Zero Trust is a Paradigm Shift

By Srinivas Kumar
Chief Technology & Product Officer at Mocana Corporation


Zero trust is a paradigm shift, and not a disruptive technology. Does it imply decommissioning brownfield devices? Does it require field device updates? Does it require costly upgrades to field devices? Does it mean a quarantine colony for non-compliant devices like network admission controls?

The resistance

First, the economic aspect of device transformation. Zero trust in brownfield (legacy) devices will require a “zero cost” one-touch provisioning without hardware upgrades. With a low footprint (memory and storage) agent, this is technological possible on resource-constrained field devices.

Second, the intellectual aspect of device transformation. Security practitioners believe and agree with zero passwords and the need to digitally authenticate “commands” and by extension “responses” even if unencrypted because of real-time performance (low latency) considerations. There are NIST-approved cryptographic ciphers and network layer protocols to accomplish this without requiring reengineering of line of business (LOB) applications.

Third, the political aspect of device transformation. Device owners want original equipment manufacturers (OEM) to “protect” their devices. OEMs have no financial incentives or compliance mandates to do so on legacy (in-field) devices with a truck roll and field engineers. The network-based detection and prevention methods, software-defined edge (SD-Edge), and secure access service edge (SASE) solutions serve as a beginning on the CISO’s IT budget to “optimize” workflows across information technology and operational technology (OT) systems. However, CTOs and product security architects will have to transform devices for embedded trust in things to build out a horizontal platform for IT/OT/IoT/IIoT systems – the “holy grail” for digital transformation to empower machine learning and artificial intelligence applications.

Cyber insurance companies need to determine how to underwrite policies with infrastructure modernization (greenfield) and infrastructure hardening (brownfield) factored in before they pick up the tab on payouts after a cyberattack on a hybrid ecosystem with inadequate protection. The useful service lifetime of a brownfield device may ultimately determine premature retirement of the device from service with a rip-and-replace policy.

Why zero trust matters

Zero trust is an “explicit” trust model, in contrast to an “implicit” trust model. While authoritative identification and mutual (two-way) authentication are core elements of foundational trust, attestable runtime operational “integrity” is essential for high assurance of trustworthiness. Possession of a driver’s license may suggest that the driver is implicitly trusted, but unless the driver’s “current state of mind” is inspected (e.g., driving under the influence), explicit trustworthiness cannot be inferred.

Similarly, in a peer-to-peer connection connected devices need to convey mutual trustworthiness. This may be accomplished using an immutable identity (from a hardware, firmware, or software-based root of trust), and a certificate issued to the attested identity by a private, public, or closed PKI system (i.e., certificate authority). A compelling reason to use cryptographic keys and certificates correctly is described in this video. X.509 certificates provide several benefits (with security attributes) and may be used in authentication ceremonies with the private key protected on embedded (headless) devices. This helps overcome the stigma of factory default and cached/persisted passwords being exploited to orchestrate sophisticated cyberattacks through unprotected supply chains.

Digitally signed messages help in “tamper resistant” communications between authenticated peers over insecure media and/or transport protocols. Locks were intended to keep honest people honest; thieves break locks! Zero trust is an enhancement to “blind trust” in cyberspace where nation-state and cybercrime syndicates are lurking. Traditional “closed” systems may also be breached through ingress points such as HMI (user) workstations, tablets, smart phones, and portable media (e.g., USB). Today, insider threats are a reality (e.g., a disgruntled employee, malicious actor, espionage, social/political activism, etc.).

Whether systems are loosely coupled (open) or tightly coupled (closed/air gapped), to connect and communicate, establishing a reasonable level of trust provides cyber resilience in cyberspace where hackers are in possession of sophisticated tools and methods to land (infect) and propagate laterally. In fact, with mutually verifiable trust, network-based intrusion detection and firewall policies could be fine-tuned to reduce false positives and true negatives.

The degrees of zero trust

Mocana’s TrustEdge CyberSec described in this video provides a solution without requiring any reengineering of LOB applications that may not be SSL-enabled, for interoperability and scalability in public/private or closed PKI systems (without requiring internet connectivity). It only requires a TCP/IP network stack on the target device. The keys are automatically renewed/rotated at configurable frequency. Certificates are auto-renewed (using the EST protocol – RFC 7030) before expiry or on-demand through Mocana TrustCenter.

Certificates can be used for identification and authentication, with support for use of pre-shared keys provided as an option. The strategy required is to protect the high-value assets that are on the attacker’s radar (e.g., Windows based HMI workstations, Linux controllers). Zero trust is a concept that can be implemented to the “grade” and “degree" of desired safety and protection controls.

Zero trust is not a “all or nothing” value proposition. It is about identifying high/imminent risks and addressing them head-on. Is there a supply chain risk exposure – as was the case in a recently publicized breach? Is there an insider threat that could exploit passwords? Is there an IT policy to rotate pre-shared keys (especially when administrators change)?

Every technology has its pros and cons. TCP/IP, SSL/TLS, blockchain, and certificates are not perfect solutions but were designed with a specific purpose (and objective) in mind and provide reasonable benefits to relevant applications. Similarly, preserving status quo with “do nothing” also has its pros and cons. The real challenge in critical infrastructure and control systems is whether field device interoperability in a multi-vendor ecosystem is addressed through specifications as an industry standard for next-generation device security.

Cybersecurity has always been, and still is, an afterthought based on compliance drivers. In isolated/controlled environment the focus is on physical and logical access controls, and not on the sophisticated tools and methods in the arsenal of determined adversaries. That is why cyberwars are asymmetric warfare – detection is not protection.

The road to zero trust

The solution to address the cyber risks and challenges is not in its entirety a device owner/operator responsibility. The current recurring costs and effectiveness of network-based detection/prevention methods must be scrutinized for incremental value and sustainability. There needs to be a modernization plan on a timeline even if it is based on a rip-and-replace policy rather than retrofitting protection controls to extend the service lifetime of brownfield devices (by another 10+ years). Ultimately, it is for the board of directors and cyber insurance companies to objectively define and implement the “grade” and “degree” of desired safety and protection.


Related Posts:

Download This Blog