
Asset-centric Protection for Cyber Physical Systems

August 4, 2022

Over the last few years, industrial organizations have accelerated digital transformation initiatives, including the transition to hybrid workforce models that have interconnected the operational networks and assets more and more with IT and Cloud assets. This requires a rethinking of security approaches for industrial cybersecurity. 

Operational security is evolving from a network-centric to an asset-centric security model, according to insights provided by Katell Thielemann, VP Analyst, at the Gartner® Security and Risk summit in June 2022 in National Harbor, Maryland, USA, during her session titled “CPS Security — Top 10 Must-Dos.”

Before diving into details on why the asset-centric security model is game-changing for operational security, we believe it is important to understand what Gartner means by operational “assets”, which they define as Cyber Physical Systems (CPS): “Engineered systems that orchestrate sensing, computation, control, networking, and analytics to interact with the physical world (including humans). When secure, they enable safe, real-time, reliable, resilient, and adaptable performance.” Gartner’s concept of CPS is inclusive of Operational Technology (OT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), Smart Buildings, Smart Grids, and Smart Cities. CPS interact with and bridge both the physical and digital worlds, and CPS security needs to be handled differently from digitally focused IT security.

Katell points out that there are many different types of Cyber-Physical Systems (CPS) due to technology refreshes, from legacy OT systems to modern fully automated systems (e.g., robots used in food & beverage manufacturing), and each of these systems has different security capabilities, hence the need to move to an asset-centric model for CPS security.

Gartner's recommendations on moving to a focus on asset-centric security match what Xage has been hearing from our customers quite a bit.

Xage helps operators discover and protect their assets and all interactions with them utilizing an identity-centric (including asset-centric) zero-trust approach. Xage provides capabilities such as identity-based access management and privilege enforcement, “just-in-time” and “just-enough” remote access, identity-based dynamic segmentation, credential management, and protecting access to sensitive data. As today’s operations have become more and more connected due to hybrid workforce and digital transformation efforts, our customers see the need to granularly manage access to their assets utilizing asset identities and identity-based access policies, which also extend to identities of users, applications, and even data. 

Organizations can now go from visibility to protection using an asset-centric security approach. To assess how asset-centric security can protect CPS, let’s look at the top issues Gartner has identified from their client conversations. In her session at the Gartner Summit, Katell also highlighted critical issues like weak/shared passwords, default credentials, minimal privilege access management, etc. (see below).

Xage has seen in our customer deployments that an asset-centric approach to Cyber-Physical System (CPS) security can immediately help organizations identify and group different types of assets so that protection measures can be deployed to secure vulnerable as well as critical assets. For example, having a real-time view of your CPS connectivity is important, but at the same time you need the ability to prevent a CPS from being accessed via the internet without an authorized business reason. Taking an asset-centric approach and establishing access management policies is critical. For example, implementing strong credentials, password rotation, and multi-factor authentication (MFA) across all assets is not only good CPS security hygiene, but it also protects these assets from attacks.

Ultimately, based on the work Xage has been doing with our customers, the asset-centric approach to Cyber-Physical Systems protection enables organizations to adopt zero trust without rip and replace. We look forward to hearing more from Katell and Gartner about this game-changing transition and how this can help critical infrastructure operators take a proactive and preventative approach to CPS security.

 

Source:
Gartner, “Gartner Security and Risk Management Summit”, “CPS Security — Top 10 Must-Dos”, Katell Thielemann, June 2022 (National Harbor, Maryland, USA)

Gartner is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.