Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Securing Access to Smart Factories: The CISO’s Next Frontier


Industry 4.0 cannot operate with air gaps: it’s time for a new paradigm

The application of digital technologies including sensors, digital twins, artificial intelligence, cloud and edge computing - collectively known as Industry 4.0 - to industrial processes promises to deliver significant gains in manufacturing productivity, plant and personnel safety, and profitability. The vision of Industry 4.0 is one of “fully-integrated, collaborative manufacturing systems that respond in real time to meet changing demands and conditions in the factory, in the supply network, and in customer needs,” according to the National Institute for Standards and Technology (NIST) which partners with the U.S. manufacturing sector. By connecting devices to the supply chain and enterprise networks, companies can unlock the full potential of operational technology (OT) and industrial internet of things (IIoT) - but this also introduces new and previously unknown cybersecurity and plant safety risks. 

OT environments were once islands—self-contained and isolated units air-gapped from the internet, and more or less a reliable barrier against cyberattacks. But this is no longer the case. Air gaps are eroding and these systems are opening up and evolving into a buzzing ecosystem. But the internet-connected shop floor creates vulnerabilities and increases the risks of an attacker breaking into your OT network and disrupting your business, or worse, putting your frontline workers in danger. Threat actors are weaponizing OT environments to the point that by 2025 they will have the capability of injuring or killing humans, according to a report by Gartner. In addition, new research from Zscaler’s ThreatLabz threat research team underscores hackers’ penchant for targeting the manufacturing sector in particular.

The recent string of ransomware attacks directed at industrial and supply-chain targets has sharpened the focus on industrial cybersecurity by business and political leaders. Faced with mounting threats of economic and operational disruption, the OT world is coming to grips with the fact that there’s no such thing as a completely “air-gapped” cell or network, and therefore we must double down on our defenses to secure industrial infrastructure against cyber attacks. Enter zero trust, the security model that assumes everything to be hostile and should not be inherently trusted. 

To change the industrial cybersecurity paradigm, we must first understand the unique challenges of the cyber-physical world.

Navigating the complexity of the converging IT-OT worlds 

IT and OT which have been, by and large, oblivious to the other’s existence are now becoming more interdependent and being forced to come together, thanks to the convergence of our digital and physical worlds. But the path to convergence can be steep due to significant cultural barriers.

IT primarily concerns itself with the confidentiality, integrity, and availability (also known as the CIA triad) of enterprise data and IT systems at any cost. Whereas OT primarily concerns itself with productivity, safety, and uptime of physical operations at any cost. One in three firms says that a single hour of downtime can cost them anywhere from $1 million to $5 million in losses. Their worldviews are sometimes at odds, even if their convergence is driven by the same top-level business outcomes.

No, really, it’s complicated

What’s more, the technical and operational complexities of the factory floor are genuinely difficult to tackle in a number of unique ways: 

  • Complex, idiosyncratic environments. A typical plant can have hundreds of pieces of highly customized equipment from different OT vendors each with its own proprietary automation software and protocols - all designed to support specific processes. In contrast, enterprise IT widely uses SaaS and off-the-shelf software and hardware that can be easily deployed, managed, upgraded, and patched.  
  • Legacy machinery and equipment. The average lifespan for industrial assets often lasts into the decades—even as generations of more efficient and more secure technology is introduced— so it’s not uncommon to find aging machinery and equipment on the plant floor.  IT systems, on the other hand, typically have lifespans of between four to six years. 
  • Limited security and third-party risks. Unlike IT, the proprietary nature of OT means companies rely on OEMs and boutique vendors to maintain and manage their equipment. The assets are kind of a black box to their owners who have limited visibility into their controls and vulnerabilities. Any security flaws in industrial equipment and communication protocols get compounded by poor security, increasing the attack surface.   

Accelerated digitalization was only the beginningset the stage for the next (cyber) frontier

The path forward calls for charting a new course. IT teams working alongside OT teams with a common goal of protecting critical processes, plants, automation, and workflows that go into creating a product. CISOs will be at the helm of this next frontier and it will be imperative for them to extend the principles of the zero trust security model that many in the IT world are now implementing to the OT world. 

The National Institute of Standards and Technology (NIST) proposed the zero trust architecture for industrial and enterprise networks and stated, “perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.” A zero trust architecture can simplify security for industrial infrastructure and solve key challenges, such as secure remote access for industrial systems, without requiring complex physical segmentation at each layer of the hierarchical Purdue Model

CISOs have a prime opportunity to improve the cyber resilience of their manufacturing environments and industrial assets while keeping production lines and processes running smoothly, safely, and reliably. 

Knock down the barriers impeding OT-IT convergence. Start with zero today. 

A zero trust-based approach can help you integrate OT with IT and unify cybersecurity controls across your industrial and enterprise networks. Zscaler helps companies truly embrace the zero trust mindset by providing visibility into what applications need to be protected and which users need to access them, making infrastructure completely invisible to attackers and accessible only by authorized users, and providing end users with an amazing experience.

OT personnel have traditionally connected to industrial equipment and systems using remote-access virtual private networks (VPNs), but these solutions inadvertently expand the organization’s attack surface and open the door for bad actors to exploit excessive implicit trust inherent with VPNs. Consider implementing zero trust network access for your industrial environments to make it faster, simpler, and more secure for employees and third-parties alike to connect to, troubleshoot/repair, and service assets from anywhere, maximizing uptime and productivity. Zscaler Private Access (ZPA) is a cloud service that provides zero trust network access to your private applications running in your OT network or IT network. ZPA protects your systems against cyber threats by only connecting users and devices to the specific applications they need without connecting them to your network directly. 

Let us help you remove the barriers limiting the productivity of your smart factories and enable more secure connectivity with the rest of your business:

Find out whether your network is as secure as it needs to be: Zscaler Security Assessment

Read the solution brief: Zscaler Private Access for Secure Third-Party Access

Related Links

What is OT Security?

What is the Purdue Model for ICS Security?

Secure Third-Party Access For OT Systems


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.