Zero trust is a paradigm shift in cybersecurity that emphasizes verifying every user and device attempting to access an organization’s resources, regardless of their location. By abandoning the traditional approach of trusting internal networks and adopting a “never trust, always verify” mindset, zero trust aims to mitigate the risk of data breaches and unauthorized access.
On the ICS Pulse Podcast, we talked to Dennis Hackney, an esteemed cybersecurity professional with a wealth of experience in military communications, defense contracting and compliance. The full podcast episode is available on ICS Pulse.
The following was edited for clarity.
ICS Pulse: Before we get into it, we like to ask all our guests about their background in the space and who they are, where they came from and how they got to where they are now. What’s your background in cybersecurity, and how did you get into the field?
Dennis Hackney: I love telling the story because I started with a humble background and humble beginnings in the military. What’s really cool about it is that back then, I didn’t really realize the emphasis was on security so much, but I was in tactical communications. As part of my job, I was a communications controller, which in the ’90s they called a computer systems communications controller. We managed the circuits. You have a picture in your mind of that old BellSouth attendant plugging in patch cords to patch the lines to make the telephone calls go through. That was part of what our job was, but it wasn’t just audio. It was digital, too. Managing those circuits, we had to manage the encryption devices on those circuits.
This was in defense, so I started having to manage the comsec, which was what you loaded into the encryption devices, even early on in my career. I eventually got out of the military and said, “Hey, I’m done with this. I’ve done my time,” and instantly got offered contracts, roles to work in different defense contracting organizations. I picked one, the money was good, it was great. I started doing cybersecurity compliance, which at the time we called DITSCAP, the DoD (Department of Defense) Information Technology Security Certification and Accreditation Program. We were doing that on research and development systems.
They lumped research and development systems or testing and evaluation systems into SCADA, process control and operational technology (OT). That’s when I figured out what that was. After defense contracting for a few years, I got into oil and gas and realized that a lot of the technical work that I was doing really helped with the compliance side of the house. After a little bit of time, I started getting interested in exposure risk. Not risk like cyber risk, which is an equation of sorts to determine something. Risk like enterprise risk, risk to an organization, things that expose you to litigation and things like that.
Now, I’m interested in more of the compliance side of the house again, but related to that. I do teach cybersecurity compliance as an adjunct professor in a legal program. So that’s my background. One of many hats that I wear at my day job is OT cybersecurity engineer for a super major oil company, and that always keeps me on the run. That’s it in a nutshell.
ICSP: What is zero trust, and what are the components, technologies and architectures that make it up?
Hackney: I would say in this world where we have a lot of different communications systems and networks and enterprise resources and people who are trying to access those enterprise resources, it’s becoming increasingly difficult to manage the connections and manage access to those systems. The theory of zero trust really started with, “We must explicitly deny everyone access until we can verify that we trust that identity.” What that’s turned into in the modern world is some enhanced access control, which would make the most sense. Access control mechanisms point toward Active Directory, where that’s coming from, but we’ll talk in detail about what makes it enhanced.
Microsegmentation means we control access to different parts of our networks more discreetly. Instead of having a large, wide-open network or a local area network with multiple resources, we microsegment those into different resource pools. Some of the more modern technologies are going toward a software defined network approach. Using tools like Elisity to define your network via software application versus just putting in a switch here and a router there.
Zero trust in its purest form is you have a subject who’s trying to gain access to an enterprise resource. The enterprise resource is protected. The subject is an unknown or untrusted subject at first. They use an asset, which could be a computer, and there’s a policy enforcement engine and a policy decision point that takes place in the middle, where once that access is requested, it gets parsed and checked against different things like threat intel, the updates or patching that’s been done to the asset they’re using, and whether or not they have the right or the need to know. Then, once that access is granted, you essentially trust the subject, and they can gain access to the enterprise resource.
ICSP: Why should we be looking at zero trust in operational technology networks? What are the drivers to adopt some zero-trust model in OT, which I feel would be more difficult in OT than in information technology (IT)?
Hackney: That’s a very good question. Many organizations have already implemented some form of zero-trust architecture in their enterprise or IT networks, although they may have encountered challenges along the way. Pure zero-trust networks are quite rare, and technology providers are continuously striving to develop better zero-trust solutions. However, when it comes to operational technology networks, the situation is different.
Traditionally, we have relied on the Purdue model or the Purdue Enterprise Reference Architecture to guide our OT implementations. This model recognizes multiple levels within the system, with the lower levels involving sensors, physical components and discrete signals, while the higher levels encompass more computerized systems. However, what we have found is that there is often a lack of protection or security measures between these levels, leading to unrestricted communication and potential vulnerabilities.
From a security perspective, we typically employ firewalls as north-to-south barriers between these levels to enhance protection. This ensures that there is controlled access and better segmentation. The principles of zero trust can be applied in the OT context, as well. Rather than completely redesigning the entire architecture with numerous boundary protection devices, zero trust introduces proactive access control functionalities.
By strategically placing process or policy decision points and enforcement points within the existing network, we can achieve safer access control for critical infrastructure devices. This approach allows us to enhance security without the need for extensive architectural modifications. While it may present some challenges specific to the OT environment, adopting a zero-trust model can significantly improve the overall security posture of operational technology networks.
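The request flow Hackney describes (a subject on an asset asks for an enterprise resource, a policy decision point checks identity, device state, threat intel and need-to-know, and a policy enforcement point only then opens the path) is easy to picture as code. The following is an editor's added example, not code from the podcast or from any product mentioned in it; the policy data, the 30-day patch threshold, the sample identities and the TEST-NET address are all constructed for illustration.

```python
"""Minimal zero-trust policy decision point (PDP) and enforcement point (PEP).

Added example for illustration; the policy table, thresholds and sample
requests below are constructed, not taken from the interview.
"""
from dataclasses import dataclass

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold for "asset is patched"


@dataclass(frozen=True)
class Subject:
    identity: str
    mfa_verified: bool      # identity verified for THIS request, not a cached session flag
    roles: frozenset


@dataclass(frozen=True)
class Asset:
    hostname: str
    managed: bool           # enrolled in device management, so its state is attestable
    patch_age_days: int     # days since last patch, reported by the management agent
    source_ip: str


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    asset: Asset
    resource: str
    action: str


# Constructed need-to-know policy: resource -> action -> roles allowed to perform it.
RESOURCE_ACL = {
    "historian-db": {
        "read": {"process-engineer", "historian-admin"},
        "write": {"historian-admin"},
    },
    "plc-eng-workstation": {"connect": {"control-engineer"}},
}

# Constructed threat-intel feed (203.0.113.0/24 is the TEST-NET-3 documentation range).
THREAT_INTEL_BLOCKLIST = {"203.0.113.45"}


def decide(req: AccessRequest):
    """PDP: explicit deny by default. Returns (allowed, reasons_for_denial).

    Every check runs on every request; nothing is inherited from the network
    the request came from, which is the "never trust, always verify" point.
    """
    reasons = []
    if not req.subject.mfa_verified:
        reasons.append("identity not verified (no MFA)")
    if not req.asset.managed:
        reasons.append("asset not managed")
    if req.asset.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"asset patches older than {MAX_PATCH_AGE_DAYS} days")
    if req.asset.source_ip in THREAT_INTEL_BLOCKLIST:
        reasons.append("source address on threat-intel blocklist")
    # Unknown resource or unknown action yields an empty role set, i.e. denial.
    allowed_roles = RESOURCE_ACL.get(req.resource, {}).get(req.action, set())
    if not (req.subject.roles & allowed_roles):
        reasons.append(f"no role grants '{req.action}' on '{req.resource}'")
    return (not reasons, reasons)


class PolicyEnforcementPoint:
    """PEP: the only path to the resource; it consults the PDP on each request."""

    def __init__(self, resources):
        self._resources = resources

    def access(self, req: AccessRequest):
        allowed, reasons = decide(req)
        if not allowed:
            raise PermissionError("; ".join(reasons))
        return self._resources[req.resource]


if __name__ == "__main__":
    engineer = Subject("alice", True, frozenset({"process-engineer"}))
    workstation = Asset("eng-ws-01", True, 5, "10.20.0.15")
    pep = PolicyEnforcementPoint({"historian-db": "historian rows"})
    for action in ("read", "write"):
        req = AccessRequest(engineer, workstation, "historian-db", action)
        try:
            print(action, "->", pep.access(req))
        except PermissionError as exc:
            print(action, "-> denied:", exc)
```

Two design points worth noting for OT: the PDP evaluates device posture (management enrollment, patch age) alongside identity, so a valid engineer on an unmanaged or stale laptop is still refused, and an unlisted resource or action falls through to denial rather than to a permissive default. The threshold and the blocklist are placeholders to be replaced by the site's own feeds.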