It’s Time to Simplify Third-party Access of your OT Systems
And give segmented application access instead
Access to Operational Technology (OT) systems is too broad when it comes to third-parties
Many enterprises have fallen victim to security breaches due to third-party vendors and attackers exploiting vulnerabilities of the security solutions used to provide remote access to OT systems or Industrial Control Systems (ICS). Whether it's due to ransomware or malicious third-parties, the results are the same: costly security breaches that put production lines at risk and have a negative impact on company revenue and brand reputation.
With most remote access solutions, third-party partners are granted full network access into the OT networks. In most cases, remote access solutions like VPN are putting the OT or ICS systems at risk by keeping access available 24/7 on the internet. These overprivileged third-party users introduce high risk to the production environment because you do not ultimately control them while they are on your OT network.
So how do you provide secure remote access to your ICS systems for third-parties, while allowing for timely maintenance of your production lines, without providing them full access to your OT network?
Vendors only need to access their specific ICS systems, so why introduce them to the OT network?
We know it’s risky to extend full and lateral OT network access to your third-parties, but you need to provide them with access to their specific OT systems. The solution is to decouple OT systems management software access from the network, while segmenting access based on individual users and apps. The only way to achieve this is through zero trust network access (ZTNA) technology.
While most remote access solutions based on the Purdue reference model for OT networks are network-centric, ZTNA focuses on providing secure connectivity between the user—employee, third-party partner, or contractor—and authorized enterprise applications, never the network. The result is microsegmented access to OT systems that maintains security while reducing risks from overprivileged third-party access.
Before: Third-party vendors and contractors were given lateral network access, exposing the OT systems to unnecessary risk.
After: Zero trust access only gives partners access to authorized ICS Systems, not the OT network.
Before: Remote access solutions required a client be downloaded on either a managed or personal device.
After: Regardless of the device or location, a user can simply leverage a browser to gain access to authorized ICS systems.
Reduced Attack Surface
Before: Remote access solutions were prone to attacks with many vulnerabilities. Unpatchable OT system software magnified this risk.
After: ZTNA solutions eliminate this attack surface by making the OT systems invisible. The best defense against unpatchable OT systems is to maintain the best possible air gap between IT and OT.
Eliminating third-party risk is easy with a zero trust network access (ZTNA) service
Zscaler Private Access is a ZTNA service that takes a user- and application-centric approach to network security. Whether a user is an employee, contractor, or third-party partner, ZPA ensures that only authorized users have access to specific ICS systems or applications without ever providing access to the OT network. Rather than relying on physical or virtual appliances, ZPA uses lightweight infrastructure-agnostic software, paired with browser access capabilities, to seamlessly connect all types of users to OT systems and applications via inside-out connections that are stitched together within the Zscaler Security Cloud.
Software-defined perimeter concept
1. Browser Access Service
- Redirects traffic to IDP for authentication
- Removes need for client on device
2. ZPA Public Service Edge
- Secures the user-to-app connection
- Enforces all customized admin policies
3. App Connector
- Sits in front of OT systems and apps
- Provides inside-out TLS 1.2 connections to broker
- Makes OT systems invisible to prevent DDoS attacksa
“Instead of trying to create a Citrix for users to connect to the environment and
then go to the internal registration site to register their second factor tokens, we
just expose this to ZPA through the ZPA client-less access and that
Director of IT Security, National Oilwell Varco
Browser access enables secure third-party vendor access in minutes
With ZPA browser access service, third-party partners and users gain secure access to OT systems without the need for a client. Partners no longer need to jump through hoops to securely access OT systems—they simply use their own device to effortlessly access them over the internet. The outcome is highly controlled third-party access that allows users to connect to OT systems from any device, any location, at any time.
- Seamless experience for partners and users
- Secure OT system access from BYOD
- Limit exposure of unpatchable ICS systems
- Integrations with top IDPs