Access to operational technology (OT) systems is too broad.
Many enterprises have fallen victim to security breaches due to attackers exploiting vulnerabilities of traditional VPNs and other appliance-based security solutions used to provide remote access to operational technology (OT) systems or Industrial Control Systems (ICS). Whether it's due to ransomware, malware, or malicious third-parties, the results are the same: costly security breaches that put production lines at risk and have a negative impact on company revenue and brand reputation.
With most remote access solutions, employees, contractors and third-party partners are granted full network access into the OT networks. In most cases, remote access solutions like VPN are putting the OT or ICS systems at risk by keeping access available 24/7 on the internet. These overprivileged users introduce high risk to the production environment because you do not ultimately control them while they are on your OT network.
So how do you provide secure remote access to your ICS systems, while allowing for timely maintenance of your production lines, without providing them full access to your OT network?
Vendors only need to access their specific ICS systems, so why introduce them to the OT network?
We know it’s risky to extend full and lateral OT network access to all users, but you need to provide them with access to their specific OT systems. The solution is to decouple OT systems management software access from the network, while segmenting access based on individual users and apps. The only way to achieve this is through zero trust network access (ZTNA) technology.
While most remote access solutions based on the Purdue reference model for OT networks are network-centric, ZTNA focuses on providing secure connectivity between the user—employee, third-party partner, or contractor—and authorized enterprise applications, never the network. The result is microsegmented access to OT systems that maintains security while reducing risks from overprivileged third-party access.
Before: Employees, vendors and contractors were given lateral network access, exposing the OT systems to unnecessary risk.
After: Zero trust access only gives users access to authorized ICS Systems, not the OT network.
Before: Remote access solutions required a client be downloaded on either a managed or personal device.
After: Regardless of the device or location, a user can simply leverage a browser to gain access to authorized ICS systems.
Reduced Attack Surface
Before: Remote access solutions were prone to attacks with many vulnerabilities. Unpatchable OT system software magnified this risk.
After: ZTNA solutions eliminate this attack surface by making the OT systems invisible. The best defense against unpatchable OT systems is to maintain the best possible air gap between IT and OT.
Eliminating remote access risk is easy with a zero trust network access (ZTNA) service
Secure remote access for OT systems enabled by Zscaler Private Access is a ZTNA service that takes a user- and application-centric approach to OT security. Whether a user is an employee, contractor, or third-party partner, ZPA ensures that only authorized users have access to specific ICS systems or applications without ever providing access to the OT network. Rather than relying on physical or virtual appliances, ZPA uses lightweight infrastructure-agnostic software like docker containers or virtual machines, paired with browser access capabilities, to seamlessly connect all types of users to OT systems and applications via inside-out connections that are stitched together within the Zscaler Zero Trust Exchange.
Software-defined perimeter concept
1. Browser Access Service or Client—based Access
- Both methods redirect traffic to IDP for authentication and multi-factor
- Browser access removes the need for client download on device
- Browser access leverages HTML5-based streaming
2. ZPA Public Service Edge
- Secures user-to-app connection
- Enforces all customized admin policies
3. App Connector
- Sits in front of OT systems and apps in the data center, Azure, AWS, and other public cloud services
- Provides inside-out TLS 1.2 connections to broker
- Makes OT systems invisible to prevent DDoS attacks
Browser access enables secure third-party vendor access in minutes
With ZPA browser access service, third-party partners and users gain secure access to OT systems without the need for a client. Partners no longer need to jump through hoops to securely access OT systems—they simply use their own device to effortlessly access them over the internet. The outcome is highly controlled third-party access that allows users to connect to OT systems from any device, any location, at any time.
- Seamless experience for partners and users
- Secure OT system access from BYOD
- Limit exposure of unpatchable ICS systems
- Integrations with top IDPs