Trust Strategies in OT
June 2022
How do we define Trust?
The fundamental principle of Zero Trust is “Never trust, always verify”. Translating this ideology into the OT
space would mean that unlike the traditional hierarchical approach, legacy systems can be placed into zones
as per their functions and dependencies.
Attacks on industrial control systems have grown significantly in the past decade. Ransomware and supply chain attacks are not only IT problems anymore but are making ripples in the operational technology (OT) security space too.
Security approaches now require a second look as attacks become more sophisticated and targeted. The industry has already seen multiple strategies but, like a swinging pendulum attaining equilibrium, balancing the right security and business requirements requires the right mix of parameters.
New approaches to security in OT environments are often avoided due to the fear of additional overheads and the need for organizations to rebuild their legacy infrastructure.
Before organizations move to adopt the Zero Trust approach, there is a need to get back to the basics. Inherent challenges within the existing setup, such as understanding what assets are in the network or identifying misconfigurations, need to be addressed. Segmentation and appropriate creation of effective demilitarized zones (DMZ) will be important to the success of the Zero Trust implementation.
While the Zero Trust approach has its advantages, it is not so simple to adopt in the OT environment, especially as you go down to the lower levels of the Purdue Model. At EY, we understand the challenges in OT environments and have designed an approach keeping safety and availability in mind.
Zero trust architecture is fundamentally different and segregates each resource and device. It is a shift from a perimeter security approach to a more access-based security approach.
Business drivers and challenges accelerating the need for Zero Trust
Complex environments: Rapid digitalization of different industries offers several benefits that include cost savings by lowering
operating cost and optimizing resource utilization; higher performance through better KPIs for efficiency drivers; improved flexibility
through access to real-time data; increased operational standards; and enhanced security orchestration.
IIoT/Industry 4.0
Push towards digital transformation: An increased use of emerging technologies, such as Cloud and machine learning,
increases the surface area for potential vulnerabilities and the need to keep security at the heart of modernization.
EY Zero Trust Framework
In order to determine an effective zero trust strategy, it is imperative to first define the foundational pillars.
The ZT OT framework takes into account multiple perspectives, including the impact of hyperconvergence on
the Purdue model, knowing the mission critical assets and data paths, limitations and compatibility with
existing technologies, and visibility across IT, OT and Industry 4.0.
ZT OT Operating Model
Solutions
with strong authentication and least privilege
• Takes into account certification management, PKIs
• Monitor and enforce device health, restrict access from vulnerable & compromised devices
validation of secure configuration options
• Least privilege access to the critical applications
• Monitoring of unused ports and services, accounts in applications
• Assess for version, configuration, and protocols used
harden defence, use telemetry to detect attacks and anomalies, and automatically block and flag risky behaviour and take protective actions
• Multi-level & micro segmentation with real-time threat protection, end-to-end encryption, monitoring, and analytics
• Data should be classified, labelled, and encrypted, and access restricted based on those attributes
Capabilities
Leveraging EY Zero Trust Framework, we have designed an approach that
of Trust and Security. The Circle of Trust is EY approach to creating a new security strategy for our OT customers and the systems within.
1. Evaluate: Assist clients in assessing existing capabilities/readiness for adoption
3. Architect: Develop technical architectures
4. Implement: Assist with implementation of security controls
5. Monitor, Manage & Maintain: Manage and operate select Zero Trust capabilities across the framework
Evaluate
• Back to the basics
• Know your identities
Architect
• Define the policy
• Plan the flow
Implement
• Integrate
• Sustain
Key Contacts
Jacek Walaszczyk, Senior Manager, OT/IoT Security, Ernst & Young sp.zoo Consulting sp.k
Amit Lather, Senior Manager, Zero Trust Security Leader, Ernst & Young LLP
Sonia Francisco, Manager, OT/IoT Security, Ernst & Young LLP
EY | Building a better working world
EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.
ey.com