
Zero Trust must be a pivotal part of OT security

IT security is on the radar of many companies, and they have implemented it quite well, argues Arjan Aelmans of Fortinet. The same cannot be said of OT security. Why is that? And how do you go about it properly? A conversation about ISA/IEC 62443, the Purdue model, Zero Trust, Fortinet’s Security Fabric and more.

Here at Techzine we have been paying attention to OT security, the securing of operational systems and environments, for quite some time. Think medical equipment, but also machines in factories and the PDUs and coolers in data centers. We do this for a reason: it is really necessary. Ransomware in particular is causing quite a few incidents these days. For example, we recently reported on a large port in Japan (with a vast OT infrastructure) that was completely shut down after such an attack.

All in all, it’s safe to say that OT security isn’t top of mind. The security industry has been very busy with IT security over the past few decades. That in itself was necessary, but it also meant that OT security remained in the background. That should really start to change, especially with the advent of NIS2.

Convergence between IT and OT: action is needed

IT and OT have been moving closer and closer together since the mid-1990s, notes Aelmans. He works at Fortinet as a Specialist Systems Engineer – Operational Technology and has been active in this industry in the Netherlands for some 23 years. Particularly in specific sectors such as the manufacturing industry, the distinction between IT and OT in terms of infrastructure design has virtually disappeared, he points out. This means that in that type of environment, OT is exposed to the same threats as IT.

However, Aelmans notes that this implication of the convergence between OT and IT has long been off the radar of organizations. “I’m shocked when I look at OT security,” he points out. “Most companies are still at the beginning of their journey within OT security,” he continues. So that has to change. A security player like Fortinet obviously plays a role in this as well. As in other countries, a team is active in the Netherlands that has a 100% focus on OT security. This team is meant to guide customers on the journey mentioned above.

There has long been an OT security practice in EMEA, and Fortinet as a whole has been working on this topic for more than a decade. Last year, the company designated OT security as strategic. That means there will be even more focus on it than before. This is a good initiative, according to Aelmans. He is still amazed almost every day at how much is moving in this area within Fortinet. It’s good to hear, also from the market, that big players like Fortinet are taking this even more seriously.

Problem with multiple layers

OT environments, as indicated, are fundamentally different from IT environments. They too will be targets of ransomware attacks, for example, but for different reasons. Ransomware attacks on IT environments usually involve encrypting data and demanding a ransom for it. Monetary gain does not always play a role in ransomware attacks on OT environments, however. There, it is deployed as a cyber weapon to shut down certain processes, Aelmans points out. If that is the goal, attackers look for the most efficient way. That is usually through the supply chain and OT environments.

The convergence between IT and OT has made it easier for attackers to target organizations through OT environments in at least two ways. First, there is what Aelmans calls the “massive explosion of remote access.” This remote access quite often takes place outside the IT environment. That is, you can communicate directly with OT equipment from the outside, without going through the security layers of the IT environment. You are then immediately at the process and control layers of the Purdue model. These two layers are the foundation of that model, where sensors, actuators, Programmable Logic Controllers (PLCs), as well as things like Human Machine Interfaces (HMI) and SCADA systems can be found. Above that come things like the iDMZ (industrial Demilitarized Zone), as well as ERP systems and databases, and ultimately the organization’s network as a whole.

If remote access to OT environments takes place outside of IT environments, then the security controls should actually be in place on the OT equipment itself. However, this is often not the case. Security has traditionally not been a focus for OT equipment manufacturers, Aelmans points out. On top of that, automation managers and process analysts within organizations, for example, who deal a lot with OT environments, also do not focus on security. “Those people are concerned with availability, not security,” he states.

So can IT security do nothing at all for OT security? “You very often hear a firm ‘no’ as an answer to this question, but in practice there is quite a lot of overlap,” Aelmans points out. You can do a lot above the bottom two layers of the Purdue model to improve the security of OT environments. For him, it stops behind the Ethernet port of a PLC or an HMI. That’s the world of the aforementioned automation managers and process analysts. Up to that point, however, it is very important to be able to look very deeply into the traffic and, where necessary and permitted, also intervene in the event of a cybersecurity incident.

ISA/IEC 62443 as a starting point

Aelmans indicates during our conversation that he had expected a greater sense of urgency, especially because of NIS2 coming up. That’s going to affect some 12,000 companies within the Netherlands and has quite an impact on OT security. Perhaps this is partly because the legislation isn’t there yet, so it’s basically impossible to work on compliance yet. On the other hand, however, Aelmans also sees that there is a great willingness in the market to cooperate and integrate with the Fortinet Security Fabric (read an extensive article about that here).

This particularly concerns security automation. For a long time, he indicates, there has been little talk about this, but that is changing. It has to. “I recently saw an example of an attack where there was no more than six seconds between breach and the first lateral,” he illustrates the need. Then you really need to have some form of automation in your security infrastructure. So looking carefully at the integration possibilities of products and solutions beforehand, including in the area of OT, is certainly advisable, according to Aelmans.

At the end of the day, however, buying good tooling is not enough. It is also important to set things up properly in a holistic way. This is usually done through certifications. In the OT world, the ISA/IEC 62443 standard is a benchmark in that regard. This is a standard specifically focused on cybersecurity in OT environments, commonly referred to as IACS (Industrial Automation & Control Systems). This is not just about the technology, but the human component also plays a role and, of course, things like policies and procedures. Note that this is a systematic and practical approach around cybersecurity, though. It’s not a guarantee that nothing can happen.

Important practical steps toward a secure OT landscape

A standard such as ISA/IEC 62443 and the schematic world of the Purdue model are in themselves good for putting things in perspective. In practice, however, many organizations would like to have something more concrete to hold on to. In that area, Aelmans also has the necessary advice.

If you take ISA/IEC 62443 as a starting point, it all starts with knowing which assets are connected to your OT infrastructure, and what their vulnerabilities are. If you don’t know that, you can never comply with the standard. So the key is to use tooling from parties such as Claroty or Nozomi Networks to gain this insight and overview. Then you can look at segmentation and micro-segmentation, because after all, you know exactly what you have. You can then also determine which assets are allowed to connect to each other and which are not. There is a lot of expertise in this from Fortinet, Aelmans points out.

The next step is to set up a robust iDMZ. This screens off IT from OT and migrates all remote access connections within the OT environment to a single point within the architecture. You can then manage and monitor these centrally. After mapping and segmenting the assets, Aelmans calls this “absolutely priority number three.” He is therefore very busy with this. “Companies also understand this very well,” he indicates, “we don’t have to persuade them to do this.” It’s not hugely complicated either, if you clearly define the project around it beforehand. After you set up this iDMZ, you can add an additional layer on top of it around access rights if necessary. Fortinet itself has FortiPAM for this so-called Privileged Access Management. If you’ve done this, then “you’re well on your way,” according to Aelmans.
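The three steps above (know what is connected, segment it with an explicit list of permitted connections, and force everything from IT or the outside through an iDMZ) can be expressed as a small policy check that is run over observed traffic. The Python below is an added example for this article; it is not code from Fortinet, the interviewee, or the asset-discovery tools named above. The zone names, addresses, conduit table and flow records are constructed for the example, and the port numbers follow the usual assignments for Modbus/TCP (502), OPC UA (4840), HTTPS (443) and RDP (3389).

```python
"""Zone-and-conduit check for an OT network.

Added example for this article, not Fortinet's or the interviewee's code.
It models the ISA/IEC 62443 zone/conduit idea on a Purdue-style layout:
assets are inventoried with a zone, conduits say which zone pairs may talk
and on which TCP ports, and anything from the enterprise or the outside that
reaches OT without terminating on the iDMZ is flagged. All addresses, names
and log lines below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Zones, Purdue-style. The bottom three are the OT levels; the iDMZ is the
# only sanctioned crossing point from enterprise or remote into them.
OT_ZONES: Set[str] = {"process", "control", "supervisory"}
OUTSIDE_ZONES: Set[str] = {"enterprise", "remote"}


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str


# Step 1 of the article: know what is connected. Constructed inventory.
INVENTORY: Dict[str, Asset] = {a.ip: a for a in (
    Asset("10.0.1.10", "plc-mixer-1", "process"),
    Asset("10.0.2.20", "hmi-line-a", "control"),
    Asset("10.0.3.30", "scada-historian", "supervisory"),
    Asset("10.0.9.5", "idmz-jump-host", "idmz"),
    Asset("10.1.0.50", "erp-app", "enterprise"),
    Asset("203.0.113.7", "vendor-laptop", "remote"),
)}

# Step 2: segmentation as an explicit allowlist of conduits,
# (source zone, destination zone) -> permitted destination ports.
# Unlisted pairs are denied; direction matters.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("control", "process"): {502},        # HMI to PLC, Modbus/TCP
    ("supervisory", "control"): {4840},   # historian to HMI, OPC UA
    ("idmz", "supervisory"): {4840},      # iDMZ broker into the top OT level
    ("enterprise", "idmz"): {443},        # ERP fetches data via the iDMZ
    ("remote", "idmz"): {443},            # Step 3: vendors land on the jump host
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'key=value' flow record; None if a field is missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Flow(fields["src"], fields["dst"], int(fields["dport"]))
    except (KeyError, ValueError):
        return None


def evaluate(flow: Flow) -> str:
    """Verdict for a single observed flow against inventory and conduits."""
    src, dst = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src is None or dst is None:
        # An endpoint not in the inventory: the standard's first step has not
        # been met for it, so no trust decision is possible.
        return "unknown-asset"
    if src.zone == dst.zone:
        return "allow-intra-zone"
    if flow.dport in CONDUITS.get((src.zone, dst.zone), set()):
        return "allow"
    if src.zone in OUTSIDE_ZONES and dst.zone in OT_ZONES:
        # The "remote access outside the IT security layers" case from the
        # article: straight into OT without passing through the iDMZ.
        return "deny-bypasses-idmz"
    return "deny-no-conduit"


def audit(lines: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of flow records."""
    counts: Counter = Counter()
    for line in lines:
        flow = parse_flow(line)
        counts[evaluate(flow) if flow else "unparsable"] += 1
    return dict(counts)


# Constructed flow records, as a firewall or network sensor might export them.
SAMPLE_LOG = [
    "src=10.0.2.20 dst=10.0.1.10 dport=502",      # HMI writes to PLC: allow
    "src=10.0.1.10 dst=10.0.2.20 dport=502",      # reverse direction: no conduit
    "src=203.0.113.7 dst=10.0.9.5 dport=443",     # vendor to iDMZ: allow
    "src=203.0.113.7 dst=10.0.2.20 dport=3389",   # vendor straight to an HMI
    "src=10.1.0.50 dst=10.0.1.10 dport=502",      # ERP host talking to a PLC
    "src=10.0.5.99 dst=10.0.1.10 dport=502",      # device nobody inventoried
    "src=10.0.3.30 dst=10.0.2.20",                # truncated record
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        flow = parse_flow(line)
        print(f"{line:45} -> {evaluate(flow) if flow else 'unparsable'}")
    print(audit(SAMPLE_LOG))
```

Two design points carry the article’s argument. The conduit table is an allowlist with a direction, so the PLC answering back to the HMI on the same port is not automatically allowed just because the HMI may talk to the PLC. And a flow whose endpoint is not in the inventory gets its own verdict rather than a deny, because the fix for it is not a firewall rule but finishing step one.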

Zero Trust for OT environments

When you talk about access management, you also quickly talk about identities. So that’s the next priority. Specifically, it then involves Zero Trust. “We really need to extend this to OT as well, because identity plays an important role here as well,” Aelmans explains. Zero Trust generally sounds like an overarching vision, but the concept plays out on multiple levels. Consider splitting authentication domains. That is, don’t use authentication servers for OT that you also use for IT. You also need to look at role-based access, to determine who can access what and when. Following on from that is MFA. Then you can also be sure that the people being granted those roles are who they say they are. These components are all part of a Zero Trust strategy.

You have to be careful with MFA, though, Aelmans warns. Especially in OT environments, human lives can quickly be at stake if something goes wrong. He cites as an example the danger of a chlorine cloud, which can occur in an OT environment that deals with chlorine. Then MFA simply takes too long to intervene and you need an override capability.
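The three Zero Trust components named above, and the caveat about MFA, can be put into a single access decision. The Python below is an added example for this article, not code from Fortinet, FortiPAM or the interviewee. The identity-provider names, roles, actions, asset classes and users are constructed; the safety override is one possible way to implement the “override capability” Aelmans describes, scoped to stopping actions only and always leaving an audit record.

```python
"""Zero Trust access decision for OT operations.

Added example for this article, not Fortinet's or the interviewee's code.
It puts the three Zero Trust components named in the interview into one
decision: a separate authentication domain for OT (identities from the IT
identity provider are refused outright), role-based access (a role grants
specific actions on specific asset classes) and MFA for actions that change
a physical process. It also implements the caveat about MFA: a narrowly
scoped safety override that skips the second factor for emergency actions
only, and always produces an audit record. Domain names, roles, actions and
users are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

OT_AUTH_DOMAIN = "ot-idp"      # the OT authentication domain (hypothetical name)

# Role -> permitted (action, asset class) pairs. Constructed policy.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "operator": {("view", "hmi"), ("acknowledge-alarm", "hmi"), ("emergency-stop", "plc")},
    "engineer": {("view", "hmi"), ("view", "plc"), ("change-setpoint", "plc"), ("download-logic", "plc")},
    "vendor": {("view", "plc")},
}

# Actions that alter the physical process require a verified second factor.
MFA_REQUIRED: Set[str] = {"change-setpoint", "download-logic", "emergency-stop"}

# The only actions the safety override may cover: stopping, never changing.
SAFETY_OVERRIDE_ACTIONS: Set[str] = {"emergency-stop"}


@dataclass(frozen=True)
class Identity:
    user: str
    domain: str                 # which identity provider authenticated the user
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit: Optional[str] = None  # set whenever the override path is used


def permissions(identity: Identity) -> Set[Tuple[str, str]]:
    """Union of the permissions granted by all of the identity's roles."""
    granted: Set[Tuple[str, str]] = set()
    for role in identity.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def decide(identity: Identity, action: str, asset_class: str,
           safety_override: bool = False) -> Decision:
    """Decide one access request; no implicit trust at any step."""
    # 1. Split authentication domains: IT credentials are not valid for OT.
    if identity.domain != OT_AUTH_DOMAIN:
        return Decision(False, "wrong-auth-domain")
    # 2. Role-based access: the role must grant this action on this class.
    #    The override never widens a role, so this check comes first.
    if (action, asset_class) not in permissions(identity):
        return Decision(False, "role-denied")
    # 3. MFA, with the safety override as the single, audited exception.
    if action in MFA_REQUIRED and not identity.mfa_verified:
        if safety_override and action in SAFETY_OVERRIDE_ACTIONS:
            record = (f"SAFETY-OVERRIDE user={identity.user} action={action} "
                      f"asset_class={asset_class} mfa=skipped review=required")
            return Decision(True, "safety-override", audit=record)
        return Decision(False, "mfa-required")
    return Decision(True, "allow")


# Constructed identities.
OPERATOR = Identity("anne", OT_AUTH_DOMAIN, frozenset({"operator"}), mfa_verified=False)
ENGINEER = Identity("bram", OT_AUTH_DOMAIN, frozenset({"engineer"}), mfa_verified=True)
IT_ADMIN = Identity("chris", "it-idp", frozenset({"engineer"}), mfa_verified=True)

if __name__ == "__main__":
    requests = [
        (ENGINEER, "change-setpoint", "plc", False),   # allow
        (IT_ADMIN, "view", "hmi", False),              # wrong-auth-domain
        (OPERATOR, "change-setpoint", "plc", False),   # role-denied
        (OPERATOR, "emergency-stop", "plc", False),    # mfa-required
        (OPERATOR, "emergency-stop", "plc", True),     # safety-override, audited
        (OPERATOR, "change-setpoint", "plc", True),    # override does not widen roles
    ]
    for ident, action, cls, override in requests:
        d = decide(ident, action, cls, override)
        print(f"{ident.user:6} {action:16} override={override!s:5} -> {d.reason}")
        if d.audit:
            print("   ", d.audit)
```

The order of the checks is the point: the IT administrator is refused before roles are even consulted, the override cannot grant an action the role does not already hold, and it only ever skips the second factor for the stopping action, so an engineer without a verified factor still cannot change a setpoint by claiming an emergency. Every use of the override returns a record that an operations team can review afterwards.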

At the end of the day, Zero Trust is not that complicated for Aelmans: “It’s removing implicit trust in the infrastructure.” To illustrate what he means by this, he gives the following example: “If I plug in a network cable somewhere, it shouldn’t be normal for that device to get an IP address right away.” For OT devices, which are not immediately developed with cybersecurity in mind, that would go a long way. At least then you don’t have devices on the network that really shouldn’t be connected, but accidentally are. You can only assign them an IP address when it is safe to do so, for example, as a result of a NAC (Network Access Control) process.

What role does Fortinet play within OT security?

We cited in part above what role Fortinet sees for itself when it comes to OT security. Of course, the Security Fabric already mentioned earlier plays an important role in this. That’s ultimately where the security market as a whole is moving. It would be crazy if OT security were not part of that. In addition, the Security Fabric is also fundamentally agnostic. “It allows you to use what you already have and makes it easier toward the future to add additional products without increasing the management burden,” Aelmans summarizes. Of course, he would prefer that you include as many Fortinet products as possible in the Security Fabric, but it is not necessary. It is important, however, if you are considering a solution from another vendor, to check in advance how it integrates.

A bit more at the product level, Aelmans obviously mentions Fortinet’s firewalls, the FortiGates. These play an important role in segmentation, but also in gaining deep insights into traffic. You can also manage FortiSwitch from FortiGate. This gives you insight from that central GUI into everything that’s happening, down to the MAC layer. So you can also use this to monitor traffic within VLANs. In the area of endpoint security, things are starting to pick up now as well, with FortiEDR. Fortinet also offers sandbox, NDR and deception solutions.

Aelmans also mentions FortiSIEM, which he says customers generally appreciate. They can map alarms from FortiSIEM onto business processes. This gives customers much more context around the alarms. In addition, they also map them onto the MITRE ATT&CK framework for ICS (Industrial Control Systems). If a particular malware has six steps within the MITRE framework and they see through FortiSIEM that it’s at step two, it’s still possible to kick off specific playbooks.

It starts with understanding, especially the risks

Securing OT environments is quite a tricky issue. Despite the convergence between IT and OT in recent decades, they fundamentally remain rather separate worlds. Technically, however, it is becoming increasingly possible to gain insight into threats, even in the OT world. It is also important, though, to gain insight into the risks that organizations face if they do nothing. That’s still quite a challenge. “You have IT budgets, OT budgets, but no OT security budgets yet,” Aelmans sums up.

To get the latter, investments must be defensible. People higher up in the organization have to understand what the risks are. That’s where ISA/IEC 62443 comes in. It makes it possible to get or give a risk-based assessment in the area of OT security. Only once that is in place can organizations start working on the technical part. NIS2 will undoubtedly play a role in this. Exactly what this will be remains to be seen. Organizations would do well not to wait for this, but to take steps now.