The Industrial Internet of Things (IIoT) is pushing the control sphere to incorporate a wide range of data sources beyond traditional control system boundaries. Cloud computing, edge devices and mobile human-machine interfaces (HMIs), along with the more ‘traditional’ access via VPN and similar techniques for remote support by staff and/or suppliers continue to challenge the commonly accepted practice of separating information technology (IT) and operations technology (OT) networks with a demilitarized zone (DMZ).
Traditional network security is based on a concept known as castle-and-moat, where it's difficult to gain access from the outside, but there's default trust with everyone in the network. IEC 62443 breaks the network into smaller clusters called zones based on the role or functions of the devices in a zone, and then closely monitors and manages communications through the conduits connecting the zones. Zones can be considered somewhat analogous to the VLANs that are used in the IT space.
Moats around castles no longer suffice
Unfortunately, as we all know and history has shown, once you cross the moat (firewalls) the primary defense is compromised. Statistics from a wide variety of sources indicate that internally initiated cyberattacks—which include infected USB sticks—represent roughly 43% of all cyber incidents. Despite awareness of this statistic, the number does not seem to be going down.
So, because a significant portion of cyber events start inside the moat and there are now numerous data sources that reside outside the moat, perhaps we should consider a new approach.
The “Zero Trust Network,” or “Zero Trust Architecture” (ZTA) model, was created in 2010 by John Kindervag, who was a principal analyst at Forrester Research Inc., as a response to the challenge of how to manage cybersecurity inside and outside the moat.
Zero Trust Networking is a security model that stops lateral movement within the corporate network. It uses micro-segmentation and adds granular perimeters at critical locations in the network. Zero Trust Networking also eliminates the drawback of the traditional perimeter-based security model by completely removing the trust granted to internal users and tightening security around valuable assets.
Zero Trust is not about making a system trusted, but instead about eliminating trust. In Zero Trust, you identify a “protect surface.” The protect surface is made up of the network’s most critical and valuable data, assets, applications and services (DAAS).
Every access point on the network is granted access under a Zero Trust policy that considers who, what, when, where, why and how, and only for the limited time needed to accomplish a specific task. This means you'll likely have different levels of trust if you access the network from the office, from your mobile device, from a hotel or coffee shop, or from home. Despite this statement, Zero Trust isn't dependent on a location. Users, devices and application workloads are everywhere, so Zero Trust must be proliferated across your entire environment.
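The following Python example, added here and not part of the original article, ties together the IEC 62443 zones and conduits described earlier and the who/what/when/where/how policy just described. It models a deny-by-default access decision for a small protect surface: a request is allowed only if the source zone has a conduit to the zone holding the resource, the requested service is permitted on that conduit, the device has passed a posture check, and the caller's role is authorized for that service on that resource. Successful decisions yield a time-limited grant. The zone names, conduit rules, roles, resource names and sample requests are all constructed for illustration.

```python
"""Deny-by-default Zero Trust decision over IEC 62443-style zones and conduits.

Added example; the topology, roles and resources below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Zones group devices by role (constructed sample topology).
ZONES = {"enterprise_it", "dmz", "supervisory", "control"}

# Conduits are the ONLY permitted zone-to-zone flows, each with an allowed
# service set. Anything not listed here is denied (micro-segmentation).
CONDUITS = {
    ("enterprise_it", "dmz"): {"https"},
    ("dmz", "supervisory"): {"opc-ua"},
    ("supervisory", "control"): {"modbus"},
}

# Protect surface (DAAS): resource -> zone in which it lives.
PROTECT_SURFACE = {"plc-01": "control", "historian": "supervisory", "hmi-web": "dmz"}

# Role policy: which (resource, service) pairs a role may use.
ROLE_POLICY = {
    "control_engineer": {("plc-01", "modbus"), ("historian", "opc-ua")},
    "analyst": {("historian", "opc-ua"), ("hmi-web", "https")},
}


@dataclass
class Request:
    who: str             # authenticated identity
    what: str            # resource in the protect surface
    how: str             # service / protocol requested
    where: str           # zone the request originates from
    device_trusted: bool  # device posture check result
    role: str
    when: datetime


@dataclass
class Grant:
    who: str
    what: str
    how: str
    expires: datetime


def decide(req: Request, ttl_minutes: int = 15) -> Tuple[bool, str, Optional[Grant]]:
    """Evaluate every check; the first failure denies. Returns (allowed, reason, grant)."""
    if req.what not in PROTECT_SURFACE:
        return False, "resource not in protect surface", None
    if req.where not in ZONES:
        return False, "unknown source zone", None
    if not req.device_trusted:
        return False, "device posture check failed", None

    target_zone = PROTECT_SURFACE[req.what]
    # Cross-zone traffic must traverse a defined conduit permitting this service.
    if req.where != target_zone:
        allowed_services = CONDUITS.get((req.where, target_zone))
        if allowed_services is None:
            return False, f"no conduit from {req.where} to {target_zone}", None
        if req.how not in allowed_services:
            return False, f"service {req.how} not permitted on conduit", None

    # No implicit trust inside a zone either: the role must still be authorized.
    if (req.what, req.how) not in ROLE_POLICY.get(req.role, set()):
        return False, f"role {req.role} not authorized for {req.how} on {req.what}", None

    # Access is granted only for a bounded window tied to this request.
    grant = Grant(req.who, req.what, req.how, req.when + timedelta(minutes=ttl_minutes))
    return True, "allowed", grant


def grant_is_valid(grant: Grant, now: datetime) -> bool:
    """A grant stops working once its window has elapsed; re-evaluation is required."""
    return now < grant.expires


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    samples = [
        Request("alice", "plc-01", "modbus", "supervisory", True, "control_engineer", now),
        Request("alice", "plc-01", "modbus", "enterprise_it", True, "control_engineer", now),
        Request("bob", "plc-01", "modbus", "control", True, "analyst", now),
        Request("alice", "plc-01", "modbus", "supervisory", False, "control_engineer", now),
    ]
    for r in samples:
        ok, reason, g = decide(r)
        print(f"{r.who}@{r.where} -> {r.how}/{r.what}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

The second sample request is the lateral-movement case: the same authorized engineer is refused when the request originates in the enterprise zone, because no conduit leads from there to the control zone. The third shows that being inside the control zone buys nothing by itself; the analyst role is still denied. Every allow carries an expiry, so the decision is re-run rather than remembered.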
Consider these statistics: the 2017 Annual Cybercrime Report from Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. IT and OT systems are relying on access to devices outside the firewall as inputs to real-time control and decision analysis, and this trend is only expected to increase as we further expand the use of edge devices, edge computing and cloud-based systems.
Google is a believer. It started implementing ZTA in its systems in 2014 as part of its BeyondCorp initiative, which is now rolled out as the basis for system access with proven results.
Though just gaining traction, Zero Trust with its granularity and real-time focus is consistent with core concepts of all the cybersecurity models in use today, while also forming the basis for the integrated systems of the future.
About the author: Ian Verhappen