After years in which the U.S. military has primarily focused its “zero trust” approach to cybersecurity on protecting information technology (IT) systems from attack, it is now expanding that focus to include protecting operational technology (OT) systems.
The DoD is working with the Operational Technology Cybersecurity Coalition (OTCC), a diverse group of leading industrial control systems and OT cybersecurity vendors, to solicit input from the industry for recommendations on how to apply zero trust to the department’s OT systems. These include energy management systems supporting military installations and infrastructure control systems supporting DoD water treatment facilities.
Zero trust cybersecurity helps safeguard DoD networks and operations by dramatically decreasing risks, improving network visibility and implementing a strict “never trust, always verify” posture.
In a letter last year to the Senate Armed Services Committee, the OTCC executive director applauded the committee’s legislation directing the DoD to address these issues and noted the importance of public and private collaboration.
With the DoD expected to share its zero trust strategy for OT later this year, the department has an opportunity to rethink its traditional approach to protecting OT through a “build a moat” strategy, virtually separating OT systems from other infrastructure. It also needs to leverage cloud and artificial intelligence (AI) capabilities to increase protection while cutting costs. Any strategy for maximizing the defense of OT networks while managing and cutting costs requires the integration of AI and machine learning capabilities and cloud computing.
The threat to operational technologies
The OT threat isn’t new. In 2010, the highly publicized Stuxnet attack on equipment associated with the Iranian nuclear program showed how devastating these attacks can be.
Despite the damage reported as a result of Stuxnet, the U.S. government and other organizations continue to focus on IT-related threats due to more pressing concerns about data theft and compromise. Companies often put off upgrading OT security because of the expense of full rip-and-replace solutions, opting instead to wait to upgrade security when the systems’ lifecycle ends.
Recent attacks on targets like oil pipelines and water treatment facilities have changed that mindset, forcing more attention on OT. The emergence and growth of technology solutions leveraging AI and the cloud have also contributed to a reassessment of OT protection.
The U.S. has experienced repeated examples of the “build a moat” model failing, as hackers have found ways “around the moat” by accessing external, unprotected OT devices. But AI and cloud capabilities provide unprecedented opportunities for the DoD to keep pace with attacks by adversaries.
An approach to better cyber protection
The DoD must move away from the false sense of security presented by the traditional approach of isolating networks to a converged approach in which IT and OT assets are combined onto the same software-defined networks. This improves the organization’s security posture by giving personnel access to a range of cloud-based security tools delivered as a service.
By leveraging the cloud, organizations can increase the amount of storage and compute capabilities available to users as well as access to commercial cyber intelligence resources. In addition, administrators enjoy the added benefit of centralized security updates that happen virtually and transparently to users.
This approach also allows for access to cutting-edge AI cybersecurity tools. Because AI tools are only as good as the data used to train them, cloud-based AI cyber tools are far more effective than those that reside within isolated environments. One of the lessons from the Stuxnet attack is that the levels of cyber protection gained through a converged approach outweigh the risks of securely connecting to external sources.
How the DoD addresses this topic will reverberate across the industry.
A strong endorsement for leveraging AI and the cloud in its zero trust strategy for OT will spur action across the cybersecurity industry to dedicate resources to building these capabilities into their solutions.
The good news is that it should not be difficult for the DoD to apply its existing zero trust framework for IT to new requirements for protecting OT.
A large portion of the DoD’s controls recommended for IT also apply to OT. The main difference is that IT is very user-based, so concerns are focused on the user population and the data those users store, while OT is more about how devices function. Still, there are many more commonalities than differences when applying these principles to IT and OT.
The increased focus on zero trust for OT signals a positive step forward. The DoD’s zero trust strategy for OT needs to leverage the capabilities of cloud and AI to ensure the strongest defenses possible to stay ahead of adversaries.