CISA Must Update its latest OT Security Warning and Guidance to Include Zero Trust

On April 14, 2022, CISA published a warning regarding potential denial-of-service attacks that could exploit vulnerabilities in certain OT assets. Specifically, CISA warned that an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. According to the warning, servers with the default configuration, TLSv1.2 and renegotiation enabled, are vulnerable, and the vendors were releasing patches. 

As mitigation, CISA recommends isolating the OT network from the IT network and the internet, and suggests that for remote access, companies use VPNs to securely remotely access industrial manufacturing areas. Yet CISA also cautions that VPNs themselves aren’t infallible and can contain vulnerabilities as well. To me it seems, this advice is limited, and outdated. NIST and many other reputable expert bodies have advocated eliminating the use of VPN and replacing it with Zero Trust Architecture. We must remember that the Colonial Pipeline ransomware attack took place by stealing VPN credentials and getting on the corporate network, moving laterally and finding high-value billing applications, encrypting it, and asking for ransom. The biggest risk of VPN access is that it puts people on the network, hence enabling lateral threat movement. In contrast, Zero Trust Architecture connects authorized users to specific applications, not to the network. 

Beyond the fact that these mitigation strategies are not fail-proof, they also can restrict progress towards factory modernization. Forever hiding the OT network from the IT side and from the internet can mean factories must pass on a whole host of benefits that could otherwise be gleaned from adopting Industry 4.0. This includes the OT/IT convergence, which yields more comprehensive asset management, as well as artificial intelligence-driven production line automation, which yields efficiency gains, better factory uptime, and higher output.  

Fortunately, Zscaler and Siemens have teamed up to design and offer a zero trust approach for secure access to OT assets, including Siemens’ devices. The solution yields increased security and at the same time, maximizes uptime to keep the shop floor, robotics, and automated assets running smoothly even in the face of cyber threats. Specifically, Zscaler Private Access app connector is run alongside the Siemens SCALANCE LPE, offering enterprises the opportunity to layer in zero trust connectivity alongside traditional perimeter-based methods. In most cases, VPNs are able to be replaced with zero trust.
 

Several advantages of the Zscaler Solution that is based on Zero Trust architecture include:

• Secure remote access to plants and machines — Microsegmentation based on zero trust policies allows convenient and secure access to OT/IIoT systems, reducing reliance on VPNs which, as CISA point out, aren’t often updated and can contain vulnerabilities. 
• Privileged remote access for internal and third-party users — Browser-based access allows authorized admins to execute commands from remote endpoints to OT systems over secure and fully isolated connections, without the need to install an agent on the OT systems or any software on the user’s endpoints.
• Seamless integration into existing OT networks — Docker-based app connectors make it easy to deploy secure remote access on industrial control systems (ICS) and industrial network components such as Siemens SCALANCE LPE, as well as other Arm and Intel-based devices.
• Distributed, multi-tenant OT/IIoT security exchange — Zscaler’s solution has the largest security cloud with over 150 data centers worldwide, which enables the fastest connections between users and assets, and supports factories no matter where they are in the world.
• Jump-host alternative. It is often recommended to create a  jump host server in the DMZ so every external connection is terminated in the DMZ, with new connections beginning there via a separate system, that create an internal connection from the jump host server to the end devices. However, jumphosts can be hijacked, providing the attacker access to everything. A zero trust secure remote access solution, in contrast, removes the need for the jumphost and is a far more secure alternative. Powered by a cloud-native zero trust exchange, there is no attack surface for an attacker to target in the DMZ, rendering a setup that is far more resilient with very low risk of disruption.
• Security and stability. Unlike other OT-specific secure remote access solutions, Zscaler Private Access has been in market for 6 years and the Zscaler Zero Trust Exchange for 14 years, yielding a proven and reliable exchange service that governs access.

Siemens already considers the need to layer zero-trust as part of defense-in-depth. Here you can read more about it. I am proud of the work Siemens and Zscaler have done to modernize security for factories. CISA, we strongly recommend you update your guidance to add the zero trust defense layer as well.