Insider Threats and Zero Trust – Possibilities for Utility OT Cyber Security
- Jun 17, 2020 9:30 pm GMT (Jun 17, 2020 9:26 pm GMT)
Zero trust has been getting more attention in the past year, but that attention is almost entirely focused on IT cyber security. But what about the mission-critical Operations Technology (OT) infrastructure in utilities? Could zero trust concepts be successfully applied to industrial control system (ICS) environments? EPRI offers a qualified yes, although research caveats apply.
The zero trust approach may work well to reduce risks from insider threats, which are cited as a growing cyber security risk to utilities. An insider threat originates from people inside an organization: current and former employees, contractors, and vendors who have or had access to security practices, data, and IT and/or OT systems. The traditional cyber perimeter defense concept does not address insider threats. At its essence, a perimeter defense is designed to keep intruders outside; in cyber security, that means outside of utility networks.
Zero trust is a defensive cyber security concept that focuses on data and asset security inside an organization. It presumes that the perimeter is already breached. Zero trust can be summed up as "never trust, always verify" every user or device in a network. The National Institute of Standards and Technology (NIST) special publication draft on zero trust offers this definition: "… a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan."
The EPRI definition of zero trust is tailored for utility OT environments. Zero trust is a concept of continuous identity authentication and activity authorization based on identity of the entity (a user or device) and context of the activity. In mission-critical OT environments, product and process data must be protected from alteration to avoid performance disruptions in OT assets and their data networks.
EPRI posits that zero trust policies can improve detection of lateral movement by insiders within security perimeters because trust is reassigned to the data and entity levels. The Ukraine utility cyber attack in 2015 began as an external threat that managed to defeat perimeter defenses. The forensic analyses determined that the attackers were actively embedded inside the affected utilities' OT networks for months without detection. A zero trust architecture may be useful to lessen attacker dwell time within networks.
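To make the EPRI definition above concrete, here is an added example (not code from the article or from EPRI) of a toy policy decision point that authorizes every OT request on the identity of the entity and the context of the activity (attested device, asset zone, action, time of day), and that keeps a record of denials so an entity probing assets outside its role becomes visible as a lateral-movement signal. All entity, device, asset and role names are constructed for the example.

```python
"""Toy zero trust policy decision point for an OT network (added example).

Every request carries the entity, the device it comes from, the target asset,
the action and the hour. Nothing is trusted because of where the request
originates; each request is evaluated afresh against role policy, device
attestation state and the asset's zone, and every denial is recorded so that
an entity collecting denials across several assets can be surfaced.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    entity: str
    device: str
    asset: str
    action: str  # "read" or "write"
    hour: int    # hour of day (0-23) at which the request arrives


# Constructed sample directory and policy (hypothetical names, not from the article).
ROLE_OF = {"alice": "relay_engineer", "bob": "hmi_operator", "vendor1": "vendor"}
ASSET_ZONE = {"relay-01": "substation", "hmi-01": "control_room",
              "historian-01": "control_room"}
# role -> zone -> permitted actions
POLICY = {
    "relay_engineer": {"substation": {"read", "write"}, "control_room": {"read"}},
    "hmi_operator": {"control_room": {"read", "write"}},
    "vendor": {"control_room": {"read"}},
}
ATTESTED_DEVICES = {"ws-eng-1", "ws-ops-1"}  # devices with a valid posture attestation
WRITE_WINDOW = range(6, 22)                   # writes only during staffed hours


class PolicyEngine:
    def __init__(self):
        # entity -> list of (asset, reasons) for every denied request
        self.denials = defaultdict(list)

    def decide(self, req):
        """Return (allowed, reasons). Reasons is empty when allowed."""
        reasons = []
        role = ROLE_OF.get(req.entity)
        if role is None:
            reasons.append("unknown entity")
        if req.device not in ATTESTED_DEVICES:
            reasons.append("device not attested")
        zone = ASSET_ZONE.get(req.asset)
        if zone is None:
            reasons.append("unknown asset")
        elif role is not None and req.action not in POLICY.get(role, {}).get(zone, set()):
            reasons.append(f"role {role} may not {req.action} in zone {zone}")
        if req.action == "write" and req.hour not in WRITE_WINDOW:
            reasons.append("write outside maintenance window")
        if reasons:
            self.denials[req.entity].append((req.asset, reasons))
            return False, reasons
        return True, []

    def lateral_movement_suspects(self, threshold=2):
        """Entities denied on at least `threshold` distinct assets."""
        return sorted(entity for entity, denied in self.denials.items()
                      if len({asset for asset, _ in denied}) >= threshold)


# Constructed request log for the demonstration.
SAMPLE_REQUESTS = [
    Request("alice", "ws-eng-1", "relay-01", "write", 10),     # legitimate
    Request("bob", "ws-ops-1", "relay-01", "read", 10),        # outside role's zone
    Request("bob", "ws-ops-1", "historian-01", "write", 3),    # wrong time of day
    Request("vendor1", "laptop-x", "hmi-01", "read", 14),      # unattested device
    Request("alice", "ws-eng-1", "hmi-01", "write", 12),       # read-only zone for role
]


def run_demo():
    engine = PolicyEngine()
    decisions = [engine.decide(r)[0] for r in SAMPLE_REQUESTS]
    return decisions, engine.lateral_movement_suspects()


if __name__ == "__main__":
    engine = PolicyEngine()
    for r in SAMPLE_REQUESTS:
        allowed, why = engine.decide(r)
        print(f"{r.entity}@{r.device} {r.action} {r.asset}: "
              f"{'ALLOW' if allowed else 'DENY ' + '; '.join(why)}")
    print("lateral-movement suspects:", engine.lateral_movement_suspects())
```

Each decision is made per request rather than per session, which is the "continuous" part of the definition; the denial ledger is what lets a defender see an insider working through assets one at a time, something a perimeter firewall that already passed the traffic cannot observe.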
There’s another reason to consider the zero trust concept for utilities. It’s challenging to model and manage a secure perimeter when cyber risk assessments may include distributed energy resource (DER) aggregations managed by third parties in web- or cloud-based systems. Instead of attempting to continuously expand secure perimeters as grid edge attack surfaces grow, a zero trust approach identifies the data, devices, applications, and systems that must be protected.
There are two clear conclusions that utilities can draw. First, continuing to conduct cyber security operations on a traditional perimeter model will produce diminishing returns as perimeters change. Second, insider threats are a growing concern for utilities and other organizations. Any cyber security framework that helps address that significant concern should be examined for its value to utility OT operations. Zero trust is a paradigm shift that fundamentally changes a utility’s cyber security architecture from the traditional perimeter model. EPRI’s OT cyber security research team is laying the groundwork to address some of the questions posed above and to help utilities understand the benefits and costs of adopting this model to secure mission-critical operations.