Zero Trust in the IoT/OT Space

by Roger Halbheer on May 11, 2020

Zero Trust is definitely not new but around for something like 16 years if you look at it. This is, when the Jericho Forum was formally established and Network Access Control architectures started to get deployed (or at least designed). It definitely got some tailwind 10 years later with Google’s work on BeyondCorp (as a response to Operation Aurora ins 2009).

But only recently we saw more and more companies really starting to work on it and it came up in our discussions with customers. In my opinion, the concepts were brilliant and helped to drive the technology development in the right direction but only recently were the product like Conditional Access ready to really make Zero Trust happen.

At Microsoft IT we are on the Zero Trust (and in this motion the passwordless) journey since a while. We document what we learn internally and with customers on the Zero Trust page.

Especially when I talk to the manufacturing industry I get some push-back. Not because they do not understand the concepts but because the classical question about “That, all good but what about OT?“, “”What about my shop floor?“.

These questions are very valid and unfortunately not simple to answer. The concepts as such, that you only trust if you can explicitly and continuously verify obviously apply to OT as well. But as we are often talking of 20-year-old technology the underlying tools are not that simple to implement.

Now I came across a blog post (thank you Jung-Uh) by CyberX addressing this question in a very comprehensive way – or better they are addressing six questions: Six Questions to Ask During Your Network Segmentation Project. Let me try to pick the most important parts from my point of view.

A lot of companies I know, are still basing their security approach (especially in OT) on the network and the network perimeter. To quote:

Broadly, organizations are coming to the obvious conclusion: in the age of digitization and Industry 4.0, true “air gaps” no longer exist, and it’s naive to think that relying on perimeter security is a viable option for protecting IoT/ICS networks.

Or the way I put it: There is not such thing as an airgap… Stuxnet has proven this in a dramatic but for a lot of people eye-opening way. But still the network will play an important role in Zero Trust for OT as we most often cannot touch the device.

And in the case of IoT/ICS networks, a key part of a Zero Trust initiative is network segmentation.

These are the six questions you need to answer and they need to be answered by people who understand OT:

Can I use my existing IT networking tools?
What devices, exactly, am I segmenting?
How are these devices really communicating?
Am I certain that nothing is going to break when I configure firewall policies?
Which of my devices are contacting the internet, and do they need to be? What other devices are they communicating with?
Is my planned network segmentation topology enough to protect my crown jewels?

It feels to me that this is kind of a journey to embark on but a needed one. Zero Trust is conceptually the basis for it.