Zero Trust is Good, Control is Better

Why IT/OT Convergence Requires Reliable Threat Detection

NDR and Zero Trust for reliable threat detection for IT/OT

OT networks in factories and critical infrastructures used to be shielded from the Internet. Digital transformation has since connected these formerly isolated operational technology (OT) networks with information technology (IT), which brings opportunities as well as new security challenges: OT systems are now exposed to cyber threats, and that exposure calls for robust security measures such as the Zero Trust approach.

Network Detection and Response (NDR) with AI-based analytics detects and responds to threats in real time, protects OT environments, and strengthens Zero Trust security through continuous, intelligent monitoring.

In the good old days

Not so long ago, OT networks in environments such as factories and critical infrastructures were mostly isolated from the Internet, i.e. air-gapped. With digital transformation and requirements such as remote maintenance, these once isolated OT networks are now connected to IT networks and cloud services. Two-thirds of companies already use location-independent access to the production network (OT). Improved connectivity boosts production: data can be used for predictive maintenance, load balancing and cloud-based tools, and new suppliers and sales markets open up. The same connectivity exposes the OT network to a larger threat potential. Applying the Zero Trust principle ("never trust, always verify") increases OT security: the identity and integrity of every interacting entity has to be verified on each new access request to the OT network or the respective service.

Historic machines, new connections

This IT/OT convergence increases production output and business value, but it also exposes OT environments to growing cyber threats. In addition, industrial control systems (ICS) are designed for longevity: the deployed technology can remain in operation for 20 years or more with the same engineering. There are often strong business justifications (as well as security and reliability requirements) for keeping older ICS equipment in service. At the same time, older OT devices are frequently unpatched and vulnerable, which exposes plants to production disruptions and shows that current security measures are not sufficient. Many of these long-lived devices were never designed for a world in which external connections to OT systems are a common necessity. Remember that the specification of SMB version 1, for example, was only made public (to the Samba developers, among others) in 2007.

OT Networks and Industrial Control Systems (ICS)

Convergence as opportunity and risk

As cyberattacks on industries such as manufacturing that depend on OT devices continue to increase, and ransomware groups exploit the growing attack surface, more and more organizations turn to the Zero Trust approach to minimize risk. Zero Trust starts from the principle that no network access is inherently trustworthy; it requires continuous identity verification, access restrictions and risk-based adjustments. Effective OT security as part of a Zero Trust strategy must provide visibility of OT assets, protection against sophisticated threats and compliance with stringent operational requirements. To this end, the approach relies on continuous monitoring, contextual segmentation and minimal access to secure OT assets and prevent downtime.

In environments where OT and IT converge, however, implementing Zero Trust is particularly challenging. Beyond the much larger attack surface, OT assets old and new are connected to the IT network, the cloud and the Internet, which makes them more vulnerable. And even in pure IT networks, a Zero Trust project takes years to implement.

At Exeon, we have made it our mission to close this gap by providing solutions that meet the unique security requirements of OT systems while adhering to the principles of Zero Trust. With our NDR solution, threats in converged IT and OT systems can be detected early, and risks can be minimized before they impact business operations. Exeon closes the gap between Zero Trust and OT security and offers a future-proof solution for companies facing the challenges of IT/OT convergence.

Zero Trust and its core principles

A short reminder—Zero Trust assumes that no entity, device, or network is trustworthy per se. The strategy is based on the following principles:

• Identity verification: Every access request is authenticated to ensure that only verified entities can interact with the network.

• Access control: Permissions are minimized and only granted for necessary resources.

• Risk-based adjustments: Security measures are dynamically adjusted based on real-time risk assessments.

These principles matter most where OT and IT converge, because sensitive industrial systems must be protected without disrupting operations. Organizations should take every opportunity to create and enforce Zero Trust security policies, for example through a Zero Trust IAM solution. IAM creates and enforces policies, verifies identities and establishes trustworthiness: it monitors every micro-perimeter, verifies the identity of every account requesting access and attempts to establish that account's trustworthiness through methods such as two-factor authentication (2FA).

Implementing a Zero Trust model in OT environments comes with a number of challenges, as previously mentioned, including compatibility issues with legacy systems, potential conflicts with vendor warranties and the need to address specific issues such as static passwords. Integrating Zero Trust technologies without disrupting safety-critical functions and ensuring support for system integrators and OEMs that require remote access makes the transition even more complex.

The role of NDR

Zero Trust requires identifying and prioritizing business-critical assets, mapping the transaction flows between them, building a Zero Trust architecture around the critical assets or zones, defining and implementing Zero Trust policies and, building on this, continuously monitoring the systems for anomalous activity.

ExeonTrace for reliable threat detection in OT and IT

NDR plays a crucial role in executing a Zero Trust strategy. It provides real-time visibility into IT and OT network traffic, so that threats can be detected and responded to as they occur. Typical findings are an attacker enumerating the network, lateral movement into critical OT zones, or unauthorized communication within the OT environment. An NDR solution allows an immediate response to these anomalies. NDR integrates into OT environments without agents on the devices, which makes it suitable for securing converged IT and OT systems and as a basis for extending Zero Trust principles to OT infrastructures. A clear overview of OT assets, their communication patterns and the associated risks is essential, because a lack of visibility leads to insufficient segmentation and security. With this visibility, NDR makes it easier to tailor security measures to asset classes, to define security protocols for different types of OT assets, and to detect threats proactively.
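The three findings named above (network enumeration, lateral movement into OT zones, traffic from outside reaching OT) come down to a few checks over flow records. The following Python is an added example, not ExeonTrace or Exeon code and not part of the original article; the zone ranges, the industrial-port list, the fan-out threshold and the flow records are constructed for illustration.

```python
"""Reconnaissance and lateral-movement checks over NetFlow-style records.

Added example, not ExeonTrace or Exeon code. Zone ranges, the port list, the
fan-out threshold and the flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone model: the office/IT network and the production (OT) network.
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "OT": ip_network("10.2.0.0/16"),
}

# Industrial protocols by default TCP port. The list is an assumption for this
# example; a real deployment derives it from the asset inventory.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# A source that contacts this many distinct hosts on one port within the
# analysed window is treated as a horizontal scan (tuning knob).
SCAN_FANOUT = 10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is EXTERNAL."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def detect(flows):
    """Return the distinct alerts raised by one window of flow records.

    Alert tuples:
      ("horizontal_scan", src, dport, n_hosts)         -- enumeration
      ("cross_zone_ot_protocol", src, dst, protocol)   -- IT host speaking an ICS protocol into OT
      ("external_to_ot", src, dst, dport)              -- traffic from outside both zones into OT
    """
    alerts = set()
    fanout = defaultdict(set)  # (src, dport) -> distinct destinations
    for f in flows:
        fanout[(f.src, f.dport)].add(f.dst)
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == "IT" and dst_zone == "OT" and f.dport in OT_PORTS:
            alerts.add(("cross_zone_ot_protocol", f.src, f.dst, OT_PORTS[f.dport]))
        if src_zone == "EXTERNAL" and dst_zone == "OT":
            alerts.add(("external_to_ot", f.src, f.dst, f.dport))
    for (src, dport), dsts in fanout.items():
        if len(dsts) >= SCAN_FANOUT:
            alerts.add(("horizontal_scan", src, dport, len(dsts)))
    return sorted(alerts)


# Constructed sample window: normal HMI polling of its PLC, an SMB sweep from an
# IT workstation, the same workstation reaching a PLC over S7comm, and an
# Internet host hitting RDP on an OT server.
SAMPLE_FLOWS = (
    [Flow("10.2.0.10", "10.2.1.5", 502, "tcp")] * 3
    + [Flow("10.1.5.20", f"10.1.7.{i}", 445, "tcp") for i in range(1, 13)]
    + [Flow("10.1.5.20", "10.2.1.5", 102, "tcp")]
    + [Flow("203.0.113.7", "10.2.0.50", 3389, "tcp")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The HMI polling its PLC inside the OT zone raises nothing, which is the point of zoning: the same Modbus flow from an IT workstation would. The fan-out threshold is the usual trade-off between catching slow scans and flagging legitimate asset-discovery tools; in practice it is tuned per source role rather than globally.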

Many OT assets are unprotected in their default configuration, vulnerable and difficult to patch, which makes them prime targets for attackers. Early threat detection and risk mitigation before an incident escalates are the areas where NDR uses artificial intelligence to keep OT environments secure without impacting business continuity, and to keep defenses in step with rapidly evolving, increasingly sophisticated threats.

Innovative technologies to optimize Zero Trust

• Zero Trust ready: ExeonTrace supports the implementation of Zero Trust principles through continuous, agentless monitoring of network traffic.

• Continuous verification: Detection of malicious activity and verification that segmentation policies are actually enforced.

• Real-time threat response: AI and machine learning algorithms detect anomalies and trigger a response.

• Continuous visibility: Monitoring of user and device communications to confirm that access is authenticated.

• Critical asset management: Semi-automated identification and prioritization of critical assets.

• Automated security operations: AI raises alerts (and reactions) for identified threats based on criticality; the analyst receives additional context to triage anomalies.

• Scalable Zero Trust solution: Efficient implementation for industrial and enterprise environments.

• Advanced zoning and micro-segmentation: Protects OT processes based on risk and criticality. The visibility gained allows a better understanding of communication flows and therefore supports the implementation of additional zones.

Exeon's approach: Zero Trust is IT and OT security

Exeon extends Zero Trust with technologies such as AI to automate security operations. Continuous monitoring of application communication within the NDR framework ensures that only authorized applications are active. A baseline behavior can be defined for OT resources, and an alarm is generated whenever communication deviates from it. Dashboards and APIs enable the SOC team to triage, respond quickly to threats and maintain real-time network visibility.

Exeon provides a scalable, efficient solution for implementing Zero Trust in industrial and enterprise environments, allowing organizations to protect their critical infrastructure while maintaining operational efficiency. Context-based segmentation enhances the Zero Trust capability of the OT environment by effectively isolating OT networks from enterprise IT and the Internet. Context-based segmentation also enables the segmentation of vulnerable OT networks and assets as well as critical OT processes based on risk prioritization and criticality.

For example, least privilege access can be used to control the external communications of outdated and vulnerable OT assets that are difficult to patch. Advanced zoning and micro-segmentation protect OT processes, taking asset types, process criticality and risk context into account. For older and vulnerable OT assets that "suddenly" require external communication, the following can be defined:

• least privilege access policies,

• device ID,

• app ID,

• and user ID.

Continuous verification of trust also includes continuously verifying the traffic itself, in order to detect and prevent malicious activity and protect the integrity of OT processes against attacks. By mapping and learning process and user behavior, AI can flag previously unknown communication; this is how attacks that exploit unknown (zero-day) vulnerabilities become visible even when no signature exists. At the same time, individual alerts and policy actions for events such as PLC stops and program downloads safeguard the integrity of OT processes.
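The baseline-and-deviation model described in this section, the device/app/user-bound exception for a legacy asset that needs external access, and the policy alerts for PLC stops and program downloads can be shown together on a small event stream. The Python below is an added example, not ExeonTrace or Exeon code and not from the original article; the device names, the known-good learning window, the exception rule and the live events are constructed.

```python
"""Behavioural baseline plus least-privilege policy for OT assets.

Added example, not ExeonTrace or Exeon code. The device names, the known-good
learning window, the external-access exception and the events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    device: str  # device ID of the OT asset, e.g. "plc-line1"
    peer: str    # communicating partner (device ID or host name)
    app: str     # application/protocol ID, e.g. "s7comm"
    user: str    # user ID, "-" for machine-to-machine traffic
    action: str  # protocol-level action, e.g. "read", "plc_stop", "program_download"


# Legacy asset that "suddenly" needs external access: one narrow rule binding
# device ID, peer, app ID and user ID. Anything else from that peer is denied.
EXTERNAL_EXCEPTIONS = {
    ("plc-line1", "vendor-jumphost", "vnc", "vendor.tech@oem"),
}

# Safety-relevant actions are governed by policy, never learned from traffic.
SENSITIVE_ACTIONS = {"plc_stop", "program_download"}


def learn_baseline(events):
    """Record, per device, the (peer, app, user, action) tuples seen in a known-good window."""
    baseline = defaultdict(set)
    for e in events:
        if e.action in SENSITIVE_ACTIONS:
            continue  # a stop during commissioning must not become "normal"
        baseline[e.device].add((e.peer, e.app, e.user, e.action))
    return baseline


def evaluate(event, baseline):
    """Classify one event. Default deny: what is neither learned nor explicitly allowed alarms."""
    if event.action in SENSITIVE_ACTIONS:
        return ("alert_sensitive",
                f"{event.action} on {event.device} by {event.user} via {event.peer}")
    if (event.peer, event.app, event.user, event.action) in baseline.get(event.device, set()):
        return ("allow", "matches learned baseline")
    if (event.device, event.peer, event.app, event.user) in EXTERNAL_EXCEPTIONS:
        return ("allow_exception", "explicit least-privilege rule for external access")
    return ("alert_deviation",
            f"unknown {event.app} from {event.peer} (user {event.user}) to {event.device}")


def evaluate_all(events, baseline):
    return [evaluate(e, baseline) for e in events]


# Constructed known-good window: HMI and historian poll the PLC, an engineer reads status.
LEARNING_WINDOW = [
    Event("plc-line1", "hmi-line1", "s7comm", "-", "read"),
    Event("plc-line1", "historian", "s7comm", "-", "read"),
    Event("plc-line1", "eng-ws", "s7comm", "j.doe", "read"),
]

# Constructed events to classify against baseline and policy.
LIVE_EVENTS = [
    Event("plc-line1", "hmi-line1", "s7comm", "-", "read"),                      # normal
    Event("plc-line1", "vendor-jumphost", "vnc", "vendor.tech@oem", "session"),  # allowed exception
    Event("plc-line1", "vendor-jumphost", "ssh", "vendor.tech@oem", "session"),  # wrong app ID
    Event("plc-line1", "vendor-jumphost", "vnc", "unknown.user", "session"),     # wrong user ID
    Event("plc-line1", "eng-ws", "s7comm", "j.doe", "program_download"),         # policy alert
    Event("plc-line1", "10.1.5.20", "s7comm", "-", "plc_stop"),                  # policy alert
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING_WINDOW)
    for ev, (verdict, reason) in zip(LIVE_EVENTS, evaluate_all(LIVE_EVENTS, base)):
        print(f"{verdict:16} {reason}")
```

Two design choices carry the security point: the exception for the vendor is a full (device, peer, app, user) tuple, so a different tool or a different account over the same jump host is denied rather than inherited; and PLC stops and program downloads are never learned as baseline, so a maintenance action observed during the learning window cannot later mask an attacker issuing the same command.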

Summary

Formerly isolated OT networks are now connected to IT. This IT/OT convergence increases production output and business value, but it also exposes OT environments to growing cyber threats that demand dedicated security measures. The Zero Trust principle, with its continuous identity verification and minimal access, is critical to securing these converged environments.

Implementing Zero Trust in OT environments is challenging due to compatibility issues with legacy systems and the need for continuous monitoring and risk-based adaptation. NDR improves OT security through real-time visibility and early threat detection to ensure business continuity and protection against sophisticated attacks.

For additional insights on such threat detection and security for your IT/OT environments, download our Advanced Persistent Threats (APT) Guide here!

Author: Philipp Lachberger, Head Information Security, Head Pre-Sales & Deployment
Email: philipp.lachberger@exeon.com

Published on: 17.09.2024