ZTNA - For Machine Vendors
Zero Trust, or as I prefer to call it, Zero Implicit Trust, is usually described from the perspective of an IT department in charge of protecting its users and resources. Sometimes this perspective is extended to the shopfloor owner; to dive deeper into this topic I recommend "Zero Trust connectivity in industrial environments", a free whitepaper published by Worldline.
But what if it is not your factory? What does Zero Trust mean for industrial champions that specialize in manufacturing equipment, turbines, robots or even medical devices?
Zero Trust transforms the security requirements of their customers, and governmental guidance, like January 2022’s White House Memorandum, amplifies the pressure. Let’s thus take a look at Zero Trust from the perspective of the powerhouse of the German economy, the classic “Maschinenbau” company.
Note: this is part three of a small series of Zero Trust Network Architecture (ZTNA) related pieces. For a more beginner-friendly introduction to ZTNA, or a (hopefully) fun and insightful journey through some real-world security failures, see:
- Part 1: ZTNA fundamentals
- Part 2: ZTNA hacking time
Industrial Equipment Vendors and Industry 4.0
Let’s start with a brief recap on industrial equipment vendors and the unique transformation they are facing right now.
Maybe a decade ago we could split Operational Technology (OT) and Information Technology (IT) with relative ease. One rooted in the physical world, to control industrial equipment. The other to process data, model the business and manage the company. Today, reality is a bit messier as we see in examples such as the Colonial Pipeline Disaster (ZTNA hacking time). Let’s take a deep breath and look at the unnatural marriage of IT and good old mechanics, the challenges it presents but also the opportunities it creates.
Life expectancy: A principal challenge in converging IT and OT systems is the mismatch in their lifecycles and life expectancies. As an example, we can take the European Train Control System (ETCS), which provides safety and interoperability for national train networks (e.g. emergency stop of a train that crosses a stop signal). This system is fundamental for tightly packed train schedules and for maximizing the capacity of our networks, and thus essential for a European, green future of traveling. But its development started in the mid-90s, a time when GSM was cutting edge and Windows 3.1 powered the personal computer. And we will long have decommissioned Windows 10 before it has been fully rolled out across Europe.
Certified equipment: For critical systems (think medical, energy, defense) it is not uncommon to require certification that includes the software stack. For instance, you wouldn’t want your MRI scanner to restart while you are in it, would you? The issue is that certification can take a lot of time, and this doesn’t go well with the patch hell that a typical IT system presents.
Worldwide footprint: Shipping hardware worldwide can have interesting consequences like embargos, sanctions, national security acts and geopolitics in general. While this is principally true for IT, it’s worse in the physical world. A small company of just some hundred employees might ship the one machine to Taiwan that is crucially needed to produce the next generation of computer chips, and thus find itself at the center of international attention.
If it’s that complicated, why bother at all?
Connectivity & Data Collection: They are at the core of the Fourth Industrial Revolution. Remote Maintenance instead of physical presence and the ability to predict with and learn from data are examples of improving costs and value in the core business of an industrial equipment vendor.
Expert Clusters: An up-sell strategy, where vendors do not only sell hardware and maintenance but also strive to create an excellence cluster of experts that directly improve or generate value for end customers. For instance, vendors of CNC milling machines offer troubleshooting with field experts, and medical equipment manufacturers employ trained radiology personnel to ease labor shortages and improve the utilization of hardware.
Services: The ultimate goal though is to sell services instead of hardware. Remember when Microsoft started selling three sixty-five? It’s happening with your car right now. While some of this is just price gouging, services provide other advantages. They offer predictable income, lessen the risk of a next generation failure and keep your customers close to your company.
In short the potential of this marriage for industrial equipment vendors is to improve what is there, expand to new business areas and most importantly convert a company’s portfolio to full lifecycle.
Applicability of NIST 800-207
An innovative manufacturer will soon find itself sandwiched between two IT departments (vendor and buyer) enforcing their respective company policies and tools. In some cases this will turn into a simple power struggle between two unequal partners and one of the companies has to make an exception. But what if both companies are big enough to implement a serious IT security strategy? What if both of them run their own breed of Zero Trust or if regulatory constraints mandate a Zero Trust compatible solution from the vendor?
Zero Trust is often explained against the castle and moat security metaphor, in the context of one company that protects a few company resources from many subjects, for example access to the ERP system for employees and external consultants.
However, the application of the model is not as straightforward if we look at a full lifecycle industrial vendor and its customers:
- we must consider the security needs of both the buyer and the vendor
- the number of certain resources (machines) might be quite big
- some resources belong to the vendor, for instance analytics services or fleet management
- communication is often between two machines without human interaction
Is Zero Trust applicable at all in such a context? Do both parties need to buy from the same security software company to make things work?
Key Concepts & Model
It helps to remember that Zero Trust as defined by NIST 800-207 is not a single architecture or technological solution but rather “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions […] in the face of a network viewed as compromised”.
The NIST model accommodates devices, applications and other non-human entities as subjects, so that, for instance, machine to machine communication from the shop floor to analytics services is fully covered. Furthermore, the concepts place no limitations on the resource to subject ratio; if such limitations exist in practice, they are an artefact of the concrete implementation. The only real difference is thus that we want to apply the concepts from the perspective of two companies, with subjects and resources belonging to both companies.
Looking back at the key concepts that we defined in the first article of this series:
- Protect data sources and services, not network segments
- Measure, monitor and secure all company associated assets
- All communication is secured
- Access is granted on a per-session basis
- Access policies are dynamic
- Manageable risk for a given purpose
We can see that all of them are in a sense symmetric, i.e. if the property is implemented as part of the Zero Trust strategy of one of the involved companies, it is also fulfilled for the other party.
This is easy to see for a concept like secured communication: proper encryption is obviously beneficial for both companies. For most of the other concepts it boils down to an agreement of equivalence. If the vendor has solutions in place that ensure that all assets with access to the machine are measured, monitored and secured in a manner acceptable to the buyer, the property is fulfilled (and vice versa). Alternatively, Zero Trust implementations can be chained or deployed in parallel, but at increased cost and complexity.
Architectural Approaches & Implementation
The NIST special publication discusses three Zero Trust Architecture variations. Enhanced Identity Governance is least suitable for the discussed scenario, as it would require strong identities beyond the boundaries of the companies. Similarly, Network Infrastructure based solutions are better suited for use within one enterprise - maybe excluding Layer 7 solutions for partial traffic capturing.
The remaining approach is Micro Segmentation for individual resources or groups of resources. This practice is straightforward to implement on the shop floor with either boxed gateways in the form of small industrial computers or by deploying dedicated network infrastructure like IPsec routers. Finally, from a deployment perspective, all four suggested models can play a role in an industrial setup.
- Device Agent / Gateway: fits best if software can be installed on the machines and technician laptops, a classical Remote Service solution
- Enclave Gateway: easiest to implement on the shopfloor, best used to segment a small network with an IPsec router or boxed software gateway
- Resource Portal: best used if control over assets or resources is restricted, for instance in cooperation with 3rd parties or SaaS vendors
- Device Application Sandbox: for smart gateways that contain containerized edge applications that themselves act as individual subjects or resources
NIST specifically doesn’t ask you to choose one approach over the others to implement Zero Trust. Different deployment models and architectural styles can be combined to achieve bi-directional cross-company connectivity with manageable risk for a given purpose.
Desirable Implementation Properties
Given all of that, what are building blocks and attention points for your move to Zero Trust?
Boxed software on an edge device or classical IPsec routers can both be used to implement enclave style deployments, with the added benefit that they also address life expectancy and certification concerns. If frequent updates are not an issue, software based solutions can also be used in agent style setups. Chaining capabilities towards existing customer connectivity solutions and an ability to address political influence spheres with regional hosting and traffic routing complete the picture.
A baseline for Industry 4.0 is a thorough ability to provide remote service. Per-session access must be ensured with a scalable authorization metaphor that works for many protected resources, including granting, delegation and revocation mechanisms. Practical examples of dynamic access factors are time based constraints like maintenance windows or temporary holiday replacement grants. Finally, a flexible identity management integration with customer domains can relieve technicians from tedious password management while improving overall security.
Automated Data Collection
The next step for the vendor is data collection for more advanced services like predictive maintenance. Per-session access as well as capabilities like blacklisting of embargo countries or integrated contract and data protection management are required to address legal and political challenges. Automated virus scanning and a reduced attack surface (compared to universal access) help to reduce the managed risk.
Machine to Machine Connectivity
For full lifecycle services, connectivity and authorization properties must be applicable to machine subjects that access resources autonomously. Like their human counterparts, machines should be uniquely identified and authorized. Their access to resources should be monitored and narrowly restricted. In contrast to IT assets, a much longer productive life and ultimately more violations of asset security have to be factored into the equation. A machine connector must carefully balance inevitable deviations with countermeasures like monitoring, least privilege principles and mitigation strategies.
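The properties described above (per-session decisions, granting, delegation, revocation, maintenance windows, an embargo deny list, and machines as subjects) can be sketched as a small policy decision point. This is an added example, not code from the original article or from any product; the class and field names, the identity strings and the region code "XX" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

EMBARGOED_REGIONS = {"XX"}  # constructed placeholder, not a real country code

@dataclass(frozen=True)
class Grant:
    grant_id: str
    subject: str           # human or machine identity, e.g. "machine:press-07"
    resource: str          # one machine or service, never a network segment
    action: str
    not_before: datetime   # start of the maintenance window
    not_after: datetime    # end of the maintenance window
    parent: Optional[str] = None  # set when the grant was delegated

class PolicyDecisionPoint:
    def __init__(self):
        self.grants, self.revoked = {}, set()

    def grant(self, g):
        self.grants[g.grant_id] = g

    def delegate(self, parent_id, grant_id, subject, not_before, not_after):
        p = self.grants[parent_id]
        # The delegate inherits resource and action; its window is clipped to the parent's.
        self.grant(Grant(grant_id, subject, p.resource, p.action,
                         max(not_before, p.not_before), min(not_after, p.not_after), parent_id))

    def revoke(self, grant_id):
        self.revoked.add(grant_id)

    def _valid(self, g, now):
        # Bounded walk up the delegation chain: a revoked, expired, missing or
        # cyclic ancestor fails closed.
        for _ in range(len(self.grants)):
            if g is None or g.grant_id in self.revoked or not g.not_before <= now <= g.not_after:
                return False
            if g.parent is None:
                return True
            g = self.grants.get(g.parent)
        return False

    def decide(self, subject, resource, action, region, now):
        # Called for every session request, so revocation takes effect immediately.
        if region in EMBARGOED_REGIONS:
            return False, "embargoed region"
        for g in self.grants.values():
            if (g.subject, g.resource, g.action) == (subject, resource, action) \
                    and self._valid(g, now):
                return True, g.grant_id
        return False, "no valid grant"  # default deny
```

Revoking a parent grant invalidates every grant delegated from it, which is what makes a temporary holiday replacement safe to hand out.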
Zero Trust is often described in the context of the IT landscape of a singular corporate entity. For machine vendors this narrow context must be expanded to describe the interaction between two companies. A Micro Segmentation architecture is a suitable path to integrate a Zero Trust compliant vendor into the Zero Trust environment of its customers. An ideal implementation will care for the specific needs and characteristics of the shopfloor while upholding Zero Trust key concepts.