Zero Trust for ICS / SCADA Systems | How Does it Work?

Society today is heavily dependent on critical infrastructure that mostly works behind the scenes such as power stations, oil refineries, agriculture operations, mining, water treatment, green energy, transportation, and manufacturing operations. These systems help deliver electricity to power our homes, recharge our phones and vehicles, deliver goods using just-in-time (JIT) manufacturing processes or simply provide clean water.

We live our lives mostly unaware of how critical they are until they stop working. This was demonstrated when cybercriminals shut down the Colonial Pipeline. Over the past decades, many of our critical operations have been automated so that operators can run them as efficiently as possible, enabling them to control and monitor much of their daily tasks. The technology and infrastructure that has helped make all this possible, keep these critical systems running, and provide visibility to engineers fall under the categories of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.

Industrial Control Systems enable operators to monitor sensors on systems such as, for example, in a power station that controls the water pressure, increases or decreases lubricant, opens and closes valves, and ensures the facility is operating as efficiently as possible. On large-scale systems, ICS can also include SCADA systems and programmable logic controllers (PLC) which provide the ability to interact with ICS systems and deliver commands that modify the configurations.

Many so-called air-gapped networks that are no longer air-gapped and the traditional silos known as IT and OT have converged

For many years, most of these critical operations were considered air-gapped, which is a term that indicates that these systems were not connected to the public internet. This means you would not be able to reach them directly without connecting to a dedicated ICS network first or by having to be physically on the same network. However, in recent years, many of these organizations have been accelerating their digital transformations and introducing faster mobile networks and cloud infrastructure. This major shift has resulted in many of these so-called air-gapped networks that are no longer air-gapped and the traditional silos known as IT and OT have converged.

Your vacuum cleaner could be sharing your home floor plan with the manufacturer

Many manufacturers have also forced some of these systems to be connected to the public internet so that data flows can be analyzed to improve services. For example, if you purchase an IoT device today, such as a smart vacuum cleaner, or a power station purchases a diesel engine, you own the physical device. But contracts are changing for those devices whereby the manufacturer owns the data generated by the device. That means your vacuum could be sharing your home floor plan and usage with the manufacturer and the same goes for the diesel engine at the power station. All these changes mean that critical infrastructure is now at increased risk from cyberattacks.

This is probably not news to you since several major critical infrastructure operators have become victims of cyberattacks. These attacks include ransomware victims, such as oil pipelines—which may result in panic buying of petrol—or food manufacturers getting hacked which disrupts the food supply. For years, most have paid little attention to critical infrastructure working behind the scenes. However, now that we see higher risks from cyberattacks,  the vulnerabilities of our critical infrastructure become more visible and impactful in our daily lives.

The focus on critical infrastructure physical security in the past must now adapt by making cybersecurity a top priority.  Recent attacks on critical infrastructure have received the attention at the highest levels of several governments. In May 2021, after several major ransomware attacks on critical infrastructure, the President of the United States Joe Biden issued an Executive Order on improving the nation’s cybersecurity with a clear focus on critical infrastructure. The EO stated, “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT))”.

The Executive Order highlighted the following priorities, demonstrating the importance of ISC and SCADA cybersecurity

• Remove Barriers to Threat Information Sharing Between Government and the Private Sector
• Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
• Improve Software Supply Chain Security
• Establish a Cybersecurity Safety Review Board
• Create a Standard Playbook for Responding to Cyber Incidents
• Improve Detection of Cybersecurity Incidents on Federal Government Networks
• Improve Investigative and Remediation Capabilities

Download the whitepaper: Federal Agencies Meet Executive Order 14028 with Delinea PAM 

Zero trust and least privilege principles guide to cybersecurity

In traditional IT and Cloud systems, the move to a Zero Trust Framework has been a top trend in the industry since it was introduced by Forester in 2010. When I think about zero trust, I automatically hone in on the principle of least privilege, which is an important foundation for a zero trust strategy. For example, the principle of least privilege ensures that the user has the minimum privileges needed to perform a specific task. Combined with continuous verification, enforcing least privilege is essential to building a trust framework that is an integral part of a zero trust strategy. Keep in mind that zero trust is not a product or a solution, but a methodology to building digital trust based on risk.

To its credit, the Executive Order focused heavily on zero trust, and I really like the NSA Guidance on Zero-Trust model as a pathway to achieving a zero trust strategy. That’s because it provides a security model and methodology, not just a checkbox. The NSA model incorporates a maturity model that makes zero trust a continuous journey grounded in a mindset, design principles, processes, and risks.

Download the PDF: NSA Guidance on Zero-Trust – Embracing a Zero-Trust Security Model

Zero trust and ICS/SCADA Systems

The zero trust model in practical terms works great with traditional IT and cloud computing where many systems and applications can work independently. Trust can be established via various protocols such as authentication and authorization standards to determine whether a user is valid and has authorized access to the artifact.  

However, when we apply zero trust to critical infrastructures such as systems running ICS and SCADA controls there is a risk it may cause a major disruption to the services and systems. Many ICS and SCADA control systems are designed to be in production for years if not decades which means they tend to be running legacy operating systems, unpatched and vulnerable to cyberattacks. This is true for our transportation systems as well as plant operations and facilities. The priority of these systems is typically on safety above all others, and we need to start aligning cybersecurity to those same safety standards when it comes to critical infrastructure.

To properly integrate cybersecurity into the safety of services and systems we must take action immediately. Critical Infrastructure operates as an entire system typically made of up many components from multiple vendors, and this means trust is integral to the successful operations of critical infrastructure. Applying zero trust to ICS and SCADA controls could have an impact on the efficient operations of those systems. This means we must adopt a zero-trust approach that will work for critical infrastructure so that security can be more dynamic. The imperative is clear: we must put a zero trust security model around the ICS and SCADA systems or risk living in a world where continuous disruptions can happen anytime, anywhere…

Learn more about Zero Trust and the Principles of Least Privilege in the eBooks below: