Building a Resilient World: Practical Automation Cybersecurity

In Conversation with Authors of ISAGCA White Paper on Zero Trust and ISA/IEC 62443

Written by Kara Phelps | Nov 8, 2024 5:00:00 PM

The ISA Global Cybersecurity Alliance (ISAGCA) recently published a white paper exploring the application of zero trust in operational technology (OT) and the significance of the ISA/IEC 62443 series of standards — the world’s leading consensus-based standards for control systems cybersecurity — in achieving a robust zero trust framework. 

Titled Zero Trust Outcomes Using ISA/IEC 62443 Standards, this white paper was authored by highly regarded industry experts, three of whom also held a webinar on 24 October 2024 to continue the conversation:

  • Danielle Jablanski, ICS Cybersecurity Strategist, Cybersecurity and Infrastructure Security Agency (CISA)
  • Andy Kling, VP Cybersecurity, Schneider Electric
  • Bob Pingel, OT Cybersecurity Strategist, Rockwell Automation

We asked the speakers for their insights into the creation of the white paper as well as the shifting definitions and adoption strategies around zero trust in OT. Anyone interested in a brief, high-level introduction to a few topics covered in the webinar may refer to this recent blog post. A full recording of the webinar is also available here.

Note: The following responses have been lightly edited to conform to editorial guidelines.

Danielle Jablanski on the Effort Behind the White Paper

"The effort behind this white paper was to help professionals across automation and OT industries think through key responsibilities and decision points in considering where and how to implement zero trust priorities across their security programs and policies. This was the driver for the sections being outlined as 'cost/benefit considerations' where mission, criticality, infrastructure, tools and reliability are all considered in the reasoning, implementation and management of security controls and procedures. There is no one-size-fits-all or commercial off-the-shelf deployment of 'zero trust,' and we hope that the five steps to applying zero trust written in the paper will help asset owners to scope their implementations in a useful and pragmatic way."

Bob Pingel on Expectations for the Future of the Zero Trust Approach in OT

"The world of OT security is changing rapidly. Regulations in many geographies demand the adoption of security and, in some cases, specifically zero trust. This greater adoption will drive innovation and smooth out some of the speed bumps to success we see today. Of those speed bumps, one of the biggest is production downtime in brownfield environments due to remediation and control deployment. Innovative security solutions will allow bumpless deployment with near-zero downtime, resulting in dramatically shorter time to value."

Danielle Jablanski on Zero Trust Implementation

"As I mentioned in the webinar, one key takeaway from developing a zero trust implementation is the ability to construct multiple levels of validation for users, systems and access across your networks. This type of strategic implementation provides organizations with the potential to identify or eradicate malicious actors/activities before lateral movement and privilege escalation, leading to a reduction in dwell time for threat actors and a reduction in the potential severity of cyber incidents. While that is a shared goal of many tools and capabilities in the security domain, it must also be extended across environments and networks in a more strategic effort than many point solutions in cybersecurity may offer."

Andy Kling on the Value Proposition for Zero Trust in OT

The following remarks were made in response to an audience question from the webinar.

"Zero trust brings a base philosophy that allows you to start to organize your cyber strategy. You can say, 'We're going to start from not trusting anything, and from there, we're going to build up our cyber strategy.'"

Cyber Strategies Are Improving

Citing statistics released by Mandiant the week of 22 October 2024, the speakers asserted that cybersecurity postures are strengthening. In 2018, the average time to execute on disclosed CVEs was estimated to be about 63 days. By 2023, however, the average time to execute on known vulnerabilities had fallen to just five days.

Continue the Conversation

The speakers emphasized that they welcome feedback, and they are interested in continuing the conversation around zero trust in OT. To learn more about the speakers' thoughts and recommendations around zero trust in OT, listen to the full webinar recording and download the ISAGCA white paper they helped to author.