From Silos to Synergy: How Zero Trust Bridges the IT/OT Security Gap
I spend quite a bit of time talking to security leaders about their operational technology (OT) security. I find that they usually fall into three categories:
- The pragmatist: They know their OT is at risk. Their job is on the line if a security incident halts operations, but their resources are slim. They’re overwhelmed by the needs of their IT/OT security and need help developing a clear path forward.
- The minimalist: They trust in tried-and-true methods like firewalls to manage their IT/OT security. Confident in their approach, they see no immediate need for more advanced strategies.
- The visionary: They acknowledge the challenges of securing their IT/OT as their organization scales. But they know what they need to prioritize. They’ve built a cross-functional security strategy and are working through the agreed-upon plan.
I understand all three groups’ perspectives and see merits in each approach. But one commonality between them is room for better communication and collaboration between their IT and OT teams. I think Zero Trust can fill this gap.
Industry 4.0: Smart everything
First, it’s important to understand the state of OT security. It has evolved in just the past few years.
Today, more and more businesses are building smart factories, smart grids, and even smart warehouses. Machines are connected to the cloud, data center, or even the internet. You have to worry about your supply chain’s security just as much as your own.
Industry 4.0 helps make processes more efficient, less hands-on, and faster. But as we connect more machines and processes, they start looking a lot like IT systems. With that comes all the vulnerabilities we already know about in IT – but in a space that hasn’t worked very closely with IT in the past.
It’s not enough to simply acknowledge that OT is going through a major evolution right now. You must pay attention to the ways it’s impacting your security and ultimately your bottom line.
Traditional OT security concerns
Traditionally, OT and IT teams worked separately. They each focused on securing their own environments.
But as systems get smarter, there’s a greater need for a single, coordinated security approach. It's crucial to develop a hybrid approach that meets the requirements of both IT and OT.
This also means rethinking traditional OT security tools. Interactive control systems that use a virtualized or containerized platform make legacy techniques like data diodes and DMZs (demilitarized zones) moot.
Also, many existing IT technologies such as antivirus or endpoint detection and response (EDR) are no longer appropriate for modern OT because they sit deep in the kernel. This slows down OT’s huge volume of interactions and can put the availability that OT environments require at risk. For today’s OT, organizations need a combination of non-intrusive host protection and network-based protection.
And it’s not something to put off. Criminal gangs and nation-state actors are using OT as a path to political and financial gains. In fact, last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that threat actors, including pro-Russian hacktivists, were actively exploiting internet-accessible OT and industrial control systems (ICS) devices.
It’s time to break down IT/OT silos
What do I think is the answer? IT and OT should stop thinking that they’re two separate entities. They must see themselves as one team. This allows them to share knowledge and combine their cybersecurity efforts across the entire network.
IT and OT need one security strategy and one security plan. Anything else will lead to inconsistencies in visibility, operational overlap, and major security gaps.
Zero Trust is the key to merging IT and OT
This is where Zero Trust comes into play. It’s a great starting point to help you build a new approach to IT/OT security.
A Zero Trust strategy speaks to everyone, from executive leadership to practitioners and application owners across IT, OT, and the entire organization. It’s designed to be simple enough to execute at the highest scale.
By assuming that nothing — inside or outside the organization — is automatically trusted, Zero Trust helps you limit access to your most critical systems. This means attackers can’t spread through your network or your supply chain.
For example, a factory might have 20,000 sensors. Why leave all of them open when only a few need to communicate with each other? This is the kind of IT/OT security gap that attackers know about and use to their advantage. With Zero Trust, you can easily get visibility into these connections, allow necessary communication, and block everything else.
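The "allow necessary communication, and block everything else" idea above, as an added example (not from the original article or any product): a default-deny check run over observed flows, plus the number of open paths a flat network of 20,000 devices leaves. The asset inventory, labels, ports and flow records are constructed for illustration.

```python
from collections import Counter

# Constructed allowlist: (source label, destination label, protocol, port).
# Labels, ports and addresses below are illustrative assumptions.
ALLOW = {
    ("sensor", "plc", "tcp", 502),        # Modbus/TCP polling
    ("plc", "historian", "tcp", 4840),    # OPC UA to the historian
}

# Constructed asset inventory mapping address -> label.
ASSETS = {
    "10.0.1.11": "sensor", "10.0.1.12": "sensor", "10.0.1.13": "sensor",
    "10.0.2.5": "plc", "10.0.3.9": "historian",
}

# Constructed flow records: (src, dst, proto, dst_port).
FLOWS = [
    ("10.0.1.11", "10.0.2.5", "tcp", 502),
    ("10.0.1.12", "10.0.2.5", "tcp", 502),
    ("10.0.2.5", "10.0.3.9", "tcp", 4840),
    ("10.0.1.11", "10.0.1.12", "tcp", 445),   # sensor-to-sensor, not needed
    ("10.0.1.13", "10.0.3.9", "tcp", 22),     # sensor to historian over SSH
    ("192.0.2.44", "10.0.2.5", "tcp", 502),   # source not in inventory
]

def decide(flow):
    """Default deny: a flow passes only if both ends are known assets
    and the labelled tuple is explicitly allowlisted."""
    src, dst, proto, port = flow
    s, d = ASSETS.get(src), ASSETS.get(dst)
    if s is None or d is None:
        return "deny:unknown-asset"
    return "allow" if (s, d, proto, port) in ALLOW else "deny:no-rule"

def summarize(flows):
    """Visibility step: count verdicts and list what would be blocked."""
    verdicts = [(f, decide(f)) for f in flows]
    counts = Counter(v for _, v in verdicts)
    blocked = [f for f, v in verdicts if v != "allow"]
    return counts, blocked

def open_paths(n):
    """Directed host pairs reachable in a flat network of n devices."""
    return n * (n - 1)

if __name__ == "__main__":
    counts, blocked = summarize(FLOWS)
    print(dict(counts))
    for f in blocked:
        print("would block:", f)
    print("flat network, 20,000 sensors:", open_paths(20_000), "paths")
```

Running the check in report-only mode against recorded flows first shows what a policy would block before it is enforced on equipment where availability matters.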
When your IT and OT teams are aligned and working towards a joint strategy, you’re prepared to reduce risk, build operational resilience, and protect your business.