Embracing Zero Trust for IoT and OT: A Fundamental Mind Shift

Securing any network begins with understanding every connected user and device and every bit of data they are trying to access. This is a basic premise of any security framework—including Zero Trust. Clearly, you need to know who is trying to access what before you can create appropriate enforcement policies and controls.

But what happens when devices become users?

Zero Trust requires that security start with the user, but interestingly, it’s not limited to the user identity. Security must focus on where the threat is most likely to occur. IoT, OT and network-enabled smart devices introduce a massive area of potential compromise for networks and enterprises. As a result, security architects are being forced to re-examine the concept of identity. Essentially, every connected thing has an identity and must be under consideration within the Zero Trust Framework—users, devices, virtual infrastructure and cloud assets.

Consider this:

• IoT devices don’t require human assistance to gather, access and share information, or to automate functions and improve business efficiency. IoT has quickly become the fastest-growing category of devices in the modern enterprise and IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025.¹
• Machine-to-machine (M2M) communication, which has become commonplace in industrial and manufacturing environments, is now being used in a variety of healthcare, business and insurance applications.²
• Businesses are bolting operational technologies onto IT networks en masse, and those systems must also be secured. According to Gartner, by 2021, 70% of OT security will be managed directly by the CIO or CISO, up from 35% today.³
• Smart devices can make very dumb security decisions. As we’ve seen in some widespread DDoS attacks, Botnets such as Mirai can take control of unmanaged IoT devices with weak credentials, potentially directing millions of them to disrupt critical services.

Don’t stereotype—every device is unique

Truly understanding devices requires much more than simply identifying their IP addresses, manufacturers and model numbers. It’s important to gain detailed insight into every device on the network, including its business context and potential for risk. This is where accurate situational awareness makes all the difference.

Let’s look at a common category of IoT devices: IP-connected cameras. The same camera often performs very different functions. For example, is the camera used for video surveillance or for video conferencing? In financial services, the camera might be used to monitor customers during transactions or built into an ATM for scanning check deposits. The video feeds from each of these cameras need to share communication paths with different data center applications and cloud services. As such, the concept of device identity and context is foundational for Zero Trust security.

Zero Trust considerations for IoT and OT

Creating a Zero Trust architecture requires in-depth understanding of all IoT and OT systems on the network, so you can make context-based segmentation decisions to reduce business risk without unduly impacting availability. To truly embrace Zero Trust across your enterprise network, here are some things to consider:

1. Expand Zero Trust beyond users to include non-user devices
2. Use agentless device visibility and continuous network monitoring for IoT and OT devices. Agent-based security methodologies can’t be used for such devices.
3. Understand the identity of every device that touches your network, including business context, traffic flows and resource dependencies.
4. Use segmentation to address critical Zero Trust principles and risk-management use cases:
   • Control and continuously monitor user and device access to protect critical business applications)
   • Enforce privileged access to critical IT and OT infrastructure
   • Segment enterprise IoT and OT devices into appropriate zones to reduce blast radius
   • Contain vulnerable devices and legacy applications/OS that can’t be patched or taken offline within separate zones to reduce the attack surface

Forescout is the vendor for Zero Trust IoT/OT focused security—Just ask Forrester.

According to The Forrester Wave^TM: Zero Trust eXtended Platform Providers, Q4 2019 , “IoT/OT device security is one of the hardest problems to solve within the enterprise. This is Forescout’s sweet spot.” In fact, Forescout is the only company recognized specifically for IoT and OT focused security in Forrester’s 2019 Zero Trust Wave.

The report’s authors also noted, “[Forescout’s] platform and capabilities for IoT/OT security shine above those of the competition. Maximum visibility, leading to maximum operational control and, ultimately, security, is the crux of Forescout’s approach to Zero Trust.”

Read more about the Zero Trust eXtended Platform and how to strengthen security with this complimentary copy of Forrester’s Zero Trust Playbook.

1. IDC, Worldwide Global DataSphere IoT Device and Data Forecast, 2019–2023, May 2019
2. https://internetofthingsagenda.techtarget.com/definition/machine-to-machine-M2M
3. Gartner, Strategic Roadmap for Integrated IT & OT Security, May, 2018