- Know who your users are. What do they do at the company, and what access do they need to your systems to do that task?
- Know which services you need to run your business. Removing or limiting redundant services, apps, devices and so on reduces the number of entry points into your system.
The premise of zero trust is built around identity and access management (IAM). Access is denied to everything by default and then granted only to the people or systems that need it for a specific task (least privilege). As connected technology spreads, zero trust is rapidly becoming a must: cyber-attacks are more pervasive, and gaps can be exploited in all kinds of devices, from tablets to air-conditioning units. The number of entry points available to attackers keeps growing.
So a zero-trust model identifies users and applications, as well as the communication flows between them. A user or application first proves its identity (authentication); only then does the system check what that identity, and the group it belongs to, is permitted to do (authorization), and for which specific actions. Crucially, that check is repeated for each request rather than performed once at login, which replaces a single perimeter with multiple enforcement points.
No environment is 100% trustworthy, and zero trust cybersecurity understands that. This approach grants specific privileges to specific users, and nothing more. (The padlock in a web browser is a smaller example of the same idea: the browser has verified the site’s TLS certificate before it trusts the connection. Zero trust applies that kind of explicit verification to every user, device and request, not just to the server.)
Next, behavioural analytics (often marketed as AI) flag anomalies related to access, such as a sudden increase in privileges or abnormal access, like logging in from an unknown location. Zero trust gets complex once you break down the layers involved (firewall policies, segmentation, device checks), but its basis is strong, verifiable authentication of each user and device, for example through certificate-based identities. Those employees are then permitted entry only within whatever limits you choose to implement.
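To make the sequence above concrete, here is an added Python example (written for this page, not Schneider Electric code) of a default-deny access check. It authenticates a user, checks the device against a compliance inventory, authorizes the specific action requested, and flags the two anomalies mentioned above: access from an unknown location and a request for privileges outside the user’s role. The user directory, device inventory, policy table and sample requests are all constructed for illustration.

```python
"""Default-deny, per-request access evaluation in the zero-trust style.

Added example, not Schneider Electric code. The user directory, device
inventory, policy table and requests below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# --- Identity store (constructed) -------------------------------------------
_SALT = b"static-demo-salt"  # constructed; use a random per-user salt in practice


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# username -> (password hash, groups, countries this user has logged in from)
USERS = {
    "alice": (_hash_pw("correct horse", _SALT), {"plant-ops"}, {"DE"}),
    "bob": (_hash_pw("battery staple", _SALT), {"vendor"}, {"US"}),
}
COMPLIANT_DEVICES = {"hmi-01", "laptop-42"}  # constructed device inventory

# --- Policy: (resource, action) -> groups allowed. Anything absent is denied.
POLICY = {
    ("plc-line-1", "read"): {"plant-ops", "vendor"},
    ("plc-line-1", "write"): {"plant-ops"},
}


@dataclass
class Request:
    user: str
    password: str
    device_id: str
    country: str
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    anomalies: list = field(default_factory=list)


def authenticate(user: str, password: str):
    """Return the user record if the password verifies, else None."""
    rec = USERS.get(user)
    if rec is None:
        return None
    # Constant-time comparison so a wrong guess leaks no timing information.
    if not hmac.compare_digest(rec[0], _hash_pw(password, _SALT)):
        return None
    return rec


def evaluate(req: Request) -> Decision:
    """Evaluate one request: identity, device posture, policy, then anomalies."""
    rec = authenticate(req.user, req.password)
    if rec is None:
        return Decision(False, "authentication failed")
    _, groups, known_locations = rec

    if req.device_id not in COMPLIANT_DEVICES:
        return Decision(False, "device not in compliant inventory")

    anomalies = []
    if req.country not in known_locations:
        anomalies.append(f"access from unknown location {req.country}")

    allowed_groups = POLICY.get((req.resource, req.action))
    if allowed_groups is None or not (groups & allowed_groups):
        # Authenticated, but asking for more than the role grants: record it.
        anomalies.append(f"{req.action} on {req.resource} is outside the user's role")
        return Decision(False, "no policy grants this action (default deny)", anomalies)

    if anomalies:
        # Policy would allow it, but the context is unusual: deny pending step-up.
        return Decision(False, "anomalous context, step-up verification required", anomalies)
    return Decision(True, "authenticated, compliant device, policy match", anomalies)


if __name__ == "__main__":
    samples = [
        Request("alice", "correct horse", "hmi-01", "DE", "plc-line-1", "write"),
        Request("bob", "battery staple", "laptop-42", "US", "plc-line-1", "write"),
        Request("alice", "correct horse", "hmi-01", "CN", "plc-line-1", "read"),
        Request("alice", "correct horse", "byod-phone", "DE", "plc-line-1", "read"),
    ]
    for s in samples:
        print(s.user, s.action, evaluate(s))
```

The important property is that there is no code path that allows by default: a missing policy entry, an unknown device or an unknown user all fall through to a deny, and the anomaly list is returned with the decision so a monitoring system can alert on it.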
This is where the real benefit of zero trust comes in: because every identity, device and flow becomes its own enforcement point instead of relying on the network perimeter alone, you can layer more cybersecurity protections across an OT/IT landscape.
Growing your operation securely
Zero trust is one of the strongest cybersecurity models available today. It helps protect your system architecture and your intellectual property from ransomware and any other cyber-attacks that may seriously disrupt or halt operations. It’s also an approach to cybersecurity that feels tailor-made for OT systems, everything from hotel operations to plants using open process automation.
Many OT systems are behind the curve and thus more susceptible to attackers. This is especially an issue for enterprise businesses, where more users means more access paths into a system. By 2025, an estimated 80 billion devices will be connected to the internet, and about 95 percent of cyber-attacks begin with a single malicious email. For example, according to a 2019 report from Symantec, 54 percent of the world’s mining and metal companies experienced a cybersecurity incident, and one in 258 emails in that sector was malicious.
Schneider Electric knows there is a growing need to build a collaborative cyber-defense ecosystem. Additionally, many critical-infrastructure industries, such as water and wastewater or energy and chemicals, are increasingly required by government regulation to raise their operational cybersecurity to help protect federal networks and essential utilities. Fortunately, the convergence of IT and OT has opened the door to a variety of cyber-secure solutions built on the IEC 62443 family of standards.
Another major question I hear when talking to customers about zero trust cybersecurity is: “Where do we begin?”
While there is much complexity in the technologies involved with zero trust, implementing strong controls starts with getting a full view of how your operation is organized. To get there, we take a multi-step approach to help assure a secure OT infrastructure.
- First, we assess the existing controls in your operation. We appraise your current cybersecurity posture against the IEC 62443 standards, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and any regulatory requirements that apply.
- Next comes design and implementation through a series of consultations. Certified cybersecurity experts take the gaps, risks and vulnerabilities found during the assessment and create strategies to close them, adding protective layers (such as network segmentation) to mitigate risk.
- After that comes diligent monitoring. Continuous threat-detection tooling improves network resilience. We help deploy tools that learn how a network behaves under normal conditions (via dynamic endpoint modeling) and flag anomalies as they occur.
- The last step is maintenance and training. Managed services patch and update the solutions put in place during the previous step so they keep pace as attackers find new ways into a system.
So, to reiterate, assessing the potential threats and vulnerabilities dictates how much protection is needed. With a firm understanding of your organization in place, you can take the next steps: create policies, choose authentication methods, and grant access to each part of your business only to the people who need it.
Security services focused on OT organizations
I’ve helped customers with implementing network segmentation, firewall policy management, anti-virus monitoring, and multi-factor authentication (providing a secondary verification) in their environments. The level of protection is a decision about how much safeguarding you want for your system, made with an understanding of the risk of leaving out particular layers.
The journey to zero trust is about working with a partner who understands OT and has experienced consultants and engineers who can offer greater resiliency. Implementing an effective strategy, whatever security level you need to reach, is best done with experts who have veteran experience in control-systems automation and know which IT-OT solutions will work best in your operation. Whether your architecture is greenfield or brownfield, a hotel or a data center, cyber-secure solutions are available at multiple levels.
For more information about Schneider Electric’s managed security services, visit our cybersecurity services page.