Securing The Connected Industrial Worker

By Sid Snitkin

Executive Overview

Industrial companies are rapidly expanding anywhere, anytime access to systems, apps, data, and people in order to drive higher productivity, better quality, and lower costs. The benefits are significant, but they come with increased cyber risks. Every interaction that crosses the system security perimeter creates a new entry path for attackers. Every third-party device that accesses corporate systems and resources raises the risks of malware injection and data loss.

Current industrial cybersecurity programs weren’t designed to allow broad-based communications with external resources. They rely on strong perimeter defenses to protect systems, especially those in OT where many assets lack even basic security capabilities.

Companies are already struggling to maintain conventional cybersecurity strategies for OT. Data and apps are being dispersed across multiple sites; public networks are being leveraged to communicate with remote sites; new, unmanageable technologies are being deployed in critical areas; and demands for remote access are growing exponentially. Trying to deal with each of these issues on a case-by-case basis is no longer tenable. A new approach to industrial OT cybersecurity is needed to ensure that all assets and data are protected.

The enormous benefits of connected workers make this an urgent issue. Managers can’t wait for case-by-case review and approval of every new idea. Workers also need immediate access driven by the problem at hand, as the benefits are time-sensitive. Zero trust has emerged as the best strategy to enable these benefits. This report discusses the challenges involved in implementing zero trust in industrial OT systems and offers recommendations on how users can overcome them.

The Industrial Connected Worker

Connected workers are appearing in every industry and industrial activity. Workers with remote access to systems and assets are reducing facility downtimes and travel costs. Site personnel with instant access to project information are reducing construction delays and costly errors. Instant access to cloud resources and subject matter experts (SMEs) is improving the productivity of factory workers. Remote operation of equipment in distant and hazardous areas is reducing safety risks and travel costs. Connectivity is also enabling broader use of productivity-enhancing technologies, like cloud analytics, smart glasses, and augmented reality.

Figure: Connected Industrial Worker

All of these connected worker applications rely on anywhere, anytime, unfettered access to a wide range of devices, apps and data in corporate IT and OT systems, the cloud, and embedded physical systems. Ensuring the security of all of these assets and interactions is essential.

Enabling connected workers is critically important for many industrial companies. They need these capabilities to reduce costs, raise productivity, and increase the availability of the facilities that drive profitability. As the COVID pandemic illustrated, connected workers can also be critical for company survival during times of upheaval, whether they are pandemics or natural disasters.

While connected workers span a multitude of use cases, they can be grouped into three different categories:

  • External workers using personal and third-party devices to access corporate IT or OT systems in order to provide remote support services and to help internal workers address critical issues, like process disruptions and cyber compromises. Common examples include home workers, internal workers who are currently off-site, vendor service personnel working within facilities, and remote vendor support teams.
  • Internal workers using IT and OT system devices to access external resources like cloud apps and data, vendor sites, and external SMEs. Examples include people accessing vendor sites and people who need to interact with external experts when troubleshooting equipment and system problems.
  • External workers at remote sites who need to access corporate data and apps in data centers and the cloud to do their work. Common examples include engineers, project managers, and contractors at construction sites, and vendor service personnel at remote sites.

Implications for Industrial Cybersecurity

Industrial companies, especially those in critical sectors like oil & gas, chemicals, and power, have long recognized the importance of cybersecurity. Most have implemented programs to protect their IT and OT assets. While they started as isolated efforts, many companies are beginning to converge these programs.

Isolation of internal people, devices, networks, and resources from the external world has always been a key focus of industrial cybersecurity. Connections with anything outside system boundaries were strongly discouraged and closely scrutinized. Required connections, including those between IT and OT systems, were secured with carefully engineered defenses that restricted information exchanges to specific endpoints and message types.

Technology developments and new business strategies forced security teams to expand the number of external connections in industrial IT and OT systems. IT security programs needed to support the increased use of public networks, cloud services, and distributed computing models. OT security programs needed to support cloud data sharing, IoT devices, and the shift to cloud-based operational software. These incremental, evolutionary developments had well-defined, detailed use cases. They also emerged slowly, so security teams had time to analyze the security threats fully and engineer appropriate security protections.

Connected workers present a different kind of security challenge. These workers need ad hoc, unfettered access to a wide range of resources inside and outside established security perimeters. Their needs depend on the situation and can’t be pre-defined. Likewise, these workers can’t wait for security team reviews and approvals.

Enabling free access can generate significant benefits, but it can also create unacceptable risks to safety, environmental compliance, and business continuity. Trying to address these risks with case-by-case, engineered extensions of security perimeters won’t work. Some general use cases can be defined, but they will never have the specific details that security teams need to engineer specific defenses.

Securing connected workers requires changes to the premises underlying existing cybersecurity programs. This includes new processes and technologies that reflect a transaction view of cybersecurity versus traditional system boundary perspectives. The goal of these changes is to enable secure, dynamic, ad hoc interactions regardless of whether the people, devices, networks, and resources are within or outside traditional security perimeters. If implemented correctly, these changes will address two critical issues:

  • Preventing cross-perimeter interactions from corrupting the integrity of corporate assets within and outside existing security perimeters.
  • Providing end-to-end security of all information exchanges and actions that occur within each session.

Zero Trust has emerged as the preferred model for achieving these goals, and various guidelines are available to help companies implement these concepts.

Table of Contents

  • Executive Overview
  • The Industrial Connected Worker
  • Implications for Industrial Cybersecurity
  • Industrial Connected Worker Trust Issues
  • NIST Guidelines for Zero Trust Cybersecurity
  • Use of Zero Trust in Industrial Systems
  • Zero Trust Solutions for OT Connected Workers
  • Recommendations

ARC Advisory Group clients can view the complete report at the ARC Client Portal.

If you would like to buy this report or obtain information about how to become a client, please Contact Us.