Zero Trust for ICS/SCADA Systems
20/09/2021
Society today is heavily dependent on critical infrastructure that mostly works behind the scenes such as power stations, oil refineries, agriculture operations, mining, water treatment, green energy, transportation, and manufacturing operations. These systems help deliver electricity to power our homes, recharge our phones and vehicles, deliver goods using just-in-time (JIT) manufacturing processes or simply provide clean water.
We live our lives mostly unaware of how critical these systems are until they stop working, as was demonstrated when cybercriminals shut down the Colonial Pipeline earlier this year. Over the past decades, many of our critical operations have been automated so that operators can run them as efficiently as possible, controlling and monitoring much of their daily work from a console. The technology and infrastructure that have made this possible, keep these critical systems running, and give engineers visibility fall under the categories of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.
Industrial Control Systems enable operators to monitor sensors and act on what they report. In a power station, for example, the ICS regulates water pressure, increases or decreases lubricant, opens and closes valves, and keeps the facility operating as efficiently as possible. In large-scale deployments, ICS also includes SCADA systems and programmable logic controllers (PLCs), which provide the ability to interact with the ICS components and deliver commands that modify their configuration.
For many years, most of these critical operations were considered air-gapped, meaning the systems were not connected to the public internet. You could not reach them directly without first connecting to a dedicated ICS network or being physically present on the same network. In recent years, however, many of these organizations have accelerated their digital transformations, introducing faster mobile networks and cloud infrastructure. As a result, many of these so-called air-gapped networks are no longer air-gapped, and the traditional IT and OT silos have converged.
Many manufacturers have also forced some of these systems to be connected to the public internet so that data flows can be analyzed to improve services. For example, if you purchase an IoT device today, such as a smart vacuum cleaner, or a power station purchases a diesel engine, you own the physical device. But contracts for those devices are changing so that the manufacturer owns the data the device generates. That means your vacuum will be sharing your home floor plan and usage with the manufacturer, and the same goes for the diesel engine at the power station. Together, these changes mean that critical infrastructure is now at increased risk from cyberattacks.
The Executive Order highlighted the following priorities, demonstrating the importance of ICS and SCADA cyber security:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
- Modernize and Implement Stronger Cyber Security Standards in the Federal Government
- Improve Software Supply Chain Security
- Establish a Cyber Security Safety Review Board
- Create a Standard Playbook for Responding to Cyber Incidents
- Improve Detection of Cyber Security Incidents on Federal Government Networks
- Improve Investigative and Remediation Capabilities
Zero Trust and least privilege principles as a guide to cyber security
In traditional IT and Cloud systems, the move to a Zero Trust framework has been a top trend in the industry since Forrester introduced the concept in 2010. When I think about Zero Trust, I immediately home in on the principle of least privilege, which is an important foundation for a Zero Trust strategy: it ensures that a user has only the minimum privileges needed to perform a specific task. Combined with continuous verification, enforcing least privilege is essential to building the trust framework that is an integral part of a Zero Trust strategy. Keep in mind that Zero Trust is not a product or a solution, but a methodology for building digital trust based on risk.
To its credit, the Executive Order focused heavily on Zero Trust, and I really like the NSA's guidance on the Zero Trust model as a pathway to achieving a Zero Trust strategy. That's because it provides a security model and methodology, not just a checkbox. The NSA model incorporates a maturity model that makes Zero Trust a continuous journey grounded in a mindset, design principles, processes, and risks.
Zero Trust and ICS/SCADA Systems
In practical terms, the Zero Trust model works well with traditional IT and Cloud computing, where many systems and applications can operate independently. Trust is established through protocols such as authentication and authorization standards, which determine whether a user is valid and is authorized to access the resource in question.
However, when we apply Zero Trust to critical infrastructure such as systems running ICS and SCADA controls, there is a risk of causing a major disruption to those services and systems. Many ICS and SCADA control systems are designed to stay in production for years, if not decades, which means they tend to run legacy operating systems that are unpatched and vulnerable to cyber attacks. This is true of our transportation systems as well as plant operations and facilities. These systems prioritize safety above all else, and when it comes to critical infrastructure we need to start aligning cyber security with those same safety standards.