Zero trust principles have established themselves in the mindshare of cybersecurity practitioners worldwide, being frequently referenced in architectures, solutions and public discourse. To illustrate how pervasive it has become and its rate of adoption, earlier this year Gartner reported that 63% of organizations globally have at least partially implemented a zero-trust strategy. That is encouraging, but keep in mind that OT networks will make up a small portion of that percentage. The ISA Global Cybersecurity Alliance (ISAGCA)’s white paper on zero trust outcomes provides a breakdown of how zero trust concepts may manifest in OT environments. And for organizations attempting to achieve those outcomes, they’ll find legacy equipment with missing functionality, competing priorities and system complexity will hold them back.
With that said, the irreversibility of IT/OT convergence and the pervasiveness and effectiveness of zero trust in enterprise IT systems give clear signaling that OT networks will adopt it, eventually. So what, exactly, will zero trust look and feel like in the future? And when will it happen?
If history is an indicator of the future (it is), we can consider that modern IT technologies and approaches that are eventually adopted in OT do so later, at a more cautious pace and in different ways that accommodate the unique requirements of OT. Classic examples are cloud computing, industrial IoT and virtualization technologies. It is very reasonable to draw parallels from those examples to zero trust concepts and — considering true adoption and maturity of the concepts remains in-progress within enterprise IT systems — deduce those zero trust outcomes referenced earlier may be on a 10-20 year horizon. Solutions associated with zero trust concepts — already an established and growing market — will facilitate adoption, but just like in past examples, the extent to which zero trust philosophies are adopted and the rate at which they are adopted will be influenced by the long lifespan of those legacy systems and the complexity of implementation. And the way zero trust concepts will be adopted will be heavily modified to protect existing priorities in OT, chiefly, essential functions as defined in the ISA/IEC 62443 series of standards (which includes safety instrumented functions).
The Cybersecurity and Infrastructure Security Agency (CISA) has published and iterated on a Zero Trust Maturity Model for OT which helps to envision what the future might look like. Staples of optimal concepts from that model include:
The summation of that maturity description should feel akin to what we experience today in enterprise IT systems, reflecting both enhanced security and enhanced utility. Today, in enterprise IT systems, ongoing adoption of passkeys enable one-click biometric authentication. User access can be easily and dynamically centrally managed to individual applications and with appropriate least-privileges per-user, which permit the user access over public networks. And teams have accurate, real-time data and analytics available to administrate, operate and optimize.
Using history as a guide and extrapolating from technical guidance what future zero trust concepts in OT might look like, it is a future that brings both enhanced security and utility. It comes at a time when a younger generation — which expects (demands) technology to be intuitive and convenient — will be holding the reins of the world’s most critical and sensitive OT environments.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to thought leadership, research and other insights from the OT cybersecurity community.