Zero-trust security is essential to enterprises that are converging operational technology (OT) with IT infrastructure. New research from Enterprise Management Associates (EMA) identified how this convergence influences zero-trust strategy and implementation.
Companies have historically secured OT systems – which include physical security controls, HVAC systems, industrial control systems like factory automation equipment, and medical scanning equipment – by air-gapping them. Physical isolation from IT networks protects OT systems against threats, but it also prevents companies from driving more automation, efficiency, and intelligence into business operations.
Why IT/OT convergence is happening
Companies want flexibility in how end users and business applications access and interact with OT systems. For instance, air-gapped medical imaging equipment in a hospital requires a doctor to interact physically with the equipment to access their patient’s imagery. IT/OT convergence allows those doctors to access medical imagery from anywhere.
Enterprises also want to extract data from OT systems, which requires network connectivity. For example, manufacturers can pull real-time data from their assembly lines so that specialized analytics applications can identify opportunities for efficiency and predict disruptions to production.
While converging OT onto IT networks can drive innovation, it exposes OT systems to the threats that proliferate the digital world. Companies often need new security solutions to protect OT. EMA’s latest research report, “Zero Trust Networking: How Network Teams Support Cybersecurity,” revealed that IT/OT convergence drives 38% of enterprise zero-trust security strategies.
Zero-trust security is the application of granular authentication, authorization, and segmentation policies and controls to ensure least privilege access to networks. Zero trust often involves continuous verification of authorized access by analyzing behavior and challenging devices and users to reauthenticate themselves. Zero trust is especially valuable to OT convergence because it can authenticate access based on factors other than user identity, and it can apply granular network segmentation to restrict what kinds of communications OT devices can have on an IT network.
Strategic principles of zero trust for OT
EMA’s new zero-trust research, based on a survey of 270 IT professionals, found that IT/OT convergence correlates with a different approach to this security model. For instance, the top two guiding principles of zero-trust initiatives in general are (1) preventing unauthorized access and (2) preventing zero trust from negatively impacting network performance and user experience.
With OT-focused zero trust, enterprises are less concerned about network performance impacts. Instead, they place a greater premium on management simplicity. OT convergence adds network complexity by expanding the number of devices that need to connect and increasing the amount of segmentation needed to isolate those devices. Zero-trust architectures that are built for management simplicity can mitigate these issues.
OT requirements for zero trust
IT/OT convergence leads enterprises to set different priorities for zero-trust solution requirements. When modernizing secure remote access solutions for zero trust, OT-focused companies have a stronger need for granular policy management capabilities. These companies are more likely to have a secure remote access solution that can cut off network access in response to anomalous behavior or changes in the state of a device.
When implementing zero-trust network segmentation, OT-focused companies are more likely to seek a solution with dynamic and adaptive segmentation controls. These companies also perceive a greater need for a network observability tool that can support zero trust. Typically, they want an observability tool that can facilitate access policy design.
OT challenges to zero trust
EMA’s research asked respondents to identify various challenges to their zero-trust projects. Our analysis found that OT-driven projects had a few unique issues. First, we found that these companies are more likely to struggle with adapting legacy secure remote access technologies like VPNs to zero-trust requirements.
Moreover, OT-focused companies were more likely to perceive an overall lack of effective zero-trust products on the market. Apparently, most zero-trust solution providers are focused on traditional IT use cases, rather than OT. These companies were also more likely to tell EMA that their network observability tools are failing to support zero trust, suggesting that they need new monitoring tools that can extend their visibility into OT systems.
To learn more about EMA’s new zero-trust networking research, check out this free on-demand webinar, which highlights our key findings.
Source:: Network World