Use Case 6 - Secure Operational Technology and Internet of Things Devices
Zero Trust architecture eliminates the traditional chokepoints seen in the legacy Trusted Internet Connection (TIC) and the DoD Joint Regional Security Stacks (JRSS)/Internet Access Points (IAP)/Cloud Access Points (CAP). Decentralizing these chokepoints into a distributed architecture that aligns with the NIST Special Publication 800-207 PEP/PE/PDP framework may improve security and support digital transformation initiatives. Creating secure access from anywhere on any network, giving a user the right access under the right conditions, is vital. NIST SP 800-207 outlines three approaches to Zero Trust: software-defined perimeter and network infrastructure, identity governance, and application micro-segmentation. While all three areas may interact, each focuses on a specific piece of an access attempt.
- Software-defined perimeter and network infrastructure are focused on delivering and routing network and internet traffic.
- Identity governance is focused on uniquely identified people or things requesting access.
- Application micro-segmentation is focused on network segmentation but also relies on identity governance.
CURRENT STATE APPROACH
- IT and OT networks are traditionally separate network infrastructure (air-gapped). With the advent of IoT devices, the lines between IT and OT blur where many organizations leverage shared infrastructure, creating security challenges.
- Devices may not have default settings for strong encryption and authentication.
- OT may not always be segmented from networked equipment.
ZERO TRUST OBJECTIVE
- A growing number of attacks happening today are accomplished through unguarded backdoors and highly exposed critical infrastructure.
- ZT principles need to apply to non-traditional systems (e.g., IoT, ICS, and OT).
- User/admin access to these systems and the communications between these systems need to adopt the same ZT principles as seen in the other use cases, including least privilege, context-aware conditional access, micro-segmentation, traffic analysis, and integration into other operational and management technologies.
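The objective above combines identity (who is asking), device posture and context (from where, on what, when) before an operator or administrator touches an OT asset. The following is an added illustration, not part of this use case document or any product: a toy Policy Engine/Policy Decision Point in the NIST SP 800-207 sense, with a Policy Enforcement Point that defaults to deny and logs every decision. The asset name, roles, network segments, maintenance window and posture signals are all constructed for the example.

```python
"""Context-aware conditional access for operator access to an OT asset.

Added example: a toy PE/PDP that evaluates identity, device posture, network
context and time, plus a PEP that enforces the decision. Every name and
threshold here is constructed; none comes from a real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # roles from identity governance
    mfa_verified: bool        # strong authentication completed this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in the organization's device management
    patch_level_ok: bool      # posture signal reported by the endpoint agent


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    allowed_segments: frozenset        # segments a request may originate from
    maintenance_window_utc: tuple      # (start_hour, end_hour) when writes are allowed


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    action: str               # "read" (monitor) or "write" (change config/setpoint)
    source_segment: str       # network segment the request arrives from
    at: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list             # empty when allowed, else every failed condition


def decide(req: Request) -> Decision:
    """Policy Engine: evaluate every condition; any failure denies the request."""
    reasons = []
    if req.resource.required_role not in req.subject.roles:
        reasons.append(f"role {req.resource.required_role} required")
    if not req.device.managed:
        reasons.append("unmanaged device")
    if not req.device.patch_level_ok:
        reasons.append("device posture: out of date")
    if req.source_segment not in req.resource.allowed_segments:
        reasons.append(f"segment {req.source_segment} not permitted")
    if req.action == "write":
        # Changes to a controller need stronger assurance than monitoring.
        if not req.subject.mfa_verified:
            reasons.append("write requires MFA")
        start, end = req.resource.maintenance_window_utc
        if not (start <= req.at.hour < end):
            reasons.append("write outside maintenance window")
    elif req.action != "read":
        reasons.append(f"unknown action {req.action!r}")
    return Decision(allow=not reasons, reasons=reasons)


def enforce(req: Request, log: list) -> bool:
    """Policy Enforcement Point: default deny, and record every decision."""
    d = decide(req)
    log.append({"user": req.subject.user, "resource": req.resource.name,
                "action": req.action, "allow": d.allow, "reasons": d.reasons})
    return d.allow


# Constructed OT asset: a line PLC reachable only from the OT operations jump host,
# with a 02:00-06:00 UTC window for configuration changes.
PLC = Resource(name="plc-line-3", required_role="ot-operator",
               allowed_segments=frozenset({"ot-ops-jumphost"}),
               maintenance_window_utc=(2, 6))


def demo() -> dict:
    """Run a handful of constructed access attempts and return decisions plus log."""
    log = []
    alice = Subject("alice", frozenset({"ot-operator"}), mfa_verified=True)
    bob = Subject("bob", frozenset({"ot-operator"}), mfa_verified=False)
    good_dev = Device("ws-0101", managed=True, patch_level_ok=True)
    byod = Device("phone-77", managed=False, patch_level_ok=True)
    in_window = datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc)
    out_window = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
    jh = "ot-ops-jumphost"
    results = {
        "alice_read": enforce(Request(alice, good_dev, PLC, "read", jh, out_window), log),
        "alice_write_in_window": enforce(Request(alice, good_dev, PLC, "write", jh, in_window), log),
        "alice_write_out_of_window": enforce(Request(alice, good_dev, PLC, "write", jh, out_window), log),
        "bob_write_no_mfa": enforce(Request(bob, good_dev, PLC, "write", jh, in_window), log),
        "alice_byod_read": enforce(Request(alice, byod, PLC, "read", "corp-wifi", out_window), log),
    }
    return {"results": results, "log": log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The design point is that the decision is a conjunction of independent signals, so one strong factor (a valid role, or MFA) never compensates for a missing one (an unmanaged device, the wrong segment), and every denial carries the reasons, which is what traffic analysis and SOC review need.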
VALUE PROPOSITION FROM ZERO TRUST APPROACH
- Zero Trust isolates critical systems without re-IP-addressing the devices or fragmenting networks with VLANs.
- Zero Trust protects data in motion with FIPS-certified encryption.
- Zero Trust policies enforce condition-based least privilege.
- ZT technologies that are agnostic to underlying infrastructure will give organizations the flexibility to secure IoT, ICS, and SCADA systems regardless of where they are hosted.
- Applying ZT principles to IoT, ICS, and SCADA systems mitigates multiple vulnerabilities that are often overlooked because of the typical separation between innovative IT security and OT technologies.
WHERE TO GET STARTED
- Identify the environment to conduct Proof of Concept or Pilot.
- Capture and document the security and compliance requirements for micro-segmentation (NIST SP 800-53 and SP 800-82).
- Capture and document success criteria for implementing a ZT-enabled micro-segmentation architecture as applied to IoT, OT, and SCADA.
- Create a Test Plan with success criteria for each requirement and use case.
- Collect existing information on users and components in the security boundary, leveraging hardware and software asset management tools.
- Conduct discovery to understand the system dependencies and flows in the environment.
- Create design and architecture documentation and an implementation and integration plan.
- Deploy the micro-segmentation solution.
- Execute Test Plan and Capture Results.
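The steps above run from asset inventory through discovery, design, deployment and a test plan. The following is an added example, not part of this use case document or of any vendor's micro-segmentation product, that walks the same sequence in miniature: an asset inventory maps IP addresses to device identities (so the policy is written against identities and no re-addressing is needed), passively discovered flows are baselined into an identity-based default-deny allow list, rarely seen or unknown-asset flows are routed to review instead of being auto-allowed, and a test plan of expected allow/deny cases is executed against the result. The inventory, addresses, flow counts and the review threshold are all constructed.

```python
"""From discovered OT flows to a default-deny micro-segmentation policy.

Added example. Assumes (a) an asset inventory keyed by IP address that yields
a device identity and zone, and (b) flow records from passive discovery as
(src_ip, dst_ip, proto, dst_port, observation_count). Everything here is
constructed; the port numbers are only the conventional ones for the
protocols named in the comments.
"""

# Step "collect existing information ... asset management tools" (constructed)
INVENTORY = {
    "10.10.1.10": {"id": "hmi-01", "zone": "ot-supervisory"},
    "10.10.1.11": {"id": "historian-01", "zone": "ot-supervisory"},
    "10.10.2.20": {"id": "plc-line-3", "zone": "ot-control"},
    "10.10.2.21": {"id": "plc-line-4", "zone": "ot-control"},
    "10.10.9.5": {"id": "eng-ws-07", "zone": "ot-engineering"},
}

# Step "conduct discovery ... dependencies and flows" (constructed records)
DISCOVERED = [
    ("10.10.1.10", "10.10.2.20", "tcp", 502, 1400),    # HMI polling PLC (Modbus/TCP)
    ("10.10.1.10", "10.10.2.21", "tcp", 502, 1350),
    ("10.10.2.20", "10.10.1.11", "tcp", 44818, 900),   # PLC to historian (EtherNet/IP)
    ("10.10.9.5", "10.10.2.20", "tcp", 502, 3),        # one-off engineering session
    ("10.10.9.99", "10.10.2.20", "tcp", 502, 50),      # source not in inventory
]

# Constructed threshold: flows seen fewer times than this go to human review.
MIN_OBSERVATIONS = 10


def baseline(flows, inventory):
    """Translate IP flows into identity flows and split them into three buckets.

    Returns (rules, review, unknown):
      rules   - identity flows seen often enough to become allow rules
      review  - identity flows seen too rarely to auto-allow
      unknown - flows involving an address the inventory cannot identify
    """
    rules, review, unknown = set(), [], []
    for src, dst, proto, port, count in flows:
        if src not in inventory or dst not in inventory:
            # Never write a rule for an asset you cannot name: that is a
            # discovery gap to close, not traffic to permit.
            unknown.append((src, dst, proto, port))
            continue
        key = (inventory[src]["id"], inventory[dst]["id"], proto, port)
        if count >= MIN_OBSERVATIONS:
            rules.add(key)
        else:
            review.append(key)
    return rules, review, unknown


def render_policy(rules):
    """Step 'design and architecture documentation': a readable rule list."""
    lines = [f"allow {s} -> {d} {p}/{port}" for s, d, p, port in sorted(rules)]
    return lines + ["deny any -> any"]


def is_allowed(rules, src_id, dst_id, proto, port) -> bool:
    """Enforcement check: default deny; only baselined identity flows pass."""
    return (src_id, dst_id, proto, port) in rules


# Step "create a test plan": (description, identity flow, expected decision)
TEST_PLAN = [
    ("HMI polls PLC line 3", ("hmi-01", "plc-line-3", "tcp", 502), True),
    ("PLC reports to historian", ("plc-line-3", "historian-01", "tcp", 44818), True),
    ("rare engineering access is not auto-allowed", ("eng-ws-07", "plc-line-3", "tcp", 502), False),
    ("historian cannot write to PLC", ("historian-01", "plc-line-3", "tcp", 502), False),
    ("no PLC-to-PLC traffic was observed, so none is allowed", ("plc-line-3", "plc-line-4", "tcp", 502), False),
]


def run_test_plan(rules, cases):
    """Step 'execute test plan and capture results': (description, passed) per case."""
    return [(desc, is_allowed(rules, *flow) == expected) for desc, flow, expected in cases]


if __name__ == "__main__":
    rules, review, unknown = baseline(DISCOVERED, INVENTORY)
    print("\n".join(render_policy(rules)))
    print("needs review:", review)
    print("unknown assets:", unknown)
    for desc, ok in run_test_plan(rules, TEST_PLAN):
        print("PASS" if ok else "FAIL", desc)
```

Two caveats the code encodes on purpose: a flow to or from an address the inventory cannot identify is never turned into a rule, however often it was seen, and a rarely observed flow lands in the review list rather than the policy, so the engineering session is a conscious decision (for example, a time-bounded rule) rather than a permanent hole inherited from the baseline.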