An explosion of Internet of Things connectivity mandates that security teams rethink threat protection.
The world is more connected than ever thanks to the proliferation of Internet of Things (IoT), connected edge computing devices and the technology that facilitates communication between devices.
Additionally, the term Industrial Internet of Things (IIoT) is used to describe devices and sensors in manufacturing and industrial processes. Then there’s operational technology (OT), a specific category of hardware and software that controls the performance of physical devices.
Cloud security provider Zscaler has seen an increase in the use of its services to secure connected “things.” OT, IoT, and IIoT all have unique requirements in every industry. The same principles that apply to IT security cannot simply be applied in OT environments, because these are a different class of devices. As an example, agents often can’t be loaded on IoT devices, which limits the ability to apply critical security updates quickly.
I recently talked to Deepak Patel, head of OT/IoT/IIoT at Zscaler’s Office of the CEO, to better understand the challenges around connected things and how Zscaler is addressing them. Highlights of the ZKast interview, done in conjunction with eWEEK eSPEAKS, are below.
- When it comes to OT devices, the risk of a breach is much greater than just being taken offline. It could have major business consequences. In an industrial environment, for instance, it could mean the loss of life, limb, and equipment. With OT, there needs to be a separation between the control network and the management network.
- The key is to provide access to systems that connect to the internet without actually connecting them to the network. That’s where zero trust becomes relevant. By applying the principles of zero trust to IoT and OT, whether it’s a user or a device, the identity is validated before the user/device is permitted to connect to the network.
- The majority of breaches in OT environments result from establishing an information highway by connecting two networks together. Zero trust is about connecting an entity to another entity without connecting the networks, which contains lateral threat movement. Companies can choose to add privileged remote access for partners and third parties to avoid exposing the network to threats.
- Take the factory floor as an example. Not everything has to be connected to the internet. There needs to be a separation of management and control, where the whole factory can operate without an internet connection. It’s not about restricting day-to-day operations, but rather separating physical security and cybersecurity.
- Segmentation is widely deployed in corporate networks to minimize the attack surface. In IoT and OT environments like a factory floor, the same rules don’t apply. Segmentation should be approached at the macro level rather than the micro level. A coarse-grained approach would work well on the factory floor, but not in the financial sector or consumer packaged goods. Understanding those nuances is crucial.
- For one customer, Zscaler is supplying a solution that allows third parties to access enclaves in its oil rigs through an isolated mechanism, without setting up VPNs and firewalls. It’s all done over satellite links. Zscaler runs a distributed cloud with more than 150 data centers. Now, when the oil rigs move around, they can still connect to the closest data center.
- Zscaler recently partnered with Siemens to create an all-in-one solution for securing OT environments. The solution, offered directly from Siemens, combines Zscaler’s Zero Trust Exchange cloud security platform and Siemens’ devices. Customers with OT infrastructures can now securely manage factories and monitor quality assurance from any location.
- For those who are thinking about securing their OT environments, Zscaler recommends first starting with the goals. The most common goals for OT are plant and people safety, as well as increasing production. It’s important to come in with a business-oriented mindset versus a generic IT playbook for patching systems.