Cybersecurity

ak,

OT Zero Trust as a device-centric methodology

As in the IT world, cybersecurity in the OT world is also based on continuous monitoring and verification. However, with the OT cybersecurity concept "OT Zero Trust", the focus is on the devices, not the people. Dr. Terence Liu, CEO of TXOne Networks, explains the method in more detail.

Dr. Terence Liu, CEO of TXOne Networks © TXOne Networks

In the IT world, the core principle of Zero Trust is based on continuous checking and verification, which ensures that every access to interconnected services comes from an authorized identity, at the right time, from the expected source and via registered devices. "This is a very people-centric and contextual process," explains Terence Liu. "Because there is a high level of interaction between people across different services, any compromised employee can pose a threat to the entire organization."

In the OT world, on the other hand, devices and systems are rarely tied to specific people. Although damage spreads in much the same way as in the IT world, OT defenses are completely different. "At TXOne Networks, we follow the OT Zero Trust methodology, which is also a process of continuous monitoring and verification," explains Terence Liu. "However, the focus is on the devices rather than the people, and all phases of the equipment lifecycle are covered. Every piece of equipment is checked before it gets to the production line and all equipment should be continuously monitored and protected during the manufacturing process." IT staff may well sacrifice some service availability for extra security in a given period. OT staff, on the other hand, have to take the opposite approach, because system availability is the top priority in OT environments.

The OT Zero Trust methodology is a framework in which each installation is covered by at least one security measure throughout its lifecycle. The lifecycle of an installation includes pre-commissioning testing, endpoint protection and network defense.

The practical implementation of the OT Zero Trust method

"In our experience, the biggest hurdle for OT security managers is not limited budgets or a lack of cybersecurity expertise that prevents them from achieving a higher level of security," emphasizes Terence Liu. "It's a lack of manpower. Think of a factory plant with thousands of devices scattered over several acres and managed by only two professional OT security managers. That should paint a clear picture of why fancy IT security functions are not the solution."

According to Terence Liu, OT Zero Trust only makes sense if it is applied to practical security implementations. "You have to avoid raising more questions when trying to answer one question," he clarifies. "Instead, it is important to show the user the exact path to follow. The answer does not lie in the slightly different detection rates of unsuitable solutions, but in an environment that is tailored to the OT-specific security requirements and conditions."

An increased need for OT Zero Trust

In TXOne Networks' recent survey of 300 executives and OT security leaders, 94% of respondents said they had experienced OT incidents that originated in IT. "We see a clear trend that more and more ransomware-based attacks in the OT sector are targeted attacks," says Terence Liu. "If hackers are able to break through the multi-layered IT security measures and retrieve all credentials to spread ransomware in OT, it is unlikely that using the same solutions in OT will help intercept malicious acts. The only solution is comprehensive OT security awareness - a contextual, situational understanding that provides deep insight into OT activity."

In addition to checking the security level with OT-specific signature intelligence, Extended OT Zero Trust also responds to elements based on knowledge of everyday operational norms in OT. For example, Extended OT Zero Trust can reliably trigger an alarm when it sees an everyday command sent over common protocols in an operating context that has never included such protocols.
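The context check described above can be sketched as a per-asset baseline. This is an added example, not TXOne Networks' code or product logic; the asset names, protocols, commands and flow records are constructed for illustration, and the two alert names are hypothetical.

```python
from collections import defaultdict

# Constructed flow records: (phase, source asset, destination asset, protocol, command)
FLOWS = [
    ("learn",   "hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("learn",   "hmi-01", "plc-07", "modbus", "write_single_register"),
    ("learn",   "eng-ws", "plc-07", "s7comm", "read_var"),
    ("learn",   "hmi-01", "plc-09", "modbus", "read_holding_registers"),
    ("monitor", "hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("monitor", "hmi-01", "plc-07", "modbus", "write_multiple_registers"),
    ("monitor", "eng-ws", "plc-09", "smb",    "read_file"),
    ("monitor", "hmi-01", "plc-09", "s7comm", "read_var"),
]

def build_baseline(flows):
    """Learn, per destination asset, which protocols and commands are normal."""
    protocols = defaultdict(set)   # asset -> protocols seen during learning
    commands = defaultdict(set)    # asset -> (protocol, command) pairs seen
    for phase, _src, dst, proto, cmd in flows:
        if phase == "learn":
            protocols[dst].add(proto)
            commands[dst].add((proto, cmd))
    return protocols, commands

def evaluate(flows, protocols, commands):
    """Compare monitored flows with the baseline of the asset they reach."""
    alerts = []
    for phase, src, dst, proto, cmd in flows:
        if phase != "monitor":
            continue
        if proto not in protocols.get(dst, set()):
            # An everyday command, but this asset's context never had the protocol.
            alerts.append(("protocol_not_in_context", src, dst, proto, cmd))
        elif (proto, cmd) not in commands.get(dst, set()):
            # Protocol is normal for the asset, the command is not.
            alerts.append(("command_not_in_context", src, dst, proto, cmd))
    return alerts

def run():
    protocols, commands = build_baseline(FLOWS)
    return evaluate(FLOWS, protocols, commands)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The s7comm read of plc-09 is flagged although the same command is routine for plc-07: the baseline is kept per device, not per plant.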

"This contextual understanding goes beyond conventional security approaches and requires a high level of industry knowledge and technologies such as AI," explains Terence Liu. Achieving this awareness is the ultimate goal of OT Zero Trust: never trust, always verify, and do so in an industrial context.

"OT Zero Trust is a new but significant security paradigm that we need to adapt to," summarizes Terence Liu. "We are excited to see how it will unfold its potential."
