CDSA

In cybersecurity, there is a significant shift happening in which organisations are going from an implied trust to a Zero Trust (ZT) model.

As a result, many IT teams are struggling with how ZT can be implemented seamlessly across and within their organisations’ critical infrastructures.

Experts from Fortinet and research company Forrester tackled the subject on 4th Oct., during the webinar “Is Zero Trust Right for OT, Right Now?”

Brian Wrozek, principal analyst at Forrester, provided his perspective on ZT trends.

Other topics of discussion by Wrozek and Eric Schwake, director of product marketing at Fortinet, included: common misconceptions of ZT in OT, key criteria for approaching ZT implementation and aspects of successfully deploying ZT in OT environments.

What we are seeing now is a “sort of a paradigm shift with how security needs to be implemented across both IoT and OT networks, where trust is never implicitly granted for users or devices,” according to Schwake.

He told viewers:  “That trust, once it is granted, it should be continually evaluated in some fashion or another. We don’t want to just assume trust is always there. Once it’s first established, we want to have some kind of continuous validation around that trust as well.” It is a “broader approach that organisations need to take on,” he said.

He went on to ask rhetorically: “What kind of changes architecturally need to take place to start implementing some of these zero trust principles to allow for better security within an OT environment?…. What are some of the initiatives around productising this Zero Trust initiative?”

He added: “One of the first ones we often see with Zero Trust is a Zero Trust network access approach. How are we going to implement Zero Trust network access to accessing applications or other resources? It could also be some kind of segmentation or micro segmentation, which, in an OT environment, might make a lot of sense. And then also identity and authentication [have] to go into ensuring you know who the users are and establishing trust around that user themselves before they’re granted access to various systems within your organisation.”

He went on to say:  “We understand that users are going to work at a variety of locations. They’re going to work at your office or at your headquarters or at the plant where there’s OT devices. They also might be working at smaller branches or remotely. So, regardless of where the user is actually trying to connect to or what application or resource they’re trying to access … there needs to be some kind of control point in the middle of that functioning.”

One “step forward into actually providing … controls within an OT environment, I think, is a solution we have called FortiPAN…. There’s a few key capabilities from a FortiPAN perspective that I think are important to call out that might be important for your OT environment. The first is around credential management. So, if your OT environment really has devices with various credentials, perhaps those credentials aren’t changed. You don’t necessarily want to give out the credentials, to users.”

Earlier, Wrozek provided some research information. “I could probably create two or three slides when it comes to challenges in OT environments,” he said, adding: “Probably the biggest one is dealing with all the legacy technology.”

Richard Springer, director of marketing, OT Solutions at Fortinet, moderated the webinar.