Zero Trust for the Utility Industry

Written by Matt Morris and Carmen Garibi

Industries in every sector are bringing critical infrastructure online, enabling remote access. While this step undoubtedly enables greater operational efficiency and innovation, it nevertheless exposes operational technology (OT) systems to a greater range of cyberthreats.

If this digital transformation is to continue in the industrial space, security solutions must do better at future-proofing this infrastructure. OT cyberthreats will continue to increase. The question becomes: What can be done without exposing ourselves to greater risk?


Since the beginning, the ways industrial operators have accessed or allowed access to cyber infrastructure have been problematic. Relying on perimeter-based security models is only half the battle, and therefore insufficient. This model assumes that once someone is successfully connected to the corporate or the industrial control network, that individual should be trusted. In practice, however, that is not necessarily true, and the assumption leaves operators significantly exposed to insider threats.

A unique, preventive approach is needed to fill the gap in the security market and allow industrial operators to defend themselves effectively against threats: implementing zero-trust security, which authenticates the user and the device/system even when someone has already gained access to either of the (formerly) trusted networks.

The zero-trust, identity-based security model gives critical infrastructure operators granular control over the extent and time of access to systems, creating a trusted foundation for every interaction — human-to-machine, machine-to-machine, or edge-to-cloud. In a typical electrical substation, for example, multiple parties require varying degrees of control and access — for instance, the operating organization and contracted equipment vendors have different needs when performing maintenance on installed systems. Zero-trust solutions allow for finely tuned remote and local user and access management, utilizing identity to verify and authorize access based on individual roles. In this scenario, participating parties each receive access tailored to their needs while seeing that access management is secure, convenient, and error-free.
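The substation scenario above, as an added sketch that is not from the authors or any product: a default-deny decision function that checks user identity, device identity, role, asset, action and time window on every request, and never consults network location. All identities, device IDs, asset names and dates are constructed, and the enrolled-device set stands in for real device authentication such as certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Grant:
    role: str
    asset: str
    actions: frozenset
    not_before: datetime   # access is bounded in time as well as in extent
    not_after: datetime

@dataclass(frozen=True)
class Request:
    user: str
    user_verified: bool       # outcome of user authentication for this session
    device_id: str
    asset: str
    action: str
    on_control_network: bool  # recorded, but never consulted by decide()

# Constructed sample data (hypothetical identities, devices and assets).
ROLES = {"alice@utility.example": "operator", "bob@vendor.example": "relay-vendor"}
ENROLLED_DEVICES = {"eng-laptop-07", "vendor-tablet-02"}
GRANTS = [
    Grant("operator", "feeder-relay-1", frozenset({"read", "operate"}),
          datetime(2021, 1, 1, tzinfo=UTC), datetime(2022, 1, 1, tzinfo=UTC)),
    Grant("relay-vendor", "feeder-relay-1", frozenset({"read", "update-firmware"}),
          datetime(2021, 9, 14, 8, tzinfo=UTC), datetime(2021, 9, 14, 12, tzinfo=UTC)),
]

def decide(req, now):
    """Return (allowed, reason). Default deny; being on a network grants nothing."""
    if not req.user_verified:
        return False, "user not authenticated"
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device not authenticated"
    role = ROLES.get(req.user)
    expired = False
    for g in GRANTS:
        if g.role == role and g.asset == req.asset and req.action in g.actions:
            if g.not_before <= now < g.not_after:
                return True, f"{role} grant active"
            expired = True
    reason = "grant outside its time window" if expired else "no matching grant"
    return False, reason
```

The vendor's firmware grant lapses when the maintenance window closes, and an operator request from an unenrolled device is refused even when it originates on the control network.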

That kind of control and access becomes even more important when talking about entities with large territories, such as oil and gas, solar and wind operators. Zero-trust solutions allow operators within these entities to add, remove and control resources without compromising security.

For those within the industrial control system (ICS) cybersecurity community who prefer to stick to a standards-based approach, the National Institute of Standards and Technology (NIST) published the zero-trust security standard (NIST SP 800-207) in August 2020. In May, the executive order (EO) on critical infrastructure cybersecurity called for the implementation of zero-trust security across the public sector, with guidance for the same across private industry.

Too many approaches to access control and remote access leave vulnerabilities for attacks to penetrate and proliferate through operations. By applying advanced security solutions that integrate a zero-trust approach, you can bolster your first line of defense by blocking and/or isolating attacks.




This article edited by Doug Houseman

For a downloadable copy of the September 2021 eNewsletter which includes this article, please visit the IEEE Smart Grid Resource Center.

Matt Morris is a Digitalization and Cybersecurity executive and author. Matt is currently the Managing Director for 1898 & Co. Security, where he leads a diverse team of ICS cybersecurity practitioners. His mission is to serve humanity by improving safety, security, and reliability of the world’s critical infrastructure through resiliency, improved situational awareness and preparedness. An industry luminary, Matt previously spearheaded ICS cybersecurity programs at Cisco, Siemens, and NexDefense. At Cisco, Matt architected and led the world’s first managed industrial cyber security service, among other major achievements. Matt has 26 years of strategy and technology leadership. Matt is a highly sought-after speaker on ICS cybersecurity and an accomplished author. He has been published in SecurityWeek, USA Today, International Business Times, CIO Insights, CIO Review, and many other notable publications. Matt is a Certified CISO (C|CISO), holds 12 DHS ICS-CERT certifications and an MBA degree from Emory Goizueta Business School.

Carmen Garibi is the Director, Critical Infrastructure Cybersecurity, Risk Management & Compliance at 1898 & Co., part of Burns & McDonnell, where she leads Business Development, Sales, and Marketing efforts. Carmen works together with clients in utility, oil and gas, water, transportation, government and other markets to help them maintain their business, operational, and digitalization objectives by addressing the core aspect – remaining cyber vigilant. A cybersecurity executive with more than 14 years of experience, Carmen has been focused on supporting businesses in their IoT transformation and realizing operational and financial targets. Carmen holds a Master’s in Business Administration from the University of San Francisco and is based in Houston, TX.
