In recent years, control systems, the keystones of critical industrial infrastructure, have become increasingly open. Connectivity to information systems, and to the cloud beyond them, is becoming essential. During the process of dealing with these changes, security issues have arisen, and there is a growing interest in how to best implement control system security. Eyes are turning to the concept of “zero trust.” Toshiba Digital Solutions has been at the forefront of building full-fledged zero trust networks from the perspective of cyber resilience, with an eye towards not only the opening of control systems but also the realization of Cyber-Physical Systems. Let’s learn about the need for zero trust networks and Toshiba’s efforts in this area.

Security measures based on perimeter defense are reaching their limits

Many companies are now striving to create Cyber-Physical Systems (CPS) that use the virtual world (cyber) to analyze data obtained from the real world (physical) and create knowledge from it, so that this knowledge can be used to help solve social problems. Critical industrial infrastructure is no exception. In conjunction with the greater adoption of IoT technologies and the growing need to leverage industrial data, industrial control systems (ICS), the linchpins of industrial infrastructure, are becoming more open. ICS must be connected to the outside world, such as information networks and the internet, as the result of this open approach and in order to create CPS.

A rising number of companies see ICS-related industrial data as a management resource. They use the cloud to analyze and visualize industrial data acquired from equipment and machinery sensors, devices, and programmable logic controllers (PLCs). They then use these findings in repairs, maintenance, and failure prediction, as well as in the creation of new infrastructure services.

As this shift continues, security is becoming a pressing issue. In the past, ICS were protected from network-based intrusion by being physically separated from information networks and the internet. However, these ICS, previously physically protected, are now being connected to the outside world, which presents a greater security risk. There have been major security incidents targeting core industrial infrastructure, and reported cases that have impacted our daily lives.

We continue to strive to prevent these incidents from occurring, but we expect that security measures predicated solely on perimeter defense networks, in which security products such as firewalls are installed on the borders between networks, are not enough to protect systems from the increasingly advanced and sophisticated threats that they face. This is why we are turning our attention to the “zero trust” security approach. This approach is based on the assumption that nothing can be trusted. It does not draw perimeters between “external” and “internal” networks, but instead controls access from all networks and continuously monitors the actions of all users and devices (Fig. 1).

Creating a zero trust network requires a mechanism for verifying all elements of networks, such as users, devices, and applications, and proving that they can be trusted. This approach verifies each element accessing the network. It also limits this access to the minimum essential resources of network elements. This ensures security.

The diversification of control system security threats

Until now, security measures for control systems have primarily used perimeter defense, based on the assumption that other parties are not hostile. However, as control systems become more open, control networks need to be able to deal with a greater variety of threats. These include attacks using vulnerabilities in Supervisory Control And Data Acquisition (SCADA) systems, PLCs, and the like, connections from unauthorized devices, spoofing, malware infection via USB memory and maintenance computers, the installation of unauthorized Wi-Fi routers and unauthorized external access via those routers, data tampering and leakage through attacks targeting vulnerabilities in IoT devices, and more. Control networks and information networks are also becoming connected, which presents the threats of external intrusion via information networks and internal attacks from information systems. As the use of cloud computing becomes more widespread, there is also a rising risk of connections from unauthorized devices and spoofing using cloud environments, which can then be used to attack control systems.

Solving these problems using zero trust networks

We build zero trust networks to provide security that solves these problems.

The zero trust approach is predicated on the belief that no one can be trusted. It verifies and monitors all network elements and traffic. For information systems, and even control systems, the perimeter defense security measures used in the past, based on trust, are reaching their limits. If these systems are hit by cyber-attacks, they must have effective mechanisms for minimizing the impact of the attacks and rapidly returning to their normal states. For these reasons, from the perspective of cyber resilience, we believe that zero trust networks are the optimal solutions.

* Cyber resilience is introduced in detail in the first article of this article.

In order to deal with today’s increasingly sophisticated and diverse attacks, we not only use a zero trust approach, but have also defined the security management policies of “risk-based security management,” which prioritizes the handling of risks with high incidence frequencies (likelihoods) and impacts (losses), and “customer zero,” in which we are our own first customers and provide customers with solutions they can trust, based on our knowledge and first-hand experience. We use these three policies to create internal zero trust networks.

The usage environment surrounding internal network infrastructure is changing. In the past, solid security barriers were erected to completely separate internal and external networks. The software development systems used by employees and the information assets used in development were managed within internal networks, whose safety was assured. However, we now engage in innovation activities with partners and external consultants, and increasingly collaborate with customers. Telework has become commonplace in order to combat the spread of COVID-19. It is now vital that people have environments that allow them to access internal networks from home, while on the move, and at other locations. The future will see even greater use of cloud services and Bring Your Own Device (BYOD) approaches.

Because of this, security measures are applied to all access through the use of internet security gateways and authentication services. This makes it possible to use various networks and cloud services safely, without distinguishing between internal and external access.

Our zero trust networks are built on three concepts: “a fundamental design that does not trust any networks but is focused on access control and monitoring,” “making it possible to safely connect to networks any time, from anywhere, by any means,” and “user IDs and devices, location monitoring and management, and application control.”

We first deployed a zero trust network in our internal development environment for developing social infrastructure and mission critical systems (new development network). This network is now in the test operation phase (Fig. 2).

The key points in deploying and using zero trust networks

Here are some of the difficulties and areas requiring further deliberation that we have discovered through our experience with building, deploying, and operating zero trust networks.

The first is the need for a system for fully identifying “who, what, where, when, why, and how.” Achieving this requires the further advancement of the functions offered by the Security Operation Center (SOC), such as expanding the scope of risk monitoring. The second is that consideration must be given to issues such as how to implement access control and account management when preparing the operation rules that will be applied when introducing new solutions. The third is that mechanisms for automating security operation must be implemented and efforts must be made to improve efficiency. Network access and system usage methods vary widely due to differences in the mentality users have regarding security. Operation can be made more efficient by using automation platforms such as Security Orchestration, Automation and Response (SOAR) instead of relying on human decision-making.

The fourth is the importance of user authentication and device authentication. In zero trust networks, security monitoring of user and device behavior is more important than in conventional perimeter defense networks. Zero trust networks require not only reactive security through monitoring, but also proactive security by using monitoring to detect signs of potential risks. The SOC plays an extremely important role here as well.

The most difficult part of building zero trust networks is the creation of technical mechanisms and operational structures. Through our zero trust network test operations, we are identifying all of these issues and using our findings to develop solutions.

While our new development network is still in the test operation phase, by being at the forefront of creating and operating zero trust networks, we are confident that we are moving one step closer to the future of CPS and the realization of cyber resilience for control and information systems.

  • The corporate names, organization names, job titles and other names and titles appearing in this article are those as of March 2021.
