Forrester Research first introduced the concept of “Zero Trust” in 2010. This concept emphasizes the need for a security framework that does not automatically trust any user or device inside or outside the network. This approach prioritizes continuous verification and stringent access controls to safeguard sensitive information.
In April 2021, the Department of Energy (DOE) issued a request for information (RFI) regarding the continued security of critical infrastructure. The goal of the RFI was to replace an existing executive order by introducing Zero-Trust Architecture (ZTA) – a security model that seeks to eliminate the concept of trusted and untrusted networks. Although it is technically possible to implement zero-trust principles without using a software-defined network (SDN), management and deployment would be more complex. ZTA consists of three key concepts:
- All resources are accessed securely regardless of physical or network location or ownership
- Adoption of the least privileges and enforced access control
- Inspection and logging of all traffic
Zero Trust challenges the assumptions of traditional perimeter network defenses by enforcing adaptive controls and continuously verifying trust. This proactive approach empowers organizations to prevent unauthorized access, contain security breaches, and limit an attacker’s lateral movements, including addressing the insider threat.
Purdue Enterprise Reference Architecture (PERA)
At a high level, an automation system can be divided into the following zones:
- The Public internet zone is the least trusted and corresponds to external users, or vendors, that require remote maintenance access through the public Internet.
- The Enterprise zone corresponds to the utility business network. All devices within this zone comply with corporate IT policies and meet baseline security requirements. Corporate IT will generally subdivide the enterprise network into additional zones based on geography or functions, such as accounting and engineering. Some of the enterprise-level users will require access to systems at the next, more secure level.
- The DMZ zone contains trusted systems that communicate with critical power plant and substation resources. This zone is often referred to as the demilitarized zone because it acts as a buffer between trusted and untrusted zones. It contains physical or virtualized servers, replicated services, access control systems, and monitoring systems. It would also contain servers acting as intermediate devices that provide access to the SCADA zone.
- The SCADA zone is the most trusted and contains assets, such as PLCs, data concentrators, and protective relays. Data processing capabilities are being added to reduce dependency on the network connection to the enterprise. It may now include authentication servers, event processing systems, data loggers, automated password management, configuration management software, database servers, and historians.
Zero-Trust Model
The Zero-Trust Model proposes a shift from a perimeter defense approach to an access-based defense. It assumes the network is always hostile, and each interaction needs to be thoroughly verified. The thoroughness of the ZTA model ensures a high level of security and includes three primary qualities:
- Role-based access: the concept of least privilege is adopted to restrict access to users who legitimately need access to a resource
- Micro-segmentation: a security technique that enables the application of security policies to the connected devices, applications, and data flow
- Adaptable trust: the constant monitoring of all transactions
The model described below is based on Google’s corporate ZTA [Osborn et al., 2016]. In contrast to the PERA model, it segregates every device and resource by level. The high-level data flow is illustrated in the figure below, which shows the data flow of a device attempting to access a resource.
Data Flow Example
Consider a user who is about to change the map on an intelligent electronic device (IED) in a busy substation, a change intended to improve communication and operational efficiency. The request proceeds as follows:
- The request is sent to the access proxy with the credentials, the MFA token, and the device certificate.
- The Access Control Engine uses the inventory databases to verify that the credentials are correct, and that the device is in an appropriate state.
- It verifies that the user/device pair is allowed access to the specific resource according to the Access Policy and that the request received a sufficient trust score.
- The request is finally forwarded to the correct gateway, and then the appropriate IED.
Note that in the above example, although the user may have the correct credentials and privileges to access a resource, access may be denied based on the access policy. This can happen if the device or application is not recognized or the access policy prevents access. Similarly, a technician who typically does not have permission to download firmware to the device may be granted access by the access policy under certain circumstances.
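The following is an added example, not code from the original article or from Google's BeyondCorp: a simplified Access Control Engine decision for the IED request described above, using a constructed device inventory, user directory and access policy. The trust-score weights and the `emergency` flag that models the "certain circumstances" under which policy may widen access are assumptions.

```python
from dataclasses import dataclass

# Constructed device inventory: certificate fingerprint -> device record (assumption)
DEVICE_INVENTORY = {
    "sha256:aa11": {"owner": "alice", "managed": True, "patched": True},
    "sha256:bb22": {"owner": "bob", "managed": True, "patched": True},
    "sha256:cc33": {"owner": "alice", "managed": True, "patched": False},
}
# Constructed user directory: user -> roles
USER_ROLES = {"alice": {"protection-engineer"}, "bob": {"field-technician"}}
# Constructed access policy: (resource, action) -> permitted roles, minimum trust
# score, and an optional emergency exception (assumption) that widens the roles
ACCESS_POLICY = {
    ("ied-sub7", "change-map"): {"roles": {"protection-engineer"}, "min_trust": 70},
    ("ied-sub7", "download-firmware"): {"roles": {"protection-engineer"}, "min_trust": 90,
                                        "emergency_roles": {"field-technician"}},
}

@dataclass
class Request:
    user: str
    mfa_ok: bool              # result of MFA token verification
    device_cert: str          # fingerprint presented with the device certificate
    resource: str
    action: str
    emergency: bool = False   # declared maintenance emergency (assumption)

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); allowed requests name the gateway to forward to."""
    device = DEVICE_INVENTORY.get(req.device_cert)
    if device is None:                      # unrecognised device: denied even with valid creds
        return False, "device not in inventory"
    if device["owner"] != req.user:         # the user/device pair must match the inventory
        return False, "device not assigned to this user"
    if not req.mfa_ok:
        return False, "MFA verification failed"
    rule = ACCESS_POLICY.get((req.resource, req.action))
    if rule is None:
        return False, "no policy entry for resource/action"
    allowed_roles = set(rule["roles"])
    if req.emergency:                       # policy may widen access under certain circumstances
        allowed_roles |= rule.get("emergency_roles", set())
    if not USER_ROLES.get(req.user, set()) & allowed_roles:
        return False, "role not permitted by access policy"
    score = 50 * device["managed"] + 50 * device["patched"]   # device-state weights are assumptions
    if score < rule["min_trust"]:
        return False, f"trust score {score} below required {rule['min_trust']}"
    return True, f"forward to gateway for {req.resource}"
```

The unpatched device and the unknown certificate both fail even though the user's credentials are valid, which is the denial case the note above describes.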
Zero-Trust Considerations for OT Systems
OT environments have unique challenges with regard to zero-trust implementation. Many organizations have strong justifications for operating legacy equipment. Upgrading older equipment may have unintended consequences, primarily when it uses unique protocols. This presents a significant challenge in securing communications and enforcing micro-segmentation.
Many legacy devices were designed for a single-user application. Within the OT environment are “zones of trust” – areas where multiple OT assets interact and must have implicit trust to perform their primary function. OT environments are static, purpose-built, and have predictable behavior. Typically, OT systems do not have access to the access policy, which normally resides in the cloud.
Planning for a Zero-Trust System
When planning to deploy a zero-trust system in an OT environment, consider the following steps:
- Understand the system’s functionality and how security controls may affect the system’s performance. Define the attack surface to be protected. This includes, but is not limited to, mission-critical assets, functions and services, personnel roles and skills, and how they interact with each other and with the system.
- Determine zones of trust and identify communication flows between different zones of trust. Define data flow diagrams that include devices, users, and functions that interact with data.
- Select appropriate technology for your specific requirement.
- Enforce a trust policy based on the organization’s security policy.
- Continuously monitor and improve your system. This may include a SIEM (security information and event management) solution that aggregates and interprets logs from both enterprise and industrial assets, or an IDS/IPS capable of dissecting the payload of OT protocols.
Enhancing your security posture is a continuous journey after adopting Zero Trust. While you can’t control the cyber threat landscape, you can shape your response to effectively safeguard your assets.