The Cloud Security Alliance (CSA) has released a new paper, “Zero Trust Guidelines for Critical Infrastructure,” examining the application of Zero Trust principles in operational technology (OT) and industrial control systems (ICS).
This paper was developed by CSA's Zero Trust Working Group and focuses on bridging the gap between traditional IT security approaches and the specific requirements of critical infrastructure sectors, which are increasingly exposed to cyber threats due to digital transformation. This transformation involves the integration of operational technology and IT systems, requiring more sophisticated security solutions.
The Zero Trust Guidelines for Critical Infrastructure provide a roadmap for implementing Zero Trust principles in OT/ICS settings. This includes the CSA's recommended five-step process: defining the protection surface, mapping operational flows, building a Zero Trust architecture, creating Zero Trust policies, and monitoring and maintaining the network. These steps are consistent with best practices outlined in the NSTAC Report to the President on Zero Trust and Trusted Identity Management.
“The Zero Trust strategy is a powerful way to fortify critical OT/ICS systems against increasingly sophisticated adversaries as they can keep pace with rapid technological advances and an evolving threat landscape,” said Jennifer Minnella, lead author of the study and a member of the Zero Trust Working Group Leadership Team. “We hope that this set of guidelines will serve as a useful tool for communication and collaboration between those teams charged with cybersecurity policies and controls and the owners and operators of operational and industrial control systems.”
The document provides a detailed examination of the inherent differences between traditional IT systems and OT/ICS systems, including aspects such as network design, hardware diversity, and specific security requirements. It also provides a step-by-step implementation guide with actionable insights for deploying Zero Trust in these settings. This includes guidance on identifying critical assets, mapping data flows, building a custom Zero Trust Architecture (ZTA), policy formulation, and the nuances of continuous monitoring within an OT/ICS context.
Joshua Woodruff, another lead author of the paper and a member of the Zero Trust Working Group leadership team, commented: “In an environment where security is both critical and clearly challenging, Zero Trust is not just a security upgrade but a necessity. By outlining the practicalities, specific strategies, and methodologies designed to implement Zero Trust strategy in CI environments, we help ensure resilience and security amidst the rapidly evolving digital technology and threat landscape.”
CSA's Zero Trust Working Group continues to develop standards for consistency across cloud, hybrid, user endpoint, and OT/ICS/IoT environments. Their discussions cover the benefits and architecture of Zero Trust, automation, maturity models, literature reviews, and industry events. The group invites individuals to join future research and initiatives.