
Tackling OT Security in a ZTNA Era

Image Credit: BlastWave

The Fast Mode spoke to Joseph Baxter, Solutions Architect at BlastWave, on the impact of traffic visibility on ZTNA networks. Joseph joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: What do you consider are the core features (must have) of ZTNA?

Joseph: The world of “Zero Trust” encompasses many things, some of which break new ground and disrupt entire technology stacks. However, not all segments immediately celebrate the disruptive nature of ZTNA. Critical infrastructure and Operational Technology (OT) do not follow the same priorities as Information Technology (IT). Ask any electrical entity employee, and they will say safety will consistently rank as their top mandate, followed closely by reliability, then compliance – hopefully (but not always) coincident with cybersecurity.

The core features of ZTNA in the OT space must include frictionless deployment, transparent operation, and legacy awareness.

The average OT administrator has neither time nor resources to babysit a new platform. A ZTNA platform must work first, must work right, and must work every time. These personnel often retain full responsibility for production in their roles, equal to that of decades before, so cybersecurity tasks only add to their workload. For instance, this tendency to tag a SCADA engineer with “also cybersecurity” militates stringently against complex and overblown systems requiring nuanced skillsets. A ZTNA platform design must provide robust simplicity and frictionless implementation from square one.

Next, ZTNA must facilitate operations, not impede them. Vendors must understand that compliance and cybersecurity will play second fiddle to safety and reliability, regardless of the best plans, technology, and intentions. Considering this practical fact, any ZTNA technology or platform that fails to grasp this reality will go unused, disabled, or uninstalled. While not necessarily a pleasant truth, the OT world will look you straight in the eye and “wire around” any ZTNA platform that interferes with safety or reliability.

Lastly, a ZTNA system in the OT market must approach cybersecurity with legacy awareness. IT manages asset lifecycles in three- and five-year spans. OT contemplates service lifespans of twenty and even thirty years without batting an eye. Today's OT may crash at the first probe of a threat scanner. An installable agent won’t just “not run” but may cause a half-billion US Dollar installation to go offline. In the IT world, those assets could be replaced with newer ones. In the OT world, they are inextricably tied to system operations.

The technical must-have features of ZTNA platforms might change from time to time at the speed technology progresses, but these three OT intangibles will always remain.

Ariana: What challenges do you see across ZTNA deployments?

Joseph: For the IT world, wholesale infrastructure change is difficult. In OT, it might be legitimately impossible. In his columns twenty years ago, Bob Lewis (Keep the Joint Running) would say, “There is no such thing as an IT project. There are only business change projects, most of which have an IT vector.”

OT, by nature, resists business change.

While tempting to imagine ZTNA as “fixing” the nonexistence of security controls in OT systems of old, that very lack presents huge issues to modern cybersecurity systems. Many systems exist on unsegmented networks listening on unprotected TCP/IP ports, services running without authentication or buffer, and poorly restricted flat files. These security flaws simultaneously restrict and require a ZTNA solution. For instance, OT professionals have always excluded vast swaths of files from malware scanning tools – if even allowed at all – as traditional malware solutions tend to corrupt older OT databases. Ping sweeps are avoided as they tend to fail over systems with unprotected heart-beat ports. Because of this, any ZTNA solution that behaves cavalierly will not be considered.

Timing delays remain a tremendous challenge to ZTNA deployments in the electrical sector, for example. A Flexible AC Transmission System (FACTS) or a High Voltage DC Conversion (HVDC) station operates at nanosecond polling intervals. It must sense and make decisions in logic well ahead of the sixty Hertz (in North America) standard. The physical cyber assets in these systems often operate as only the host of a real-time OS. Therefore, anything that delays or alters the network communications or diminishes processing power for that RTOS will create unexpected behaviors, potentially costing millions in line underutilization alone.

Finally, ZTNA platforms must expect OT infrastructure to remain, perhaps artificially, out-of-reach. Water treatment, power stations, and other critical infrastructure systems experience vendor lock-in at a level rarely seen in the IT world. Most large OT vendors, as far back as the early nineties, have installed networks according to a cookie-cutter template. Every router world-wide they install will have the same configuration so attackers need not even enumerate the network. All possible additions to the system already exist with default IP addresses, ready and waiting for more units, duct coolers, pump stations, and so on. Many of these vendors refuse to alter these networks without voiding a warranty or service contract. Right or wrong, a ZTNA solution that attempts to change this sacrosanct environment can only meet with failure.

Joseph Baxter protects critical infrastructure at BlastWave as Solutions Architect. For over twenty years in cybersecurity and regulatory audit, Joseph served critical infrastructure and the financial sector, most recently in the electrical sector with NERC CIP regulated entities and for NERC itself. Joseph has participated in more than a hundred regulatory audits. He truly believes that a well-designed process with strong security controls solves almost any problem.

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024 - for more information, visit here.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
