A major shift is happening in organizations with operational technology (OT) networks used in environments such as factories and critical infrastructure. Once-siloed "air-gapped" OT and information technology (IT) environments are increasingly connected to meet business requirements, support digital initiatives, and secure remote workers.

Although these connections can enhance production through data sharing and access to new cloud-based tools, this IT/OT convergence gives bad actors easier access to previously air-gapped OT environments, which exposes vulnerabilities and increases security and production risks.

Traditional perimeter-based security has become problematic as organizations move to the cloud, so more organizations are moving from an implied trust to a zero-trust security model. However, many OT organizations struggle to implement zero trust seamlessly across and within their critical infrastructures because OT environments have several unique challenges:

• They often include legacy technology deployed long before cybersecurity was a consideration. Some equipment was designed for years of operation and can be 20-30 years old.
• Whereas IT budgets are optimized to prioritize user access and experience, OT budgets focus on reliability and uptime.
• Lack of standardization leads to OT complexity and a wide range of technology, often operating in less than ideal conditions with a large attack surface.
• Any downtime can result in production loss or interruption of critical infrastructure that may lead to serious health and safety risks.

Even with these challenges, interest in moving to zero trust is high because attacks are increasing. The 2023 Fortinet State of Operational Technology and Cybersecurity Report found that three-fourths of OT organizations reported at least one intrusion in the last year, and nearly one-third of respondents reported being victims of a ransomware attack. Zero trust is also an imperative for U.S. federal government agencies, which must achieve a set of standards based on zero trust by 2024.

Adopting a Zero-Trust Mindset

At a conceptual level, zero trust shifts the security mindset from an implied trusted model to an assumed breached state, where nothing is trusted without verifying. In more practical terms, zero trust refers to a security model in which users and devices are no longer automatically granted access based on their network location. Instead, zero trust focuses on evaluating trust on a per-transaction basis. The degrees of access can be granted to verified users and devices based on the contextual factors surrounding the request, and re-verification or re-evaluation of permissions occurs frequently.

The approaches to implementing a zero-trust model vary, and it can be difficult to evaluate solutions because the common solution acronyms often aren't defined well.

• A zero-trust access (ZTA) solution focuses on identifying and overseeing which users and devices are accessing the network. As more users work remotely and Industrial-Internet-of-Things (IIoT) devices proliferate in OT environments, organizations should continuously verify all users and devices as they access applications and data.
• A zero-trust network access (ZTNA) solution refers to application access in which no user or device is trusted to access an application unless they prove their credentials. Zero-trust network access is often cited as a natural evolution from traditional virtual private network (VPN) tunnels, which assume anything that passes network perimeter controls can be trusted. Unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.

To effectively implement zero-trust in an OT environment, CISOs, plant managers, and other security leaders may need to consider how their industrial automation and control systems operate within the OT environment and any safety-related aspects. For example, in some cases, the warranty language of automation vendors may restrict or limit what can happen on the network. It's also important to verify that the zero-trust technology is compatible with the legacy technology in the OT environments. In many cases, certain OT components, such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs), don't support the technologies or protocols required to fully integrate with a zero-trust implementation. For some OT devices and systems, zero trust may not be practical.

Moving OT to Zero Trust

As IT/OT convergence continues to accelerate, security leaders should evolve into a zero-trust model to keep their OT environments safe from disruptions due to internal or external security events. At a high level, moving OT to zero trust falls into three main categories:

• People:Start raising awareness about IT/OT convergence risks with users and training them on how zero-trust solutions can help secure the organization against opportunist threats.
• Process:Organizations need complete and continuous control over who and what is on the network, including automation vendors and service providers.
• Technology:Evaluate zero-trust solutions for OT environments and be mindful that they may also impact the broader supply chain. Look for a zero-trust security vendor with strong partnerships across the technology ecosystem.

The Fortinet OT Security Platform

To effectively embrace zero-trust, organizations need solutions capable of converged security operations. The Fortinet OT Security platform is an extension of the Fortinet Security Fabric, a broad, integrated, and automated platform that includes secure networking, zero trust, network operations, and security operations solutions. The platform comprises OT-specific solutions ranging from edge products to NOC and SOC tools, along with services to ensure effective and efficient networking and cybersecurity performance and AI-powered OT threat intelligence protects against the latest threats.

Learn about Demystifying Zero Trust in OT,  the OT Security platform, and how Fortinet can help you meet OT security challenges.