Zero Trust Is ‘Essential’ – But Who Pays for It?

New guidance from the U.S. Cybersecurity and Infrastructure Security Agency on adapting zero trust security principles for operational technology is fine as far as it goes, but is pretty high-level and ignores or fudges a couple of key questions, say executives and experts.
“This is a great guide that takes the right direction, but it dodges the hardest question, which is who pays for it?” said Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, an industry group that represents OT equipment makers, owners and operators and security vendors.
“The technical thinking is sound,” she told ISMG, “but the vast majority of critical infrastructure owners and operators like water utilities, rural [electricity] co-ops, or small ports simply can’t afford to implement.”
Zero trust is based on the proposition that the perimeter will not hold. Systems must therefore be protected through measures such as continuous security monitoring, network segmentation and limited user access.
Under a zero trust approach, “resilience comes not from assuming adversaries can be kept out, but from designing systems that can detect intrusions, continue to operate safely, contain disruptions and recover quickly,” explained Kate DiEmidio, vice president of public policy and government affairs for OT cybersecurity vendor Dragos.
All those measures can prove costly, Bolton pointed out, especially for organizations that are below the cyber poverty line, meaning the threats they face are beyond their resources to counter.
Unless the federal government is “actually going to resource owners and operators to make [Zero Trust] a reality, this [CISA guidance] risks being a very well-written document that sits on a shelf,” Bolton concluded.
CISA published the guidance Wednesday along with the Departments of Defense, Energy and State, as well as the FBI.
“CISA urges OT owners, operators, and integrators to use this resource to make informed decisions that reduce exposure and strengthen resilience-without,” said CISA acting executive assistant director for cybersecurity Chris Butera in a statement.
“It really does a good job of defining the problem, and lays out rational steps you can take. It’s very helpful for that,” Sean Tufts, field CTO at Claroty, an OT security vendor, told ISMG about the guidance.
The challenge, he said, is coordinating and prioritizing a set of changes which could take a decade to implement, given the length of equipment refresh cycles.
“I’d love to see a timeline they would propose, and guidance about what you’d prioritize first, because that whole list is something that is absolutely what we need to get done on a decade level,” he said.
The guidance also glosses over some important problems with the application of Zero Trust principles like continuous authentication to OT, said Chris Grove, director of cybersecurity strategy at OT security vendor Nozomi Networks.
“Take an emergency stop function [on a production line],” he said. “You can’t require authentication for that, because you can’t make someone log in and enter a password before they can hit the emergency stop button,” he explained, adding that alternative measures, like a physical key or access controls, might be more appropriate.
Nonetheless, he added, zero trust is “a valid approach,” and the guidance would help to break down some of the resistance from OT owners and operators. “IT and OT have got to be on the same page,” he said.
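The points made above can be made concrete in a small access-decision routine. The following is an added example, not code from the CISA guidance or from any of the vendors quoted here: it applies the zero trust principles the article lists (no implicit trust from network location, segmentation between zones, least-privilege operations per role, device posture re-checked on every request, and every decision logged for continuous monitoring) and models Chris Grove’s emergency-stop case as a safety function that is exempt from interactive authentication and instead gated by a physical control path. The zone names, roles, protocols, posture fields and sample requests are all constructed placeholders.

```python
"""Added example of a per-request zero trust decision for an OT network.
Not from the CISA guidance or any vendor; all names and policies below are
constructed for illustration."""

from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed segmentation policy: (source zone, destination zone, protocol).
# Anything not listed is denied, wherever the request originates (default deny).
ALLOWED_FLOWS: Set[Tuple[str, str, str]] = {
    ("engineering", "control", "s7comm"),
    ("engineering", "control", "ssh"),
    ("ops", "control", "opcua"),
    ("ops", "historian", "https"),
}

# Least privilege: operations each (constructed) role may perform on control assets.
ROLE_OPERATIONS = {
    "engineer": {"read", "write", "program"},
    "operator": {"read", "write"},
    "viewer": {"read"},
}

# Safety functions that must never depend on an interactive login (the e-stop case).
SAFETY_OPERATIONS = {"emergency_stop"}


@dataclass
class Request:
    subject: str
    role: str
    identity_verified: bool        # strong identity checked for this request
    src_zone: str
    dst_zone: str
    protocol: str
    operation: str
    device_posture_ok: bool        # re-evaluated on every request, not once at login
    physical_control_present: bool = False  # e.g. hardwired button or key switch


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, audit: List[str]) -> Decision:
    """Return an allow/deny decision and append one audit line per decision."""
    if req.operation in SAFETY_OPERATIONS:
        # Safety path: no password prompt, but it must arrive over a physical
        # control path; a remote request for the same operation is refused.
        if req.physical_control_present:
            decision = Decision(True, "safety function gated by physical control")
        else:
            decision = Decision(False, "safety function requires physical control path")
    elif not req.identity_verified:
        decision = Decision(False, "identity not verified")
    elif not req.device_posture_ok:
        decision = Decision(False, "device posture check failed")
    elif (req.src_zone, req.dst_zone, req.protocol) not in ALLOWED_FLOWS:
        decision = Decision(False, "no allowed flow for this segment pair and protocol")
    elif req.operation not in ROLE_OPERATIONS.get(req.role, set()):
        decision = Decision(False, f"operation not permitted for role {req.role}")
    else:
        decision = Decision(True, "identity, posture, segment and role checks passed")

    verdict = "ALLOW" if decision.allowed else "DENY"
    audit.append(
        f"{verdict} subject={req.subject} role={req.role} "
        f"{req.src_zone}->{req.dst_zone}/{req.protocol} op={req.operation}: {decision.reason}"
    )
    return decision


if __name__ == "__main__":
    log: List[str] = []
    samples = [
        Request("alice", "engineer", True, "engineering", "control", "s7comm", "program", True),
        Request("alice", "engineer", True, "corp", "control", "s7comm", "program", True),
        Request("bob", "viewer", True, "ops", "control", "opcua", "write", True),
        Request("line1-estop", "operator", False, "control", "control", "hardwired",
                "emergency_stop", False, physical_control_present=True),
        Request("remote-hmi", "operator", True, "ops", "control", "opcua",
                "emergency_stop", True, physical_control_present=False),
    ]
    for s in samples:
        evaluate(s, log)
    print("\n".join(log))
```

The ordering of the checks matters: the safety branch is evaluated first so that an e-stop never waits on identity or posture lookups, while everything else falls through to default deny and only reaches the allow branch after every check has passed on this request.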
The document makes clear that while “zero trust in OT is not a product you can buy,” purchasing decisions, especially in sectors with long refresh cycles, are fundamental to security success, said Patrick Miller, CEO of Ampyx Cyber, an industrial security consulting firm.
“Procurement is a security control, not an accounting function,” he said. “Every purchase order is a security decision,” he added, calling that recognition “the most important shift in this document.”
“You can’t patch your way out of legacy,” he concluded.
OT owners and operators can’t even patch their way to security, pointed out Alison King, vice president of government affairs at Forescout, a cybersecurity vendor. The most important elements in the guidance are those that will help operators deal with the accelerated threat environment they are already facing, in which the latest artificial intelligence large language models can find vulnerabilities and stitch them together into exploits in minutes or hours, not days or weeks, she said.
“These zero trust principles are essential,” she said, “but I would double down even further. Which are the most essential? It is going to be the continuous [monitoring and] enforcement piece. This is going to systematically reduce your most serious risks.”
The OT sector would also have to get over its aversion to security automation, she said. “You cannot be fast enough, you cannot move at machine speed. These are the new fundamentals.” She added that “more robust governance structures” were needed to keep human judgments in the loop.
Ultimately, the guidance just doesn’t add much to the conversation, said Dale Peterson, CEO of OT cybersecurity consultancy Digital Bond. “The document is not bad or wrong, it’s just not that helpful. It’s overly broad, … It’s high level, and this information is well known by anyone looking.”
