Zero trust is a paradigm shift, and not a disruptive technology. However, there are still many lingering questions about zero trust. For instance, does it imply decommissioning brownfield devices? Does it require field device updates? Does it require costly upgrades to field devices? Does it mean a quarantine colony for non-compliant devices like network admission controls? In this post, we’ll dive into what zero trust requires and discuss how zero trust is more of a paradigm shift than a costly technology.
There are several reasons organizations are resistant to implementing zero trust, including the economic, intellectual and political aspects of device transformation.
First, organizations are resistant to zero trust due to the economic aspect of device transformation. Zero trust in brownfield (legacy) devices will require a “zero cost” one-touch provisioning without hardware upgrades. With a low footprint (memory and storage) agent, this is technologically possible on resource-constrained field devices.
Second, the intellectual aspect of device transformation has slowed the adoption of zero trust. Security practitioners generally accept the goal of eliminating passwords and the need to digitally authenticate commands, and by extension responses, even when messages are left unencrypted for real-time performance (low latency) reasons. There are NIST-approved cryptographic ciphers and network layer protocols to accomplish this without requiring reengineering of line of business (LOB) applications.
Third, the political aspect of device transformation makes some organizations resistant to zero trust. Device owners want original equipment manufacturers (OEM) to protect their devices. OEMs have no financial incentives or compliance mandates to do so on legacy (in-field) devices, which would require a truck roll and field engineers. Network-based detection and prevention methods, software-defined edge (SD-Edge) and secure access service edge (SASE) solutions serve as a starting point, funded from the CISO’s IT budget, to optimize workflows across information technology and operational technology (OT) systems. However, CTOs and product security architects will have to transform devices for embedded trust in things to build out a horizontal platform for IT/OT/IoT/IIoT systems — the holy grail for digital transformation to empower machine learning and artificial intelligence applications.
Cyber insurance companies need to determine how to underwrite policies with infrastructure modernization (greenfield) and infrastructure hardening (brownfield) factored in before they pick up the tab on payouts after a cyberattack on a hybrid ecosystem with inadequate protection. The useful service lifetime of a brownfield device may ultimately determine premature retirement of the device from service with a rip-and-replace policy.
Zero trust is an explicit trust model, in contrast to an implicit trust model. While authoritative identification and mutual (two-way) authentication are core elements of foundational trust, attestable runtime operational integrity is essential for high assurance of trustworthiness. Possession of a driver’s license may suggest that the driver can be implicitly trusted, but unless the driver’s current state of mind is inspected (e.g., driving under the influence), explicit trustworthiness cannot be inferred.
Similarly, in a peer-to-peer connection, connected devices need to convey mutual trustworthiness. This may be accomplished using an immutable identity (from a hardware, firmware or software-based root of trust), and a certificate issued to the attested identity by a private, public or closed PKI system (i.e., certificate authority). Refer to this video for a compelling reason to use cryptographic keys and certificates correctly. X.509 certificates provide several benefits (with security attributes) and may be used in authentication ceremonies with the private key protected on embedded (headless) devices. This helps overcome the stigma of factory default and cached/persisted passwords being exploited to orchestrate sophisticated cyberattacks through unprotected supply chains.
Digitally signed messages help in tamper-resistant communications between authenticated peers over insecure media and/or transport protocols. Locks were intended to keep honest people honest; however, thieves break locks! Zero trust is an enhancement to blind trust in cyberspace, where nation-state and cybercrime syndicates are lurking. Traditional closed systems may also be breached through ingress points such as HMI (user) workstations, tablets, smart phones and portable media (e.g., USB). Today, insider threats are a reality (e.g., a disgruntled employee, malicious actor, espionage, social/political activism, etc.).
Whether systems are loosely coupled (open) or tightly coupled (closed/air gapped), to connect and communicate, establishing a reasonable level of trust provides cyber resilience in cyberspace, where hackers are in possession of sophisticated tools and methods to land (infect) and propagate laterally. In fact, with mutually verifiable trust, network-based intrusion detection and firewall policies could be fine-tuned to reduce false positives and true negatives.
Mocana’s TrustEdge CyberSec, described in this video, provides a solution that does not require any reengineering of LOB applications (which may not be TLS/SSL-enabled) and supports interoperability and scalability in public/private or closed PKI systems, without requiring internet connectivity. It only requires a TCP/IP network stack on the target device. The keys are automatically renewed/rotated at a configurable frequency. Certificates are auto-renewed (using the EST protocol, RFC 7030) before expiry or on demand through Mocana TrustCenter.
Certificates can be used for identification and authentication, with support for use of pre-shared keys provided as an option. The strategy required is to protect the high-value assets that are on the attacker’s radar (e.g., Windows based HMI workstations, Linux controllers). Zero trust can be implemented to the grade and degree of desired safety and protection controls.
Zero trust is not an all-or-nothing value proposition. It is about identifying high/imminent risks and addressing them head on. Is there a supply chain risk exposure? Is there an insider threat that could exploit passwords? Is there an IT policy to rotate pre-shared keys (especially when administrators change)?
Every technology has its pros and cons. TCP/IP, TLS, blockchain, and certificates are not perfect solutions, but were designed with a specific purpose (and objective) in mind and provide reasonable benefits to relevant applications. Similarly, preserving status quo with “do nothing” also has its pros and cons. The real challenge in critical infrastructure and control systems is whether field device interoperability in a multi-vendor ecosystem is addressed through specifications as an industry standard for next-generation device security.
Cybersecurity is all too often an afterthought based on compliance drivers. In isolated and controlled environments, the focus is on physical and logical access controls, and not on the sophisticated tools and methods in the arsenal of determined adversaries. That is why cyberwars are asymmetric warfare: detection is not protection.
The solution to address current cyber risks and challenges is not the responsibility of just the device owner or device operator. The current recurring costs and effectiveness of network-based detection/prevention methods must be scrutinized for incremental value and sustainability. There needs to be a modernization plan on a timeline, even if it is based on a rip-and-replace policy rather than retrofitting protection controls to extend the service lifetime of brownfield devices (by another 10+ years). Ultimately, it is for the board of directors and cyber insurance companies to objectively define and implement the grade and degree of desired safety and protection.
If you’re interested in learning more about what zero trust requires and how to implement zero trust, read more about it in our zero trust blogs.