Distributed ZTNA enables simple and scalable secure remote access to OT assets



Zero trust network access (ZTNA) is the ideal alternative to cellular gateways and VPN solutions for remote access.
But in OT environments, ZTNA needs to be distributed.


Remote access is critical for operations teams to manage and troubleshoot operational technology (OT) assets without time-consuming and costly site visits. In many organizations, machine builders, maintenance contractors, or the operations teams themselves have installed their own solutions: cellular gateways that nobody knows about, or remote access software that IT isn't controlling.

These backdoors are at odds with the OT security projects undertaken by the IT/CISO teams and create a shadow-IT situation which makes it difficult to control who is connecting, what they are doing, and what they can access.

On the other hand, Virtual Private Networks (VPNs) installed by IT teams in the industrial DMZ (iDMZ) have the drawback of being always-on solutions with all-or-nothing access to OT assets. This makes it challenging to control when someone connects and what they have access to without using jump servers to manage sessions and complex firewall rules that must be regularly updated to prevent wide-open access.

Industrial organizations are starting to deploy Zero Trust Network Access (ZTNA) solutions as alternatives to always-on VPNs. ZTNA is a security service that verifies users and grants access only to specific resources at specific times based on identity and context policies. It starts with a default deny posture and adaptively provides the appropriate trust required at the time.

The solution consists of a ZTNA trust broker, typically a cloud service, that mediates connections between remote users and OT assets. The trust broker communicates with a ZTNA gateway deployed in the industrial network. The gateway establishes an outbound connection to the trust broker, which in turn cross-connects to the remote user, thereby creating a communication path to the OT assets in the proximity of the gateway. Because the gateway only ever dials out, no inbound firewall opening toward the OT network is required.

In field networks like traffic control cabinets at roadway intersections, or utility pole-mounted capacitor bank control cabinets, installing dedicated ZTNA gateways isn't an option because space is an issue. Even when space is available, having to maintain dedicated ZTNA gateway hardware just to access a few OT assets places an unwanted burden on customers.

In larger industrial networks, such as manufacturing plants, the ZTNA gateway is centralized in the iDMZ to avoid the cost and complexity of distributing dedicated hardware in the OT network. But this centralized architecture places the ZTNA gateway too far from the OT assets and suffers the same drawback as the legacy VPN design:

  • In such environments IP addresses are often reused, and many assets sit behind NAT boundaries, which makes them unreachable to a ZTNA gateway in the iDMZ. The complexity now falls on the end customer to expose these private IPs to the higher layers of the Purdue model.
  • In addition, because the ZTNA gateway is far from the OT assets, preventing lateral movement of remote users between OT assets becomes challenging: once a user reaches one asset, nothing between that asset and its neighbors is enforcing the policy.

Both these aspects negate key tenets of ZTNA, namely resource isolation and limiting lateral movement.

With Secure Equipment Access (SEA), Cisco is solving the challenges of deploying secure remote access to operational assets at scale. It embeds the ZTNA gateway function into Cisco industrial switches and routers, making secure remote access capabilities very simple to deploy at scale. There is no point hardware solution to source, install, and manage. No complex iDMZ firewall rules to configure. Enabling remote access is just a software feature to activate in your Cisco industrial network equipment.

Distributing the ZTNA gateway function anywhere in the network lets you remotely access every asset. The Cisco industrial switch or router that provides secure and reliable connectivity to OT assets now also provides zero trust remote access to those assets, regardless of their IP address or your NAT strategy. And the same network equipment can also enforce micro-segmentation policies to prevent lateral movement in case the asset is used as a jump host. Only Cisco offers such an advanced security capability in industrial switches and routers today.

Managing a large number of ZTNA gateways across your operational environment is easy. Cisco Secure Equipment Access comes with a cloud portal that centralizes gateway management and configuration of remote access policies. It acts as the ZTNA trust broker, verifying users and granting access only to specific resources based on identities and context.


Remote employees, vendors, and contractors connect to the Secure Equipment Access cloud portal where they are authenticated and offered access only to the devices you choose, using only the protocols you specify, and only on the days and times you allow.

Remote access sessions start with a default deny posture, and Secure Equipment Access adaptively provides the appropriate trust required at the time. Assets are hidden from discovery and lateral movement is blocked. IP addresses are never exposed in the iDMZ, further reducing your attack surface.

Operations administrators can easily create credentials to meet their business needs and grant access to OT assets in two different manners:

  1. Clientless ZTNA. Users just need a web browser to access remote OT assets using RDP, VNC, HTTP/S, SSH, or Telnet.
  2. Agent-based ZTNA (which we call SEA Plus). Cisco SEA establishes a secure IP communication channel between the user's computer and the OT asset so any desktop application can be used for advanced tasks, such as file transfer or PLC programming with native applications.

Cisco Secure Equipment Access is designed to enforce strong zero trust security policies and provide advanced monitoring and compliance capabilities:

  • Multifactor authentication (MFA) to address the risk of stolen credentials.
  • Single sign-on (SSO) to streamline the user experience and enforce strict user policies from a centralized location.
  • Device posture check to assess the remote user's security posture and only grant access to hosts with, for instance, malware protection software installed.
  • Session monitoring with the ability to join a session and view in real time what a remote user is doing.
  • Session termination, offering administrators the ability to kill an active session.
  • Session recording to go back in time and watch what remote users did.
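The access model described above (default deny, access only to chosen devices over specified protocols within an allowed day and time window, MFA and device posture as preconditions) can be made concrete with a small policy evaluator of the kind a trust broker runs before cross-connecting a user to a gateway. This is an added example written for this page, not Cisco Secure Equipment Access code: the users, groups, assets and policies are constructed, and a real broker would additionally bind the decision to a session and to the specific gateway that fronts the asset.

```python
"""Illustrative ZTNA access-policy evaluation (added example, not vendor code).

A request is denied unless some policy explicitly grants this identity this
asset, over this protocol, inside the permitted window, with MFA satisfied
and (where required) the endpoint posture acceptable. Assets are referenced
by broker-side name, never by IP, so nothing about the OT addressing leaks.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    group: str              # identity group the rule applies to (constructed)
    asset: str              # asset name as known to the broker, not an IP
    protocols: frozenset    # protocols a session may use to this asset
    days: frozenset         # 0 = Monday ... 6 = Sunday
    start_hour: int         # inclusive, local time at the site
    end_hour: int           # exclusive
    require_posture: bool = True


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    asset: str
    protocol: str
    when: datetime
    mfa_passed: bool
    posture_ok: bool


# Constructed policies: a PLC vendor gets business-hours HTTPS/SSH to one PLC;
# the in-house ops group gets round-the-clock VNC to a field controller.
POLICIES = [
    Policy(group="plc-vendor", asset="line3-plc",
           protocols=frozenset({"https", "ssh"}),
           days=frozenset({0, 1, 2, 3, 4}), start_hour=8, end_hour=18),
    Policy(group="ops", asset="intersection-42-controller",
           protocols=frozenset({"vnc"}),
           days=frozenset(range(7)), start_hour=0, end_hour=24,
           require_posture=False),
]


def decide(req: AccessRequest, policies=POLICIES) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not req.mfa_passed:
        return (False, "mfa required")
    reasons = []
    for p in policies:
        if p.group not in req.groups or p.asset != req.asset:
            continue  # policy is about someone else or something else
        if req.protocol not in p.protocols:
            reasons.append(f"{p.group}: protocol {req.protocol} not permitted")
            continue
        in_window = (req.when.weekday() in p.days
                     and p.start_hour <= req.when.hour < p.end_hour)
        if not in_window:
            reasons.append(f"{p.group}: outside permitted window")
            continue
        if p.require_posture and not req.posture_ok:
            reasons.append(f"{p.group}: endpoint posture check failed")
            continue
        return (True, f"{req.user} -> {p.asset} via {req.protocol} (policy {p.group})")
    # No policy granted the request: report why candidates failed, or default deny.
    return (False, "; ".join(reasons) or "no matching policy (default deny)")


def visible_assets(groups, policies=POLICIES) -> set:
    """Assets the portal lists for this identity; everything else stays undiscoverable."""
    return {p.asset for p in policies if p.group in groups}


if __name__ == "__main__":
    vendor = AccessRequest("alice@vendor.example", frozenset({"plc-vendor"}),
                           "line3-plc", "https", datetime(2024, 3, 5, 10, 0),
                           mfa_passed=True, posture_ok=True)
    print(decide(vendor))
    print(visible_assets(vendor.groups))
```

The evaluator never consults a network address: the broker resolves the asset name to the gateway that fronts it, which is what lets overlapping or NAT-hidden OT address space stay invisible to the remote user.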

We will detail these features in upcoming blog posts over the next few weeks. Make sure you subscribe to our OT Security newsletter to receive them in your inbox. In the meantime, learn more about Cisco Secure Equipment Access (SEA), and check out our Cisco Validated Design Guide for help on how to implement ZTNA in your operational environment.
