On April 14, 2022, CISA published a warning about a potential denial-of-service condition in certain OT assets. Specifically, CISA warned that an OpenSSL TLS server may crash if a client sends it a maliciously crafted renegotiation ClientHello message. According to the warning, servers running the default configuration, with TLSv1.2 and renegotiation enabled, are affected, and vendors were releasing patches. Note that renegotiation does not exist in TLS 1.3, so the crash is only reachable where the server still negotiates TLS 1.2 and still honors renegotiation requests.
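To make the affected configuration concrete, the following is an added example (not code from the original post, and not from Zscaler, Siemens or CISA). It encodes the condition the warning describes, a TLS server that still accepts TLS 1.2 and still allows renegotiation, as a check on Python's `ssl.SSLContext` (a thin wrapper over OpenSSL's `SSL_CTX` options), and shows two hardened configurations beside the weak one. The helper names (`renegotiation_exposed`, `weak_server_context`, and so on) are mine. This is a configuration check only; whether the crash actually occurs still depends on the OpenSSL build being unpatched.

```python
"""Added example, not from the original post or from Zscaler/Siemens/CISA.

Expresses the vulnerable server configuration named in the CISA warning
(TLS 1.2 accepted + renegotiation allowed) as a check on ssl.SSLContext,
and shows two ways to remove it. Helper names are hypothetical."""
import ssl

# OP_NO_RENEGOTIATION is only exposed with OpenSSL >= 1.1.0h. If it is
# missing we cannot switch renegotiation off from Python, so the check
# conservatively treats renegotiation as allowed.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def negotiable_versions(ctx: ssl.SSLContext) -> tuple:
    """Effective (lowest, highest) protocol version the context accepts.
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels, not versions,
    so map them to the ends of the real range."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo, hi


def allows_tls12(ctx: ssl.SSLContext) -> bool:
    """True if a TLS 1.2 handshake can be negotiated with this context."""
    lo, hi = negotiable_versions(ctx)
    in_range = lo <= ssl.TLSVersion.TLSv1_2 <= hi
    # The legacy per-version option can also exclude TLS 1.2 on its own.
    return in_range and not (ctx.options & ssl.OP_NO_TLSv1_2)


def allows_renegotiation(ctx: ssl.SSLContext) -> bool:
    """True if the server would still process a renegotiation ClientHello."""
    if not NO_RENEG:
        return True  # cannot prove it is off; assume it is on
    return not (ctx.options & NO_RENEG)


def renegotiation_exposed(ctx: ssl.SSLContext) -> bool:
    """The configuration the warning names: TLS 1.2 reachable *and*
    renegotiation honored. TLS 1.3 has no renegotiation, so a
    TLS-1.3-only server cannot be reached through this path."""
    return allows_tls12(ctx) and allows_renegotiation(ctx)


def weak_server_context() -> ssl.SSLContext:
    """The default shape: TLS 1.2 accepted, renegotiation left at default
    (Python does not set OP_NO_RENEGOTIATION for you)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_no_renegotiation() -> ssl.SSLContext:
    """Keep TLS 1.2 for older clients but refuse renegotiation outright
    (OpenSSL then ignores renegotiation ClientHellos instead of acting on them)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= NO_RENEG
    return ctx


def hardened_tls13_only() -> ssl.SSLContext:
    """Drop TLS 1.2 entirely; renegotiation can then never be requested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    for name, make in [("weak (default)", weak_server_context),
                       ("no renegotiation", hardened_no_renegotiation),
                       ("TLS 1.3 only", hardened_tls13_only)]:
        print(f"{name:18s} exposed={renegotiation_exposed(make())}")
```

Of the two hardened shapes, refusing renegotiation is the smaller change for an OT server that still has to talk to TLS 1.2-only clients; raising the floor to TLS 1.3 removes the whole renegotiation code path but will break older embedded clients. Either way, the check only tells you the configuration no longer matches the warning; the OpenSSL library itself still needs the vendor patch.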
As mitigation, CISA recommends isolating the OT network from the IT network and from the internet, and suggests that companies use VPNs for secure remote access to industrial manufacturing areas. Yet CISA also cautions that VPNs themselves are not infallible and can contain vulnerabilities. To me, this advice seems limited and outdated. NIST (in SP 800-207) and many other reputable expert bodies have advocated replacing network-level VPN access with Zero Trust Architecture. We must remember that the Colonial Pipeline ransomware attack began with stolen VPN credentials for an account that had no multi-factor authentication: the attackers got onto the corporate network, moved laterally, found high-value billing applications, encrypted them, and demanded a ransom. The biggest risk of VPN access is that it puts people on the network, which is what enables lateral movement. In contrast, Zero Trust Architecture connects authorized users to specific applications, not to the network.
Beyond the fact that these mitigations are not fail-proof, they can also hold back factory modernization. Permanently hiding the OT network from the IT side and from the internet can mean factories must forgo a whole host of benefits that Industry 4.0 would otherwise deliver. These include OT/IT convergence, which yields more comprehensive asset management, and AI-driven production line automation, which yields efficiency gains, better factory uptime, and higher output.
Fortunately, Zscaler and Siemens have teamed up to design and offer a zero trust approach for secure access to OT assets, including Siemens devices. The solution increases security while maximizing uptime, keeping the shop floor, robotics, and automated assets running smoothly even in the face of cyber threats. Specifically, the Zscaler Private Access App Connector runs alongside the Siemens SCALANCE LPE, giving enterprises the option to layer zero trust connectivity alongside traditional perimeter-based methods. In most cases, zero trust can replace the VPN outright.
Several advantages of the Zscaler solution, which is based on Zero Trust architecture, include:
Siemens already considers layering in zero trust to be part of defense in depth. Here you can read more about it. I am proud of the work Siemens and Zscaler have done to modernize security for factories. CISA, we strongly recommend that you update your guidance to add the zero trust defense layer as well.