Cloud Security Alliance Advocates Zero Trust for Critical Infrastructure
2024-10-31 04:34:47 Source: securityboulevard.com

Critical infrastructure, which historically has been isolated from other networks, is becoming increasingly interconnected due to the ubiquity of the internet and the growth of the cloud and the Industrial Internet of Things (IIoT), putting it more squarely in the crosshairs of cybercriminals as a target for everything from financial gain to cyberespionage to operational disruption.

The ongoing convergence of IT and operational technology (OT) is putting pressure on operators to modernize cyber-protections for a critical infrastructure (CI) security environment that is widely seen as a decade or more out of date. In June, U.S. Homeland Security Secretary Alejandro Mayorkas outlined priorities for shoring up critical infrastructure security and resiliency, writing in a memo that “the increasing interconnectivity of critical infrastructure systems and reliance upon global technologies and supply chains make these systems susceptible to a myriad of threats.”

The Cloud Security Alliance (CSA) this week released a report detailing a roadmap for implementing zero trust concepts in OT and industrial control systems (ICS) environments. Those environments come with a host of challenges: legacy systems and protocols, closed systems that are difficult to upgrade or patch, and complex networks. The steps outlined in the report are aimed at overcoming those challenges and putting zero-trust solutions in place.

Zero trust is a security environment where no person or application trying to access the network should be trusted by default. Instead, they need to be verified first.

“In an environment where security is paramount and also distinctly challenging, zero trust is not just a security upgrade but a necessity,” Joshua Woodruff, a lead author of the paper and a member of the CSA’s Zero Trust Working Group, said in a statement. “By delineating practical strategies and specific methodologies tailored for implementing a zero trust strategy into CI environments, we are helping to ensure resilience and security amidst a rapidly evolving digital technology and threat landscape.”


Critical Infrastructure Under Attack

Protecting critical infrastructure has been a key part of the Biden Administration’s cybersecurity efforts for the past three years – the government lists 16 critical infrastructure sectors, including energy, water, IT, healthcare, and financial services – and the growing threats from nation-state actors in adversary countries such as China, Russia, and Iran have put a sharp spotlight on the issue.

In April, the White House released a national security memorandum addressing critical infrastructure security, noting the rise of an interconnected and interdependent economy that includes such organizations. It also talked about an “era of strategic competition with nation-state actors who target American critical infrastructure and tolerate or enable malicious actions conducted by non-state actors. Adversaries target our critical infrastructure using licit and illicit means.”

As an example, a number of U.S. federal agencies as well as counterparts from other countries issued an advisory earlier this year about the need to defend OT systems and devices in the United States and Europe against pro-Russian threat groups. There also have been reports about government-linked bad actors from China and Iran targeting critical infrastructure in the United States, including municipal water systems.

In the CSA’s 64-page “Zero Trust Guidance for Critical Infrastructure,” the report’s authors wrote that historically air-gapped OT networks are getting more difficult to find, with modern systems interconnected through embedded wireless systems, cloud, and software-as-a-service (SaaS) applications.

“Even legacy systems interface with maintenance laptops or removable media for backups, maintenance upgrades and patches, or data transfers,” they wrote. “This shift from air gapped systems to fully integrated networks, and the associated risk, must be accounted for when creating and applying security controls.”

Crawl, Walk, Run

The CSA is advocating a five-step “crawl, walk, run” strategy for implementing zero trust principles in OT and ICS environments, noting the harsh consequences of downtime and arguing that a phased approach lets organizations avoid waiting for the perfect time to launch such a project. It supports the implementation steps outlined in a National Security Telecommunications Advisory Committee (NSTAC) report on zero trust delivered to Biden, which the CSA report authors wrote “provides an excellent background and overview and compares and contrasts different ZT references and approaches.”

The first step involves defining the protected surface through an organization-wide inventory of business and operational assets to help prioritize the implementation based on risk. The next four steps should be applied to each protected surface, starting with mapping the transaction flows by pulling in tools and technologies and documenting the work.

After that comes building a zero trust architecture, planning and designing where in the architecture zero trust policies can be enforced, and then creating those policies.

“Fine-tuning access permissions and regularly reviewing access rights ensure that users can access only the critical assets and functions required for their tasks,” the authors wrote. “Employing the principle of least privilege, access is restricted to the bare minimum required for designated tasks. This approach effectively minimizes potential attack vectors and unauthorized access.”

Once the architecture and policies are in place, the final step is ensuring continuous monitoring and real-time analysis of network traffic, user behavior, and device activity to quickly detect and respond to threats, the authors wrote.

A Growing Push

Others also are advocating for zero trust in critical infrastructure. In a blog post in June, Aria Cybersecurity Solutions said that modern network-based security protections only give a security baseline while next-generation antivirus tools don’t always prevent the increasingly sophisticated attacks launched by nation-state threat groups.

“While most current critical infrastructure cybersecurity defenses are based on solutions from the last decade, this zero-trust approach is designed to create a more generic approach to stopping the latest attacks without waiting for software updates from cyber vendors in an attempt to stop these attacks with little chance of success,” the company wrote.



Article source: https://securityboulevard.com/2024/10/cloud-security-alliance-advocates-zero-trust-for-critical-infrastructure/