ZTNA is Now Necessary for OT Security 

ZTNA for IoT and OT Security

Ever since Stuxnet, the now-infamous campaign widely attributed to the US and Israeli governments, cyber assets have offered state-sponsored and financially motivated threat actors a way to worm through the defenses of essential operations. 

Nowadays, Operational Technology (OT) networks are bigger and better-connected than ever. 

As a result, attackers are looking for new ways in, whether through a programmable logic controller (PLC) or the graphical controls of a human machine interface (HMI). The zero-trust network access (ZTNA) approach that now secures IT promises similar returns for OT and Internet of Things (IoT) security.

Quick Takeaways

  • Reconnaissance against OT systems rose by 2,204% between January and September 2021
  • Almost all victim systems share the same profile: reachable from the internet, with weak or default authentication 
  • The primary challenges in securing these devices are visibility and authentication, which is exactly where Zero Trust Network Access (ZTNA) pays off.

Internet Connection and International Conflict: IoT & OT Security Top Challenges

Throughout the development of IoT and OT, these devices have historically been safer simply because they were air-gapped and offline. 

In the last half decade or so, however, OT has evolved into cyber-physical systems: smart systems that form an ever-interacting map of physical and compute devices. Across healthcare, smart factories, and city infrastructure, these highly complex systems make the world go round: medical systems support high-risk pregnancies with sensors that relay data back to the hospital in real time, and city infrastructure detects structural changes within the electrical grid with fiber-optic sensing. 

Alongside OT becoming internet-connected, another factor has become important: international conflict. With geopolitical tensions rising, state actors can now launch attacks directly on critical infrastructure. 

This has been exemplified by a rash of recent attacks on water and wastewater treatment facilities. In November 2023, the Iranian, IRGC-affiliated group 'CyberAv3ngers' targeted PLC-HMI devices manufactured by Unitronics, an Israeli PLC vendor. By first gaining visibility into internet-connected OT devices, the threat actors could identify which were vulnerable and which were critical to a water treatment facility's operation. 

Unitronics’ Popularity in OT Supply

Because Unitronics devices are so widely deployed in OT, the campaign had the reach of a supply chain attack without any vendor software being compromised: every internet-exposed Unitronics device still using the vendor default password (as CISA's advisory AA23-335A on the campaign notes) was a potential target. So, several thousand miles from Iran, a booster station run by the Municipal Water Authority of Aliquippa, Pennsylvania, suddenly lost its PLC-HMI and had to be switched to manual operation. 

In this case, the compromised PLC-HMI controlled the station's pressure regulation pumps.  

The Aliquippa plant wasn't the only one: at the same time, similar outages were reported across the world. Because the targeted equipment has a graphical interface, the attackers wrote a custom message to display once the attack completed: all equipment made in Israel is a target.

In early 2024, pro-Russian hacktivists followed suit with their own, less sophisticated intrusions. 

Maxing out setpoints, turning off alarm processes, and changing admin passwords led to minor tank overflow events at a few US victims. CISA's May 2024 fact sheet on this activity identifies one key similarity between all targets: all of them were internet-reachable and protected by weak or default sign-in settings, in these cases on exposed VNC remote access to the HMI.

ZTNA for IoT and OT Security

At its core, zero trust access starts with knowing what's on your enterprise network: you cannot write an access policy for a device you have not inventoried. At a minimum, a corporate network overview needs to list every OT and IoT device along with the network segment it sits on. 

Asset discovery is achieved through two main techniques: 

  • Active
  • Passive 

Active discovery requires a node or appliance with secure access to every OT network area that regularly queries all connected devices. Passive discovery instead places sensors (on a SPAN port or network TAP) that listen to the traffic flowing between OT components. 

Both approaches feed what they learn into a central inventory. Unlike IT, however, OT systems are often fragile: they run legacy firmware on long lifecycles, and an unexpected probe can fault a controller. Active discovery is therefore not suitable for every device; passive discovery, or vendor-specific queries limited to a maintenance window, is the safer default for anything that controls a physical process. 

Furthermore, it is often impossible to install agents or software directly onto OT devices, so protection has to come from the network. This is why network-based segmentation is so vital for protecting OT assets. 
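The following is an added example, not code from the original page or from Perimeter 81. It shows what passive discovery produces and how the inventory feeds segmentation: it assumes a sensor on a SPAN port or TAP has already reduced traffic to (src_ip, dst_ip, dst_port) flow records (as a Zeek conn log or NetFlow collector would), builds an inventory of OT services from them, flags the profile seen in the incidents above (reachable from outside the plant and speaking a protocol with no or weak authentication), and derives a deny-by-default allowlist of the internal peers actually observed. The flow records and the site-internal prefixes are constructed for illustration and must be replaced with the site's own.

```python
"""Passive OT asset discovery and a segmentation baseline (added example).

Assumptions: flows are (src_ip, dst_ip, dst_port) tuples taken from a
SPAN/TAP sensor; INTERNAL_NETS is a hypothetical site setting; the sample
flows at the bottom are constructed, not captured.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed site-internal ranges. Any other address that initiates a
# connection to an OT service is treated as internet-side.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known OT and HMI remote-access ports -> protocol label. Every entry
# here either carries no authentication or only a password (often default).
OT_PORTS = {
    502: "modbus",    # Modbus/TCP: no authentication in the protocol
    102: "s7comm",    # Siemens S7: no authentication in the protocol
    44818: "enip",    # EtherNet/IP: no authentication in the protocol
    20000: "dnp3",    # DNP3: unauthenticated unless Secure Authentication is on
    20256: "pcom",    # Unitronics PCOM: password only, vendor default abused in 2023
    5900: "vnc",      # VNC to an HMI: password only, weak/default in the 2024 cases
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Asset:
    ip: str
    # protocol label -> set of addresses that initiated connections to it
    peers: dict = field(default_factory=lambda: defaultdict(set))

    @property
    def services(self):
        return sorted(self.peers)

    def external_peers(self):
        return sorted(p for s in self.peers.values() for p in s if not is_internal(p))


def discover(flows):
    """Build {ip: Asset} from flow records, keeping only OT/HMI services."""
    inventory = {}
    for src, dst, dport in flows:
        proto = OT_PORTS.get(dport)
        if proto is None:
            continue  # not an OT or HMI remote-access service
        inventory.setdefault(dst, Asset(ip=dst)).peers[proto].add(src)
    return inventory


def findings(inventory):
    """Assets matching the incident profile: (ip, services, external peers)."""
    return sorted((a.ip, a.services, a.external_peers())
                  for a in inventory.values() if a.external_peers())


def allowlist(inventory):
    """Segmentation baseline: per asset and service, the internal peers observed.
    External peers are deliberately left out; they fall under deny-by-default."""
    return {a.ip: {proto: sorted(p for p in peers if is_internal(p))
                   for proto, peers in a.peers.items()}
            for a in inventory.values()}


# Constructed sample flows as seen inside the plant network (post-NAT view).
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.1.9.10", 502),        # SCADA server polling a Modbus PLC
    ("10.1.5.20", "10.1.9.11", 102),        # same server, Siemens PLC
    ("10.1.5.20", "10.1.9.12", 20256),      # engineering workstation -> Unitronics PLC
    ("203.0.113.45", "10.1.9.12", 20256),   # internet-side host -> the same PLC
    ("198.51.100.7", "10.1.9.30", 5900),    # internet-side host -> HMI over VNC
    ("10.1.5.31", "10.1.9.30", 5900),       # operator desktop -> HMI over VNC
    ("10.1.5.21", "10.1.9.40", 443),        # historian web UI: not OT, ignored
]

if __name__ == "__main__":
    inv = discover(SAMPLE_FLOWS)
    for ip, services, ext in findings(inv):
        print(f"EXPOSED {ip} services={services} external_peers={ext}")
    for ip, rules in allowlist(inv).items():
        print(f"ALLOW {ip} {rules}")
```

Run against the constructed flows, the two internet-reached devices (the Unitronics PLC on PCOM and the HMI on VNC) are the only findings, and the allowlist contains just the SCADA server, engineering workstation and operator desktop that were seen talking to each asset. That allowlist is the starting point for firewall or ZTNA policy; the external peers never appear in it.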

Zero Trust Micro Segmentation

Rather than relying on a bare credential check, ZTNA takes a device's whole posture into account before granting access. This device-posture validation is central to micro-segmentation: rather than inheriting trust from a user's VPN login, every OT access attempt is brokered by a ZTNA service that checks the user's identity, the device, and the request against the policy for that specific asset. 

That policy can include client certificates, location, device health, and observed behavior. 

Alongside solving the authentication problem for OT, ZTNA tools make network and application infrastructure invisible to the wider internet: the connector next to the OT asset opens an outbound-only connection to the broker, so nothing listens on a public IP. This removes the attack pattern seen in the campaigns above, where attackers found vulnerable services by scanning the public internet.
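As an added example (not code from the original page or from Perimeter 81), the decision a ZTNA broker makes before opening an inward session to an OT asset can be written out as a default-deny policy check over identity, device certificate, posture and location. The asset names, the policy table, the posture fields and the sample requests below are all constructed for illustration; a real broker would populate the device context from its certificate validation, MDM/EDR integration and source-address lookup.

```python
"""ZTNA access decision for an OT target (added example).

All names here (assets, groups, users, posture fields) are hypothetical.
evaluate() returns every failed check rather than stopping at the first,
so the decision log explains a denial in full.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceContext:
    cert_subject: Optional[str]       # subject of the validated client cert, None if absent
    cert_expiry: Optional[datetime]
    managed: bool                     # enrolled in the organisation's MDM/EDR
    os_patched: bool
    country: str                      # derived by the broker from the source address


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    device: DeviceContext
    target: str                       # inventory name of the OT asset
    service: str                      # which service on that asset is requested
    at: datetime


# Default deny: a session is opened only if a rule lists this exact
# (target, service) pair and every condition in it holds.
POLICY = [
    {"target": "plc-booster-01", "service": "engineering",
     "groups": {"ot-engineers"}, "countries": {"US"}},
    {"target": "hmi-ww-01", "service": "hmi-vnc",
     "groups": {"ot-engineers", "plant-operators"}, "countries": {"US"}},
]


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); allowed is True only when reasons is empty."""
    reasons: List[str] = []
    d = req.device
    # Device identity: a valid, unexpired client certificate is mandatory.
    if d.cert_subject is None:
        reasons.append("no client certificate")
    elif d.cert_expiry is None or d.cert_expiry <= req.at:
        reasons.append("client certificate expired")
    # Device posture.
    if not d.managed:
        reasons.append("device not managed")
    if not d.os_patched:
        reasons.append("device OS not patched")
    # Policy match on the specific asset and service (no wildcard access).
    rule = next((r for r in POLICY
                 if r["target"] == req.target and r["service"] == req.service), None)
    if rule is None:
        reasons.append(f"no rule grants {req.service} on {req.target}")
    else:
        if not (req.groups & rule["groups"]):
            reasons.append("user not in an authorised group")
        if d.country not in rule["countries"]:
            reasons.append(f"source country {d.country} not permitted")
    return (not reasons), reasons


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed requests: a compliant engineer, an unmanaged host with no
# certificate from outside the permitted region, and a compliant engineer
# asking for a service no rule exposes.
GOOD_DEVICE = DeviceContext("CN=ws-eng-07", datetime(2025, 1, 1, tzinfo=timezone.utc),
                            managed=True, os_patched=True, country="US")
ENGINEER = AccessRequest("alice", frozenset({"ot-engineers"}), GOOD_DEVICE,
                         "plc-booster-01", "engineering", NOW)
STRAY_DEVICE = DeviceContext(None, None, managed=False, os_patched=False, country="IR")
STRAY = AccessRequest("unknown", frozenset(), STRAY_DEVICE, "hmi-ww-01", "hmi-vnc", NOW)
UNLISTED = AccessRequest("alice", frozenset({"ot-engineers"}), GOOD_DEVICE,
                         "plc-booster-01", "hmi-vnc", NOW)

if __name__ == "__main__":
    for name, req in (("engineer", ENGINEER), ("stray", STRAY), ("unlisted", UNLISTED)):
        ok, why = evaluate(req)
        print(f"{name}: {'ALLOW' if ok else 'DENY'} {why}")
```

The point of the per-asset rule table is that even a fully compliant engineer is refused a service the policy does not list for that asset; contrast this with a VPN, where the login alone would have put the same user on the OT subnet with reach to every port.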

Bring Zero Trust Across the Board with Perimeter81

Zero Trust puts front and center the principle that users may not have good intentions or maintain proper security hygiene. To support this, Perimeter 81 integrates with your existing identity provider and grants full visibility into activity monitoring and logging across all network-connected devices. 

Administrators not only have access to network activity logs; Perimeter 81 also integrates with log storage and SIEM services such as Amazon S3, Splunk, and Azure Sentinel for enhanced reporting and analysis.

Because of this, your IT and OT devices can be centralized across a single platform, drastically speeding up resolution times and maintenance. Day-to-day operations become faster as well, as remote workers are able to securely log on and verify their access with dedicated, global infrastructure. 

Get in touch with Perimeter 81, and reach new heights of network security in minutes.

FAQs

How does ZTNA benefit OT security?
In OT security, ZTNA minimizes the risk of cyber threats by ensuring that only verified users and devices can access critical systems, reducing the attack surface and enhancing overall security.
How does ZTNA differ from traditional network security models in the context of OT?
Traditional network security models typically rely on perimeter defenses, assuming that everything inside the network is trusted. In contrast, ZTNA assumes that no user or device, whether inside or outside the network, should be trusted by default. This approach is particularly beneficial for OT environments, where it is crucial to protect critical infrastructure from both external and internal threats by implementing strict access controls and continuous monitoring.
Can ZTNA be integrated with existing OT infrastructure?
Yes, by deploying ZTNA solutions that are compatible with the OT systems and devices in place. Typically, this means secure gateways, identity and access management (IAM) systems, and monitoring tools that work with current OT operations. The key is to enhance security without disrupting fragile OT processes.
What are some common challenges in implementing ZTNA in OT?
Common challenges include ensuring compatibility with legacy OT systems, managing the diverse range of devices and protocols used in OT environments, and addressing the potential complexity of deploying and maintaining ZTNA solutions. Additionally, there may be resistance to change from stakeholders who are accustomed to traditional security models. 
How does ZTNA support compliance with OT industry regulations and standards?
By providing strict access controls, continuous monitoring, and detailed logging of all network activity, ZTNA helps organizations align with standards such as NERC CIP and IEC 62443.
