Zero Trust in Operational Technology

So what is the Critical National Infrastructure (CNI) in the UK. Its generally defined as a facility, service, information, network, process or people that daily life depends on and if unavailable would have a massive impact on society.  

For example, the energy sector is part of the UK’s Critical National Infrastructure sector which means that it is vital to daily life for all UK residents.

This of course makes it a target for cyber-attacks. These attacks could have devastating consequences. A successful attack on the national grid could disrupt the electricity supply causing widespread energy blackouts.

Industrial Control Systems (ICS) or Operational Technology (OT) are the technology that is used to manage and administer the majority of systems in the energy industry. These systems are increasingly being connected to the internet which they were not historically designed for. This makes them vulnerable to cyber-attacks. For example, an attacker could exploit a known vulnerability and gain access to an ICS and manipulate the system to cause a malfunction or shutdown.

Cyber security in the energy industry is a complex issue, as touched upon above the systems are often old and not designed with internet cyber security in mind. This makes it difficult to retrospectively implement effective security measures, and it is often necessary to retrofit existing systems with new security technologies.

To be fair, the energy industry is taking steps to improve the Cyber Security of its ICS. For example, many companies are implementing network segmentation, which involves dividing the network into smaller, more secure segments. This makes it more difficult for attackers to gain access to critical systems and allows the company to detect and respond to any breaches that do occur more easily.

Another important aspect of industrial control cyber security in the energy industry is the need for regular testing and monitoring. This includes testing the systems for vulnerabilities and monitoring the network for any suspicious activity. By regularly testing and monitoring their systems, companies in the energy industry can stay ahead of potential cyber threats and reduce the risk of a successful attack.

One approach we recommend here at Third Party Cyber Security (TPCS) for improving industrial control security is the adoption of a zero-trust model.

In a zero-trust model, access to systems and networks is strictly controlled and only granted on a need-to-know basis. Access to systems is based on strong authentication and the least privileges principle. This means that even if an attacker can gain unauthorised access to a system, they will not be able to move laterally within the network and access further critical systems. This can greatly reduce the risk and impact of a successful cyber-attack and make it easier for companies in the energy industry to defend against threats. In zero-trust we assume a security breach and develop your approach to minimise the blast radius of any such incident.

You will no doubt hear lots about zero-trust these days and it is something we at TPCS are experts on. If you work within the UK Energy sector or indeed in any of the UK’s 13 critical national infrastructure industries, or are just interested in learning more then please do reach out to us for further information or support.

TCPS can provide expert guidance within the CNI sector and can support by implementing robust and regularly updated cyber security functions that include elements such as strong cyber policies and cyber security incident response plans. We can also conduct regular cyber risk assessments to identify and prioritise vulnerabilities and misconfigurations, an important aspect of maintaining the cyber security of any organisation.