The security of our nation’s infrastructure has been a strong focus, with mandates coming from the White House in the form of executive orders and funding being allocated from the Infrastructure Investment and Jobs Act. This is due to utility organizations having become increasingly vulnerable to modern threats given the amount of legacy operational technology (OT) they employ.
OT and internet of things (IoT) technologies were initially designed to deliver speed and transaction efficiency first, with security as a secondary goal. This has made OT and IoT a favorite target for cybercriminals, with a 400% increase year over year, according to Zscaler ThreatLabz research. In fact, 61% of all breaches targeted operational technology-connected organizations.
Consequently, many official agency notifications have been issued, from CISA to the Department of Energy to the EPA. All of these guidelines include similar advice on the path forward:
Reduce exposure to public-facing internet
Develop and exercise cybersecurity incident response
Conduct inventory of OT/IT assets
Reduce exposure to vulnerabilities
To meet these goals, microsegmentation is widely held as the key to stopping the spread of threats from OT into IT. This approach also allows organizations to meet zero trust requirements, advancing this new standard for cybersecurity architecture.
Segmentation on the WAN and the LANZero trust strategy outlines the need for four areas of segmentation.
User segmentation
Workload segmentation
Branch/campus segmentation
Device segmentation
For device segmentation for local traffic not leaving the LAN or the branch, a new method of segmentation is required. Zscaler already delivers user, workload, and branch segmentation via the Zero Trust Exchange in the Zscaler Cloud. For water and electric organizations, the segmentation of these local devices can prove difficult as many times a software agent simply cannot be deployed on the device. These devices could be legacy technology, unable to accept modern agents, or could be owned or operated by third parties, presenting an access challenge. This is why an agentless approach is key to zero trust implementation.
Agentless Zero Trust SegmentationWith our recent acquisition of Airgap, Zscaler enables automatic device discovery and ringfences each device into a “network of one” and classifies them into asset groups (IT, OT, printers, etc.). With classification, technologies can be segmented into logical groups, providing IT and OT separation.
Airgap assumes the role of default gateway for protected VLANs to keep traffic moving. This use of a gateway, rather than a local switch, increases the security with minimal impact on speed (adding only 70 microseconds of latency). This approach replaces east-west firewalls with microsegmentation and allows organizations to:
Auto provision every endpoint
Automatically classify end points into groups
Enforce group-based policies
Enforce policies based on threat level
Zscaler’s technology also includes a ransomware kill switch, disabling non-essential device communication to halt lateral threat movement without interrupting business operations.
More informationThe Zscaler/Airgap Solution Team hosted a Carahsoft webinar that detailed how Zscaler helps organizations employ microsegmentation and operate with zero trust principles. You can check out the webinar for more details and watch a live demo of the solution.
Download the solution brief: Zero Trust Security for Critical Infrastructure.
↧