From IT to OT: Extending Zero Trust Principles for Greater Resiliency

A “Zero Trust” cybersecurity model has been one of the most important innovations in organizational risk management in recent years. It constitutes a fundamental shift in mitigating risk, but one that is still not widely adopted or even understood. This is why, throughout Cybersecurity Awareness Month in October, the Cybersecurity Tech Accord will be breaking down the core elements of “Zero Trust” architecture in a new blog series – Never Trust, Always Verify. The series will feature expert voices from across Cybersecurity Tech Accord signatories breaking down what Zero Trust is, what is isn’t, and how to have an informed conversation to ensure your organization is employing best practices for security.

The series will include entries on:

  1. Zero Trust in IT and OT systems – Schneider Electric
  2. Strong authentication for Zero Trust – Balasys
  3. Zero Trust access policies – Safe PC Solutions/Safe PC Cloud
  4. Micro-segmentation in Zero Trust
  5. Automation and leveraging AI for Zero Trust

Christophe Blassiau, SVP Cybersecurity & Global CISO – Schneider Electric

As our enterprise systems become increasingly interconnected, the surface area for cyberattacks on operational technology (OT) environments has expanded exponentially and will continue to do so.

Sophisticated cyber criminals understand the potential that can be reaped from targeting OT environments. As an example, hackers used Triton malware to infiltrate the critical safety systems of an industrial facility in Saudi Arabia back in 2018. The malware was designed for hackers to take control and monitor industrial facility processes.

The vulnerability of OT environments was highlighted in recent research from Gartner. The firm predicted that by 2025, cyber criminals will have weaponized OT environments to successfully harm or kill humans. According to the research, cyberattacks are evolving from simply causing immediate process disruptions, such as plant shutdowns, to ones that intentionally cause physical harm by compromising the integrity of industrial environments.

As many of Schneider Electric’s customers operate critical infrastructures, we are committed to helping manage cybersecurity threats to their OT environments of which we are part. Zero trust is at the core of our strategy, and in this blog, we share our approach and experience as to how we work with our customers to implement zero trust in OT environments.

Beyond IT: Implementing it in OT environments

The phrase “zero trust” often evokes uncertainty in cyber professionals as it lacks a single authoritative definition and universally accepted implementation guidelines and precedents. This is particularly true for OT environments, as there are extensive misconceptions of zero trust for these systems, to the point where there is a belief that zero trust and OT are simply not compatible.

However, Schneider Electric believes that an adaption of zero trust is as critical to OT environments as it is to IT systems.  To this extent, we recently contributed to a World Economic Forum community paper titled: The ‘Zero Trust’ Model in Cybersecurity: Towards understanding and deployment.” We firmly believe the insights in the paper can be applied to an OT environment, including this definition, which is a universal cybersecurity principle that can be applied to any vulnerable systems:

Zero trust is a principle-based model designed within a cybersecurity strategy that enforces a data-centric approach to continuously treat everything as an unknown – whether a human or a machine — to ensure trustworthy behavior.”

Schneider Electric’s own implementation of zero trust in both our IT and OT infrastructures aligns with this definition. As an example, we have developed seven Cyber Assurance Principles that are core to our cybersecurity posture, and as you can see below, we have woven zero trust into them as it applies to our company.

These principles embody a risk-centric approach which will continue to evolve as we mature our zero trust controls and capabilities. We are sharing them here to show other companies how they can begin to integrate zero trust into their security postures as well.

Principle 1: Continuous Verification, Visibility, and Validation

Visibility is vital, as you can not protect what you can’t see, and this is especially true in OT environments which are less mature regarding security than are IT environments.  We believe the systems and devices used in Schneider Electric’s and our customers’ IT and OT infrastructures should be inventoried and that their users be verified and authorized through relevant and timely data and risk management information. We have processes and tools which leverage data to verify and validate systems, devices, and users, and also identify potential compromises to critical data and systems.

Principle 2: Least-Privilege Access

Based on the concept of trusting nothing and no one and verifying everything, we believe it is critical to protect sensitive IT and OT systems, applications, and data through least-privilege access controls. We ensure that users and devices have secure access to only what is necessary to perform their functions without overprovisioning. As responsibilities and functions change, we ensure that access privileges are reprovisioned to prevent privilege creep. Also, users are assigned individual accounts where possible, and when it is not possible, generic or service accounts are secured through appropriate methods like smart card account logins for better traceability.

Principle 3: Logical and Physical Segmentation

Schneider Electric has segmentation capabilities that isolate and limit the impact of security threats through the logical and physical segmentation of data, applications, assets, and systems that are essential to critical IT (crown-jewels) and OT environments, such as shopfloors and R&D centers. This enables us to have defense-in-depth as we reduce the spread and impact of cyber incidents if and when they occur.

Principle 4: Continuous Supply-Chain Risk Awareness

Because we are part of a global supply chain, we have high security standards, but it is impossible for us to solely secure a worldwide value change. We believe that the companies we interact with must take responsibility in terms of security. Thus, using cohesively integrated security policies, processes, and controls, we collaborate with our suppliers upstream and our customers downstream to secure the entire supply chain. This includes proactive prevention and intelligence, and when necessary, reactive incident response.

Principle 5: Scale with Automation and Orchestration

Threat actors’ techniques and tactics, including the sophistication and “democratization” of attack tools, such as ransomware as a service, are much more powerful than any manual defense and response. We believe that the efficiency and scalability of our cyber defenses — including our zero trust efforts — can be enhanced through more automation and orchestration to reduce manual and time-consuming tasks that are prone to human error. 

Principle 6: Proactive Detection and Timely Response

Regardless of how strong Schneider Electric’s cybersecurity posture is, zero trust dictates that we adopt a breach mindset at all times. To protect our IT and OT assets, our strategy aligns people, process, and technology. Schneider Electric’s global cybersecurity site leaders are responsible for the application and execution of our security posture in their facilities through the use of vulnerability management as well as strong protection and threat detection capabilities that are combined with accurate and timely response. This builds incident response ownership into each risk area and ensures that it is not delegated externally.

Principle 7: Business Resilience Preparation

We cannot be only “breach ready.” We also need to be “breach resilient” which stems from a very simple philosophy:no matter how secure you think your defenses are, there is always the possibility that an attacker can infiltrate your business and take it down. At Schneider Electric, a Business and Operational Resilience Framework was established to cover both IT and OT resilience with contingency strategies, planning, and reality checks and we test these plans, when necessary, with our suppliers. We also transform each incident into a learning experience as we continuously improve our resilience framework. This helps us and our customers reconstitute mission-critical functions so we can continue operations of our IT and OT environments both during and after a disaster.

Conclusion

With the help of the zero trust definition from the World Economic Forum and the principles we have outlined here, we seek to support companies as they start to build their own zero trust strategy, not only within their IT environments, but also their OT ones as well.