The ISA Global Cybersecurity Alliance (ISAGCA) held a webinar on 24 October 2024 to provide insights into the application of the ISA/IEC 62443 series of standards and their significance in achieving a robust zero trust framework. Attendees were able to gain an understanding of zero trust as a strategic concept, review operational technology (OT) systems' essential functions, explore an overview of cost/benefit considerations for zero trust in OT and learn perspectives for security practitioners and business leaders.
The webinar's featured speakers are highly regarded industry experts who are also some of the writers of ISAGCA's recent whitepaper, Zero Trust Outcomes Using ISA/IEC 62443 Standards:
In information technology (IT), the realization that risk is internally and externally inherent has led to a review of trust and a move toward removing implicit trust and increasing verification. In OT, the concept of zero trust is becoming more relevant, and hybrid approaches can incorporate zero trust principles when appropriate.
This blog post is intended to provide a brief, high-level introduction to a small sample of topics covered in the recent ISAGCA webinar. To take a deep dive into these experts' insights around zero trust, including cost/benefit considerations and high-level implementation strategy, you may listen to the full webinar recording here.
In a future post, we will share more highlights with the goal of continuing the conversation around zero trust in OT.
Many people refer to zero trust as essentially "defense-in-depth in new clothing." It is an idea that has taken on a life of its own. Zero trust is not the only philosophy for cybersecurity, but it is a great complement to other standards and frameworks.
Danielle Jablanski cited a definition of zero trust included in a U.S. Air Force guidance document around zero trust: "Zero trust is a data and application access strategy that assumes all connections, regardless of network origin, come from untrusted sources. Access to each resource is only granted after explicitly requesting, establishing and continuously re-verifying confidence in the requester's identity, device and context of each connection."
As Andy Kling also stated in the webinar, "Zero trust brings a base philosophy that allows you to start to organize cyber strategy." The speakers presented a chart with their thoughts on what zero trust is — and is not — in relation to OT and industrial control systems (ICS).
Rather, zero trust can be described as a conceptual framework for strategically building defensible architectures and a mechanism for setting a required level of verification and authentication for devices, systems, components and users. It is a way to enforce accurate, least-privileged, per-request access decisions in information systems, and — as the speakers emphasized — zero trust is applicable to OT/ICS.
The focus for OT cybersecurity is the ability to operate under compromise, maintaining mission-critical systems, processes, resources and facilities. Importantly, zero trust does not disrupt essential functions. The ISA/IEC 62443 series of standards delineates essential functions — the functions or capabilities required to maintain health, safety, the environment and availability of the equipment under control, including safety instrumented functions, other safety systems, control operability and the ability of the operator to view and manipulate the equipment under control.
"I see this as extremely important in understanding where to deploy zero trust implementation throughout your policy," Jablanski said in the webinar. "It is also a really important part of your continuous operations, operating under compromise, your IR [incident response] planning, as well as some manual operations plans that have to consider essential functions and all of the components that go into that."
Zero trust implementation can begin with a "crown jewels analysis": identifying critical services and components, then deciding what to do about authentication and the design of zones and conduits, whether to re-architect (rip and replace), and/or introducing or re-introducing tools and adding security controls that extend existing protection as compensating controls.
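As an added illustration that is not from the webinar or the whitepaper, the following Python sketch models the per-request decision described above: each request is checked on identity (a role permitted on a zone-to-zone conduit), device posture and context (zone pair, protocol, time since confidence was last verified), and a stale verification on an asset that serves an essential function triggers a compensating control rather than a hard block. The zone names, roles, asset names and the re-verification interval are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed conduit policy (zone names and roles are hypothetical): a
# (source zone, destination zone, protocol) conduit and the roles allowed on it.
CONDUITS = {
    ("engineering", "control", "modbus"): {"controls_engineer"},
    ("dmz", "control", "opc-ua"): {"historian_svc"},
}
# Constructed: assets whose loss of access would impair an essential function
# (the operator's ability to view and manipulate the equipment under control).
ESSENTIAL_ASSETS = {"hmi-operator-view"}
REVERIFY_AFTER_S = 300  # assumed interval for re-verifying confidence

@dataclass
class Request:
    user: str
    role: str
    device_compliant: bool  # posture check result, e.g. managed and patched
    src_zone: str
    dst_zone: str
    dst_asset: str
    protocol: str
    time_s: int  # time of this request, in seconds

@dataclass
class Decision:
    allow: bool
    reason: str
    compensating_control: Optional[str] = None

def decide(req: Request, last_verified_s: int) -> Decision:
    """Per-request decision: network origin alone never grants access."""
    roles = CONDUITS.get((req.src_zone, req.dst_zone, req.protocol))
    if roles is None:
        return Decision(False, "no conduit for this zone pair and protocol")
    if req.role not in roles:
        return Decision(False, "role not permitted on this conduit")
    if not req.device_compliant:
        return Decision(False, "device posture check failed")
    if req.time_s - last_verified_s > REVERIFY_AFTER_S:
        # Stale confidence. An expired timer must not cut off an essential
        # function, so the operator view stays up while a compensating
        # control (alert plus step-up re-verification) is applied instead.
        if req.dst_asset in ESSENTIAL_ASSETS:
            return Decision(True, "confidence expired on essential function",
                            "alert SOC; require step-up re-verification")
        return Decision(False, "confidence expired; re-verify before access")
    return Decision(True, "identity, device and context verified")
```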
Jablanski proposed five steps to applying zero trust in OT. (This five-step methodology was also addressed in the whitepaper.)
As Jablanski outlined in the webinar, network connectivity has evolved from on-premises "air gapped" scenarios to connectivity among sites for distributed operations, to more connected configurations and more interoperability between IT and OT, as well as cloud adoption to manage SCADA systems. The diversity of access points has grown, and so has the diversity of attack patterns. These factors are complicated by the addition of more devices to the network, including personal devices like phones and tablets and transient devices that engineers may need, such as laptops.
"Zero trust is a logical evolution and application of trusted security controls," Bob Pingel commented via email after the webinar. "Our peers in IT recognized this a number of years ago and are seeing success. The same patterns can and should be applied in OT. In fact, in support of IT/OT integration, many of the same control fundamentals can be directly leveraged or used with minimal tailoring."
Zero trust definitions and adoption strategies are constantly evolving, and the speakers emphasized the importance of continuing the conversation.
Those interested in learning more about the speakers' thoughts and recommendations around zero trust in OT are encouraged to listen to the full webinar recording and download the ISAGCA whitepaper they helped to author.