
Demystifying Zero Trust Strategies in OT

June 2022

How do we define Trust?
The fundamental principle of Zero Trust is “Never trust, always verify”. Translating this ideology into the OT
space would mean that unlike the traditional hierarchical approach, legacy systems can be placed into zones
as per their functions and dependencies.

Zero trust architecture is fundamentally different and segregates each resource and device. It is a shift from a perimeter security approach to a more access-based security approach.

Attacks on industrial control systems have grown significantly in the past decade. Ransomware and supply chain attacks are not only IT problems anymore but are making ripples in the operational technology (OT) security space too.

Security approaches now require a second look as attacks become more sophisticated and targeted. The industry has already seen multiple strategies but, like a swinging pendulum attaining equilibrium, balancing the right security and business requirements requires the right mix of parameters.

New approaches to security in OT environments are often avoided due to the fear of additional overheads and the need for organizations to rebuild their legacy infrastructure.

Before organizations move to adopt the Zero Trust approach, there is a need to get back to the basics. Inherent challenges within the existing setup, such as understanding what assets are in the network or identifying misconfigurations, need to be addressed. Segmentation and appropriate creation of effective demilitarized zones (DMZ) will be important to the success of the Zero Trust implementation.

While the Zero Trust approach has its advantages, it is not so simple to adopt in the OT environment, especially as you go down to the lower levels of the Purdue Model. At EY, we understand the challenges in OT environments and have designed an approach keeping safety and availability in mind.

Business drivers and challenges accelerating the need for Zero Trust
Complex environments: Rapid digitalization of different industries offers several benefits that include cost savings by lowering
operating cost and optimizing resource utilization, higher performance through better KPIs for efficiency drivers; improved flexibility
through access to real-time data; increased operational standards and enhanced security orchestration.

Legacy systems: Most of the ICS components used today were manufactured without any or limited security features and are easily 20 to 30 years old.

Insecure by design: Traditionally, OT/ICS communications are not authenticated and protocols are unencrypted during transit. A majority of the ICS systems utilize proprietary and vendor-specific protocols.

Supply chain: The increasingly global vendor landscape further creates complexities as companies manage new risks across a wide range of IT and OT environments.

New strategies to keep systems safe: Safety, reliability and availability of the system are critical to any security solution implementation.

Latency issues that arise when legacy systems or high-speed real-time operating systems are used with multiple firewall rules and ineffective micro segmentation.

New technology: Peer-to-peer and mesh network technologies do not complement the zero trust model due to their shared access nature.

Push towards digital transformation: An increased use of emerging technologies, such as Cloud and machine learning, increases the surface area for potential vulnerabilities and the need to keep security at the heart of modernization.

[Diagram labels: Zero Trust & OT; OT/IT Convergence; OT/ICS assets; Safety; New Technology; IIoT/Industry 4.0; Overall; Industry perspectives; Change in services]

Every user, device and interaction is treated as a potential threat. Hence, all the connections or conditions are required to be continuously monitored and validated in order to see if they are legitimate.

There are several industry guidelines and best practices that are incorporating Zero Trust concepts. For example, the National Institute of Standards and Technology (NIST) publication 800-207 for zero trust architecture shows a roadmap to introduce and implement zero trust.

The capabilities or features such as log storage need to be designed in a way that analytics, monitoring, encryption, auditing, etc. can be automated to reduce overheads.

EY Zero Trust Framework
In order to determine an effective zero trust strategy, it is imperative to first define the foundational pillars.
The ZT OT framework takes into account multiple perspectives that include the impact of hyperconvergence on
the Purdue model, knowing the mission critical assets and data paths, limitations and compatibility with
existing technologies, and visibility across IT, OT and Industry 4.0.

ZT OT Operating Model

Solutions

Telemetry and analytics
• Security information & event management (SIEM)
• Advanced Threat Protection (IDS/IPS, endpoint security etc)
• User and entity behaviour analytics (UEBA)
• Data Loss Prevention (DLP)

Automation and orchestration
• Threat and vulnerability response
• Security incident management
• Operations automation
• Auto-remediation

Pillars

Users & Devices
• Considers physical assets, devices, users and systems
• Verify and secure every identity with strong authentication and least privilege
• Takes into account certification management, PKIs
• Monitor and enforce device health, restrict access from vulnerable & compromised devices

Applications
• Run time monitoring for anomalies, control of user actions and validation of secure configuration options
• Least privilege access to the critical applications
• Monitoring of unused ports and services, accounts in applications

Infrastructure & Network
• Asset and network discovery to determine the accessible systems in the site/facility
• Assess for version, configuration, and harden defence, use telemetry to detect attacks and anomalies, and automatically block and flag risky behaviour and take protective actions
• Multi-level & micro segmentation with real-time threat protection, end-to-end encryption, monitoring, and analytics

Data
• Considers communication channels and legacy protocols used
• Data should be classified, labelled, and encrypted, and access restricted based on those attributes

Capabilities
• Identity Governance
• Advanced Access Control
• Segmentation
• Monitoring

Governance, Policies & Standards

EY Circle of Trust

Leveraging the EY Zero Trust Framework, we have designed an approach that combines the ideas of Zero Trust with the core requirements of OT: Safety and Security. The Circle of Trust is the EY approach to creating a new security strategy for our OT customers and the systems within.

1. Evaluate: Assist clients in assessing existing capabilities/readiness for adoption
2. Strategize: Develop strategic roadmaps/actionable recommendations
3. Architect: Develop technical architectures
4. Implement: Assist with implementation of security controls
5. Monitor, Manage & Maintain: Manage and operate select Zero Trust capabilities across the framework

Evaluate
• Back to the basics
• Know your identities

Strategize
• Create the balance
• Consequence prioritization

Architect
• Define the policy
• Plan the flow

Implement
• Integrate
• Sustain

Monitor, Manage & Maintain
• Components and KPIs that are critical to success

Key Contacts

Piotr Ciepiela
EY Global Consulting Cyber Architecture, Engineering & Emerging Technology Leader

Steve Lam
EY Asia-Pacific Advisory Cybersecurity IoT/OT leader

Doug Clifton
Executive Director, Cybersecurity
Ernst & Young LLP

Jacek Walaszczyk
Senior Manager, OT/IoT Security
Ernst & Young sp.zoo Consulting sp.k

Amit Lather
Senior Manager, Zero Trust Security Leader
Ernst & Young LLP

Sonia Francisco
Manager, OT/IoT Security
Ernst & Young LLP

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

© 2022 EYGM Limited.
All Rights Reserved.

EYG no. 004749-22Gbl
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.

ey.com
