System design engineers today are faced with two competing requirements: providing remote access to data, and ensuring system security. Zero trust requirements that have become common in the IT world are starting to be applied to OT systems. A recent white paper from the ISA Global Security Alliance titled “Zero Trust Outcomes Using ISA/IEC 62443 Standards” gives an overview of what’s involved. How can you best comply?
Among others, the paper identifies these controls as necessary for securing OT/ICS networks:
- Network segmentation
- Software-defined networks
- Application layer gateways
- Secure remote access
- Secure protocols
- Endpoint protection
- Enhanced identity access management
Meeting these zero-trust requirements works on two levels: the network and the nodes (endpoints).
For Networks: Secure Tunnel/Mirroring
Secure tunnel/mirroring creates a software-defined network that connects OT to IT and cloud services for one-way or bidirectional data flow. Ideally, such a solution preserves network segmentation by keeping all inbound firewall ports closed (the OT-side node initiates outbound connections only, so nothing in IT or the cloud ever connects in) and by operating seamlessly across DMZs. TLS support (often still labelled SSL) should be taken as a minimum, not a feature. You should also look for data diode hardware support, or at least some kind of software data diode mode as a flexible alternative; keep in mind that a software diode is enforced by code, not by physics, so hardware diodes remain the stronger control where strict one-way flow is required.
For Nodes: Secure Endpoints
Each endpoint in an OT network must be secure. A good zero-trust solution should fully support the built-in security features of the OPC UA and MQTT protocols: for OPC UA, certificate-based application authentication and the Sign and SignAndEncrypt security modes; for MQTT, transport over TLS with client authentication. Additionally, for zero trust, each endpoint should provide multi-factor authentication (MFA), including time-based one-time passwords (TOTP, RFC 6238). To keep things simple and ensure user buy-in and support, look for the ability to import user accounts from an external LDAP (Lightweight Directory Access Protocol) server or a local Windows machine. And for maximum flexibility, check that user access permissions can be configured by connection source (IP address or CIDR range), protocol, or data set, with anything not explicitly permitted denied. Source address should be one attribute among several in the policy, never a substitute for authenticating the user or device.
Implementing zero trust standards when accessing OT data can be done using the right software.