Industrial Control Systems and Zero Trust Architecture
Industrial Control Systems (ICS) and Operational Technology (OT) control systems are computer-based systems used to control physical processes such as manufacturing, product handling, production, and distribution. ICS include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems that use programmable logic controllers (PLCs) to control localized processes.
In industrial settings, ICS control physical processes including electricity generation, oil and gas refining and pipelines, automated mining rigs, and factory automation. OT control systems, however, are present in a much broader range of use cases than that: they are crucial for operating warehousing and distribution systems, transportation lines, and even HVAC systems in data centers, large buildings, and campuses.
The business risks are different for OT, which operates under business continuity requirements that are orders of magnitude more stringent than those of IT, with the added elements of physical safety considerations and regulatory obligations. It cannot be overstated that the external physical processes controlled by an ICS can have catastrophic results if their safety is not managed properly. Loss of life and damage to the environment are just two of the potential outcomes.
Attacks on ICS have increased in frequency and are more complex than ever before. Today, state-sponsored hackers can purchase an ICS, under the cloak of a government-sponsored “factory,” in order to study it and weaponize it. As such, it is imperative to be more vigilant and to plan cybersecurity and other security actions proactively.
[Image credit: Steag, Germany, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=398312]
An ICS requires special attention because of the external physical processes that it controls. If we apply IT-like solutions, we get IT-like results, and the ICS will crash because of the sensitive requirements of the physical processes under control. IT solutions must therefore be modified to address the safety and security requirements of an ICS.
To protect the safety of the external physical processes of an ICS, we need to implement Defense-in-Depth strategies (made of one or more defense elements) such as a Zero Trust Architecture (ZTA) that helps isolate the ICS from other networks. An introduction to the ZTA for ICS is presented here.
Some of the rules of trust are listed below:
1. “Do not trust any network other than the ICS network itself.”
2. “Do not connect with any external network directly from endpoints or from existing internal devices.” Always go through a Demilitarized Zone (DMZ). This also means no email, FTP, or internet connection is allowed on the ICS network.
3. “Do not accept any domain to be its parent domain,” and “do not connect openly to another IT domain.”
4. “Design the ICS network following a modified Purdue Model.” The first and second layers of defense will be Zones and Conduits, and they will be established along with the segregated network for a better defense. The Purdue Model will provide a better handle on the different communications or external connections that might be trying to come into the ICS network (internal threats). Segregation, the third layer of defense after Zones and Conduits, should be achieved either by using a physical firewall at the top entry point of the ICS network, or by using Operational Technology Software-Defined Networking (OT-SDN) switches to prevent ingress into the ICS network.
5. Split data and information protections so that the ICS has no information on its network, and its data is used exclusively in protected levels of a modified Purdue Model.
6. Further rules are derived from the architecture of the ICS network and from the concepts in the NIST SP 800-82 and ISA/IEC 62443 standards.
Other ZTA defenses are:
· Access trust is given to assets based on set conditions such as certificates, fixed IP addresses, MAC address, switch port and switch, Zones, Conduits and other network rules.
· Users’ trust is established by authentication and authorization that are not based on the ingress path, but on fixed per-user authentication, including separate credentials for the ICS and enterprise networks, along with physical elements.
· No implicit trust is granted to assets or user accounts based solely on their physical or network location, such as local area networks versus the internet, or asset ownership such as enterprise or personally owned.
· Design a DMZ that is extremely strict on rules and access. In conjunction with a Modified Purdue Model implementation, it reduces the surface of attack and reduces the risk of a breach into the ICS, while allowing the transfer of specific data to the enterprise, where it can be infused with intelligence to make it usable information.
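To make the rules above concrete, here is an added example (not code from the original article) of a zones-and-conduits policy evaluator for a modified Purdue model with a strict DMZ. It implements rule 2 (no direct external connections; no email, FTP or internet on the ICS network), rule 4 (zones and conduits, default deny) and the asset-trust conditions above (fixed IP, MAC, switch and port). The zone names, conduits, asset inventory and protocol labels are constructed assumptions, not taken from the article or any standard.

```python
from dataclasses import dataclass

# Purdue levels as zones; 3.5 is the DMZ between the ICS and the enterprise.
ZONES = {"L0_field": 0, "L1_control": 1, "L2_supervisory": 2,
         "L3_operations": 3, "L3_5_dmz": 3.5, "L4_enterprise": 4}
ICS_ZONES = {z for z, lvl in ZONES.items() if lvl <= 3}

# Conduits: the only permitted (src_zone, dst_zone, protocol) flows.
# Anything not listed is denied; enterprise traffic terminates in the DMZ.
CONDUITS = {
    ("L1_control", "L2_supervisory", "modbus/tcp"),
    ("L2_supervisory", "L3_operations", "opc-ua"),
    ("L3_operations", "L3_5_dmz", "https"),   # historian pushes data to DMZ
    ("L3_5_dmz", "L4_enterprise", "https"),   # enterprise reads from DMZ
}
BANNED_ON_ICS = {"smtp", "ftp", "http"}  # rule 2: no email, FTP or internet

@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    mac: str
    switch: str
    port: int
    zone: str

# Constructed inventory: identity is pinned to fixed IP, MAC, switch and port.
INVENTORY = {a.ip: a for a in [
    Asset("plc-01", "10.1.1.10", "00:11:22:33:44:01", "sw-l1", 3, "L1_control"),
    Asset("hmi-01", "10.1.2.20", "00:11:22:33:44:02", "sw-l2", 7, "L2_supervisory"),
    Asset("hist-01", "10.1.3.30", "00:11:22:33:44:03", "sw-l3", 2, "L3_operations"),
    Asset("dmz-relay", "10.1.35.5", "00:11:22:33:44:04", "sw-dmz", 1, "L3_5_dmz"),
    Asset("erp-01", "10.4.0.50", "00:11:22:33:44:05", "sw-ent", 9, "L4_enterprise"),
]}

def evaluate(src_ip, src_mac, src_switch, src_port, dst_ip, proto):
    """Return (allowed, reason); each check is one of the trust conditions."""
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return False, "unknown asset: not in inventory"
    if (src.mac, src.switch, src.port) != (src_mac, src_switch, src_port):
        return False, "identity mismatch: MAC/switch/port differ from inventory"
    if proto in BANNED_ON_ICS and {src.zone, dst.zone} & ICS_ZONES:
        return False, f"{proto} is not permitted on the ICS network"
    if {src.zone, dst.zone} & ICS_ZONES and "L4_enterprise" in (src.zone, dst.zone):
        return False, "enterprise <-> ICS flows must traverse the DMZ"
    if (src.zone, dst.zone, proto) not in CONDUITS:
        return False, "no conduit defined for this flow (default deny)"
    return True, "conduit match"
```

Every denial carries the rule that triggered it, which is what an OT firewall or OT-SDN controller would log for detection and review.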
A common challenge for ICS owners and operators is maintaining the plethora of existing tools, systems, and vendors without breaking the ICS safety requirements, since the typical lifespan of an ICS ranges from 20 to 30 years (compared to two to three years for an average IT system). Another challenge is implementing new security features and controls across an ICS architecture that was deployed many years prior with limited security in its design.
ICS owners also have communication problems with CIOs and IT staff who struggle with the fact that the safety requirements of an ICS override “IT security” or “information system” requirements. More cross-training is required between IT and ICS team members, at the senior levels of an enterprise as much as at the lower levels, to highlight the convergence of IT and OT as well as their divergence, especially when it comes to safety: the safety of people, animals, the environment, and company assets (including buildings, campuses, and other devices).
Even though the Zero Trust Architecture does not seem to be a new concept, it brings together different defense elements that, when combined, provide a stronger defense against threats to the ICS network. ZTA shares several concepts between IT and OT that are implemented with different intended outcomes (e.g., the safety of physical processes versus the security of information).
If you’d like to know more about ICS and zero trust architecture, reach out to us via the methods below! We’d be happy to answer any questions or to discuss further.