-
Industrial
- Healthcare
-
Commercial
- Public Sector
- Threat Research
- Partners
-
Resources
Featured Content
- Company
Blog / 11 min read
The Defense Department has committed to the Zero Trust Reference Architecture for defending its mission critical systems across the mission stack, with a fairly aggressive timeline for its first of two levels: the DoD aims to meet its goal of implementing the Target level of the Zero Trust reference architecture by 2027, with the Advanced levels thereafter. Given the breadth of the DoD OT footprint, and the magnitude of having to secure so many systems of systems, we sat down with our colleagues at Aleta Technologies and RMC Global to discuss DoD’s ZTRA. In our conversation, we explored the concept of defensible architectures and how using the ZTRA against the broad and diverse DoD OT footprint creates resiliency for what is most critical and where you are most likely to be attacked.
When evaluating the best steps to applying the ZTRA, the DoD must consider the unique challenges of individual systems within their OT networks and consider the merits of defensible architectures. One can easily imagine how essential Zero Trust is for mission-critical infrastructure, particularly on a military base, across weapon systems, navigation, propulsion, fuel supply, and other control functions. Unlike the repercussions on IT networks, an attack on OT can lead to more dire consequences, including disruption to operations while afloat or afield, which can also impact forces’ safety.
Defensible architecture is a security model in which several cybersecurity measures are layered in a complementary fashion so a system can defend against a diversity of (probable) threats. According to Jim Lutz at RMC Global, this may entail taking some aspects of a traditional perimeter approach such as firewalls or IDS, and coupling them with aspects of Zero Trust to make the network as defendable as possible. One benefit to this strategy is if an adversary is able to breach one system, other methods of detection will be alerted to prevent further lateral movement. This layered approach is crucial in minimizing impact to other systems.
Now that we’ve defined defensible architectures, let’s recap from the webinar the biggest challenges to implementing ZTRA and the solutions that help create a defensible architecture.
1. Differences between securing IT and OT systems
As the ZTRA must necessarily be applied to OT environments, the approach to these OT environments is different from those in a traditional IT network. The consequences alone are vastly different, especially for the cyber-physical systems (CPS) that underpin DoD’s mission-critical operations. For example, adversary access to fueling systems could disrupt a critical air mission. Impact to weapons systems that could lead to catastrophic consequences is far different than the impact of exposing PII, while still important, or temporary disruption to an organization’s internal IT communications.
Likewise, response to an adversary’s ransomware attack is far different between these systems. While an IT network under attack from ransomware can be temporarily taken offline until the damage is addressed, OT systems may allow for only 15 minutes of downtime per year and cannot afford such an approach.
Larry Grate at Aleta Technologies points out an example of the differences, “...a company I’m familiar with was hit with ransomware, but the ransomware required an outbound connection to the internet in order to start the encryption process. They chose to operate for almost six months with their human machine interface systems essentially compromised, but chose to be able to lock down the network and prevent that outbound internet connection to allow the encryption to start because they couldn’t take the downtime to actually go remove the malware from the environment.”
Instead, the threat would be segmented to prevent it from impacting other OT systems in the environment.
Another difference is that the protocols between OT systems are proprietary and traffic or communication is limited to that between specific devices. There are also a large number of legacy OT systems that cannot be patched or otherwise directly secured.
“With OT environments, the traffic is pretty much static, you tend to see the same things hour by hour, day by day. The traffic doesn’t change much, so if you can monitor and do anomaly detection on the traffic, as well as look for malicious threats, it provides an entry point for entering Zero Trust into your defensible architecture,” explained Jim Lutz.
To address these unique challenges in OT environments, solutions include segmentation and microsegmentation, Continuous monitoring and anomaly detection are also key. As the communication traffic for many OT systems doesn’t often change, the ability to monitor for anomaly detection can help thwart an active attack. Ongoing secure remote access for contractors, vendors for maintenance and other key functions.
2. Diversity of DoD cyber-physical systems
As noted, the cyber-physical or OT environments the DoD must secure across their bases, CONUS and OCONUS, are comprised of a wide range of OT assets and systems. From the diversity of systems across the mission stack, fuel supply to air traffic control, building automation to weapon systems, each is more like a system of systems. Therefore, each system will require their own unique approach in applying the ZTRA.
Ryan Welch of Claroty mentioned, “You really have to understand how each system is unique. If you’re focusing on Zero Trust for operational technology, you can’t just copy a strategy that worked for one OT system and paste it into another OT system. You have to look at that system in itself and consider factors like, what is the latency that is required for that system to operate? Because with operational technology you have a safety component, so if you introduce latency you can have a safety significant event where you impact the operator or affect the Department of Defense fulfilling its function.”
There may also be constraints for each system depending on whether they have extra storage or compute systems.
To overcome this challenge, each system requires evaluation for its individual requirements:
Can a new capability be added to this system?
If this capability is added, will it introduce latency?
Does it have the storage and commute resources available to add that capability?
Does it require hardware?
The DoD is currently developing guidelines for how each system is evaluated in order to determine whether Zero Trust capabilities can be used. For example, weapons systems may be easier to physically access than a satellite, but that doesn’t mean they will be easier to modify.
3. The age of OT DoD systems
Another key issue is the fact that some of the OT systems in DoD environments were built decades ago and, given the magnitude of changing them, will not be updated for some time.
“One of the challenges you have to keep in mind in operational technology is service life,” Larry pointed out. “We basically refresh informational technology on a three to five year rotation. We don’t expect a server to live for twenty to twenty-five years. The reality is in operational technology that many of these systems were deployed literally twenty-five years ago. Beyond lacking the memory, it’s probably not an open operating system.”
As a result, they may lack the memory to support ZTRA or may lack an open OS, making the devices difficult or impossible to modify. Often, these systems were not built with security in mind, and have not been configured properly against sophisticated threats. For example, while encryption is a valuable measure of a defensible architecture, some devices aren’t capable of introducing encryption, leaving them vulnerable.
“There are tools out there on the market that help address some of these individually, but there’s no silver bullet to a Zero Trust implementation,” warned Larry. “It’s going to be a solution that’s going to require you to leverage lots of different types of technology to try to address the problem.”
When it comes to retrofitting these older systems, Larry suggested starting from a risk based perspective and initially taking a perimeter approach.
“I think if you fall back on what SANS put together on the five critical controls and you approach that from a Zero Trust perspective. They start with incident response while I might argue you ought to start with a defensible perimeter. I know we’re talking about Zero Trust, which means you’re trying to move away from a perimeter, but if you don’t have anything, I think that’s a great place to start.”
Operational impact must be taken into consideration with older machines, so taking appropriate steps to secure the device without a risk of latency should be prioritized.
4. Risk and threat assessment
In order to determine how each individual device should be secured, it’s critical to fully understand the possible risks to that device. It is also important to determine how exploitable a device is and assess the ways adversaries could possibly exploit it.
Traditionally, risk is assessed through the Common Vulnerability Scoring System (CVSS). However, a successful risk assessment utilizes both CVSS and the Exploit Prediction Scoring System (EPSS), which estimates the likelihood of a vulnerability being exploited. This combined methodology will allow organizations to more effectively, efficiently, and easily understand and prioritize the vulnerabilities that matter most to them.
Another way to approach this is to understand the known ways OT systems have been exploited to date. According to Larry Grate, the MITRE ATT&CK for ICS - based on actual ICS attacks - may be a good place to start. Knowing what could happen will help predict and prevent the same event happening to this system. Risk calculation will help prioritize which systems should be secured first.
5. Time and resource limitations in a DoD environment
Limited time and resources will always be one of the greatest challenges for a mission-critical environment. One such obstacle related to time and resources is the inability to regularly test security measures on OT systems. When so many of these systems are critical to the operations of the environment, downtime may not be possible, making it difficult to adequately test or add capabilities.
“If you take a risk-based or mission-critical approach, it’s hard to take one capability and apply it across all of OT,” Ryan reinforced. “For example, with weapons systems it’s going to be really hard to do microsegmentation, whereas in defense-critical infrastructure in a manufacturing facility or electrical, that ability to lock down those flows is doable. I think the first thing is to say, well what are my crown jewels? What are my assets that are mission critical? What are those systems that are most important for DoD to project and operate its defense forces globally?”
To optimize resources, you can identify the most important systems required to sustain key military operations. Using the vulnerability management framework above to assess risk, consider ways systems have been exploited in the past and prioritize those, pushing resources to the devices that could be most at risk based on past incidents, as suggested.
Conclusion
While applying the ZTRA to the DoD OT environment comes with many challenges, the DoD understands that it’s vital to secure these systems for the safety of all involved. To hear more of the conversation and consider your own approach to your OT systems, access the webinar, DoD OT Defensible Architectures with Zero Trust. And to learn how Claroty specifically enables the DoD to meet the ZTRA requirements, together with the breadth of interoperable solutions from our Technology Alliance partners, download our paper here.
