Zero Trust for the Utility Industry
Written by Matt Morris and Carmen Garibi
Industries in every sector are bringing critical infrastructure online, enabling remote access. While this step undoubtedly enables greater operational efficiency and innovation, it nevertheless exposes operational technology (OT) systems to a greater range of cyberthreats.
If this digital transformation is to continue in the industrial space, security solutions must do better at future-proofing this infrastructure. OT cyberthreats will continue to increase. The question becomes: What can be done without exposing ourselves to greater risk?
Since the beginning, the ways industrial operators have accessed or allowed access to cyber infrastructure have been problematic. Relying on perimeter-based security models is only half the battle, and is therefore insufficient. This model assumes that once someone has successfully connected to the corporate or the industrial control network, that individual should be trusted. In practice, however, that is not necessarily true, and the assumption leaves operators significantly exposed to insider threats.
A unique, preventive approach is needed to fill this gap in the security market and allow industrial operators to defend themselves effectively against threats: implementing zero-trust security, which authenticates the user and the device or system even when someone has already gained access to either of the (formerly) trusted networks.
The zero-trust, identity-based security model gives critical infrastructure operators granular control over the extent and time of access to systems, creating a trusted foundation for every interaction — human-to-machine, machine-to-machine, or edge-to-cloud. In a typical electrical substation, for example, multiple parties require varying degrees of control and access — for instance, the operating organization and contracted equipment vendors have different needs when performing maintenance on installed systems. Zero-trust solutions allow for finely tuned remote and local user and access management, utilizing identity to verify and authorize access based on individual roles. In this scenario, participating parties each receive access tailored to their needs while seeing that access management is secure, convenient, and error-free.
That kind of control and access becomes even more important when talking about entities with large territories, such as oil and gas, solar and wind operators. Zero-trust solutions allow operators within these entities to add, remove and control resources without compromising security.
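The substation scenario above, sketched as a per-request access decision in Python. This is an added example, not code from the article or from any product; the user names, device names, asset name, roles and dates are constructed, and the logic is one simple way to express access bound to identity, device, role and time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    role: str            # role the grant applies to
    asset: str           # one substation asset, not a whole network
    actions: frozenset   # extent of access
    start: datetime      # time of access: window opens
    end: datetime        # window closes

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    asset: str
    action: str
    at: datetime
    on_control_network: bool  # recorded, but never used as a reason to trust

def utc(day, hour):
    return datetime(2021, 9, day, hour, tzinfo=timezone.utc)

# Constructed sample data: identities, enrolled devices and grants are hypothetical.
USER_ROLES = {"alice": "utility-operator", "bob": "relay-vendor"}
ENROLLED_DEVICES = {"alice": {"ops-laptop-07"}, "bob": {"vendor-tablet-02"}}
GRANTS = [
    Grant("utility-operator", "feeder-relay-3", frozenset({"read", "operate"}), utc(1, 0), utc(30, 0)),
    Grant("relay-vendor", "feeder-relay-3", frozenset({"read", "update-firmware"}), utc(14, 8), utc(14, 12)),
]

def decide(req):
    """Return (allowed, reason). Every request is evaluated; the default is deny."""
    role = USER_ROLES.get(req.user)
    if role is None:
        return False, "unknown user"
    if req.device not in ENROLLED_DEVICES.get(req.user, set()):
        return False, "device not enrolled for this user"
    reason = "no grant for this role, asset and action"
    for g in GRANTS:
        if g.role == role and g.asset == req.asset and req.action in g.actions:
            if g.start <= req.at < g.end:
                return True, f"{role} may {req.action} {req.asset}"
            reason = "outside granted time window"
    return False, reason
```

Note that `on_control_network` never appears in `decide`: a request from inside the formerly trusted network is evaluated exactly like one from outside it.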
For those within the industrial control system (ICS) cybersecurity community who prefer to stick to a standards-based approach, the National Institute of Standards and Technology (NIST) published the zero-trust security standard (NIST SP 800-207) in August 2020. In May, the executive order (EO) on critical infrastructure cybersecurity called for the implementation of zero-trust security across the public sector, with guidance for the same across private industry.
Too many approaches to access control and remote access leave vulnerabilities for attacks to penetrate and proliferate through operations. By applying advanced security solutions that integrate a zero-trust approach, you can bolster your first line of defense by blocking and/or isolating attacks.
This article was edited by Doug Houseman.
For a downloadable copy of the September 2021 eNewsletter which includes this article, please visit the IEEE Smart Grid Resource Center.