Why the government needs zero trust to secure its operational technology
In the immediate wake of the ransomware attack last year on the Colonial Pipeline, the federal government launched a concerted effort to secure critical infrastructure systems, including operational technology (OT) at its core. And while much of the attention, understandably, has been focused on sectors such as energy, transportation and healthcare, the government itself has a glaring need to secure its own OT.
Government agencies operate the widest range of OT in the nation, ranging from hydroelectric power systems at the Hoover Dam and electric substations at military bases to medical equipment at VA hospitals and any number of systems in the 9,600 buildings the General Services Administration owns and operates. The Navy operates power control systems on ships, the Energy Department operates critical OT systems, including those involving nuclear power, and city and municipal governments have a hand in operating power, water and transportation systems.
Amid the increase in the frequency and scope of critical infrastructure attacks—many of them, like Colonial, linked to Russian groups or other foreign entities—the need has never been greater for federal, state and municipal government agencies to secure their OT. And at the center of those efforts is establishing a Zero Trust Architecture (ZTA).
All paths lead to zero trust
Earlier this year, the federal government issued a zero-trust strategy that pushes defense and civilian agencies to implement ZTAs in order to protect sensitive data. The release of that strategy followed the White House’s Executive Order on Improving the Nation’s Cybersecurity from May 2021 (shortly after the SolarWinds supply-chain attack) and a National Security Memorandum on protecting critical infrastructure, along with other measures.
The memorandum established the President’s Industrial Control System (ICS) Cybersecurity Initiative, and directed the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure. And earlier this year, the president signed the Cyber Incident Reporting for Critical Infrastructure Act into law.
A key component in every measure to shore up critical infrastructure defenses is a zero-trust strategy for OT, which will enable agencies to rapidly detect, isolate and respond to sophisticated cyberattacks. It’s the common thread for security strategies in cloud-connected computing environments in the face of an increasingly pernicious threat landscape.
OT’s vulnerabilities require a strong security response
Government agencies, from the municipal to the federal level, have the largest and most varied set of use cases that require a ZTA, because of the range of systems they operate and the weaknesses of OT security.
Most ICS and OT networks have antiquated computing systems that weren’t designed to protect critical information. Having traditionally been isolated from IT systems, they may still be running operating systems as old as Windows XP and other software that is no longer supported and can’t be patched or upgraded. They may use protocols specific to their function that inadvertently expose critical endpoints. Many also employ outdated VPN technology. Now that most OT systems have been integrated with internet-connected IT systems, those weaknesses leave agencies exposed to threat actors looking for a way into networks.
Zero-trust strategies evolved in response to the growth of distributed, cloud-based networks and the need to focus security on the continuous verification of network identities (both human and non-human) rather than defending a traditional network perimeter that frequently no longer exists. In OT environments, those identities include employees, third parties and other stakeholders who may be working remotely, as well as a growing number of Internet of Things (IoT) devices.
A zero-trust approach to OT, including modern secure remote access technologies, would drastically reduce the attack surface for government agencies. Steps would include implementing (and enforcing) multi-factor authentication (MFA), least privilege policies, network segmentation and protocol isolation, as well as comprehensive logging and monitoring procedures. Strong encryption for any communications between OT and IT systems should also be deployed.
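The controls listed above, combined into a single policy decision for OT remote access, as an added example that is not part of the original article or any agency's actual configuration. The segment names, protocols and roles are constructed for illustration; the point is that each request is checked for identity (MFA for humans, device attestation for non-human identities), least privilege, segment and protocol allowlists, and encrypted transport, and every decision is logged.

```python
from dataclasses import dataclass

# Constructed policy tables (assumed for illustration only).
# Network segmentation + protocol isolation: which source segments may reach
# each OT segment, and which protocols that segment accepts.
SEGMENT_POLICY = {
    "plc-zone":  {"protocols": {"modbus"}, "from": {"eng-jump"}},
    "scada-dmz": {"protocols": {"https"},  "from": {"eng-jump", "it-lan"}},
}
# Least privilege: actions each role may perform on OT assets.
ROLE_ACTIONS = {
    "engineer": {"read", "write-setpoint"},
    "vendor":   {"read"},
    "sensor":   {"publish"},
}

@dataclass
class Request:
    subject: str           # human user or non-human identity (service, IoT device)
    role: str
    human: bool
    mfa_passed: bool       # required for human identities
    device_attested: bool  # required for non-human identities
    src_segment: str
    dst_segment: str
    protocol: str
    action: str
    encrypted: bool        # transport between IT and OT is encrypted

AUDIT_LOG: list[str] = []  # comprehensive logging: every decision is recorded

def decide(req: Request) -> tuple[bool, str]:
    """Zero-trust policy decision: nothing is trusted by network location alone."""
    seg = SEGMENT_POLICY.get(req.dst_segment)
    if seg is None:
        AUDIT_LOG.append(f"DENY {req.subject} -> {req.dst_segment}: unknown destination segment")
        return False, "unknown destination segment"
    checks = [
        (req.src_segment in seg["from"], "segment not allowed to reach destination"),
        (req.protocol in seg["protocols"], "protocol not permitted in destination segment"),
        (not req.human or req.mfa_passed, "MFA required for human identity"),
        (req.human or req.device_attested, "device attestation required for non-human identity"),
        (req.action in ROLE_ACTIONS.get(req.role, set()), "action exceeds role privileges"),
        (req.encrypted, "unencrypted OT/IT traffic"),
    ]
    for ok, reason in checks:
        if not ok:
            AUDIT_LOG.append(f"DENY {req.subject} {req.action} {req.dst_segment}/{req.protocol}: {reason}")
            return False, reason
    AUDIT_LOG.append(f"ALLOW {req.subject} {req.action} {req.dst_segment}/{req.protocol}")
    return True, "allowed"
```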
The threats are real, and the time is now to adopt zero trust for government OT
Agencies operating OT need clear visibility into their enterprises, a comprehensive understanding of their risks and an efficient, holistic approach to implementing and managing security. In connected environments, the vulnerabilities created by legacy OT devices and systems are glaring, and a zero-trust approach provides the best way to close those gaps.
As mentioned, the government operates a great variety of OT networks, from municipal utilities to nuclear facilities, with everything from building access controls to mail sorting machines and everything in between. The common denominator in securing any of them is ZTA. And the time to implement it is now. Otherwise, catastrophe is a hack away.