By Anand Oswal, Senior Vice President and GM at cyber security leader Palo Alto Networks

Critical infrastructure forms the fabric of our society, providing power for our homes and businesses, fuel for our vehicles, and medical services that preserve human health.

With the acceleration of digital transformation spurred by the pandemic, larger and larger volumes of critical infrastructure and services have become increasingly connected. Operational technology (OT) serves a critical role as sensors in power plants, water treatment facilities, and a broad range of industrial environments.

Digital transformation has also led to a growing convergence between OT and information technology (IT). All of this connection brings accessibility benefits, but it also introduces a host of potential security risks.

Cyberattacks on critical infrastructure threaten many aspects of our lives

It’s a hard fact that there isn’t an aspect of life today free from cyberthreat. Ransomware and phishing attacks continue to proliferate, and in recent years, we’ve also seen an increasing number of attacks against critical infrastructure targets. Even environments where OT and IT were traditionally segmented or even air-gapped have largely converged, presenting attackers with the ability to find an initial foothold and then escalate their activities to more serious pursuits, such as disrupting operations.

Examples are all around us. Among the most far-reaching attacks against critical infrastructure in recent years was the Colonial Pipeline incident, which triggered resource supply fears across the US as the pipeline was temporarily shut down. Automobile manufacturer Toyota was forced to shut down briefly after a critical supplier was hit by a cyberattack. Meat processing vendor JBS USA Holding experienced a ransomware cyberattack that impacted the food supply chain.
The Oldsmar water treatment plant in Florida was the victim of a cyberattack that could have potentially poisoned the water supply. Hospitals have suffered cyberattacks and ransomware that threaten patients’ lives, with the FBI warning that North Korea is actively targeting the US healthcare sector. The list goes on and on.

Global instability complicates this situation further, as attacks against critical infrastructure around the world spiked following Russia’s invasion of Ukraine, with the deployment of Industroyer2 malware that is specifically designed to target and cripple critical industrial infrastructure.

Today’s challenges place an increasing focus on operational resiliency

With all of these significant challenges to critical infrastructure environments, it’s not surprising that there is a growing focus on operational resiliency within the sector. Simply put, failure is not an option. You can’t have your water or your power go down or have food supplies disrupted, because an outage of critical infrastructure has a direct impact on human health and safety. So, the stakes are very high, and there is almost zero tolerance for something going the wrong way.

Being operationally resilient in an era of increasing threats and changing work habits is an ongoing challenge for many organizations. This is doubly true for the organizations, agencies, and companies that comprise our critical infrastructure.

Digital transformation is fundamentally changing the way this sector must approach cybersecurity. With the emerging hybrid workforce and accelerating cloud migration, applications and users are now everywhere, with users expecting access from any location on any device. The implied trust of years past, where being physically present in an office provided some measure of user authenticity, simply no longer exists.
This level of complexity requires a higher level of security, applied consistently across all environments and interactions.

Overcoming cybersecurity challenges in critical infrastructure

To get to a state of resiliency, there are a number of common challenges in critical infrastructure environments that need to be overcome because they negatively impact security outcomes. These include:

Legacy systems: Critical infrastructure often uses legacy systems far beyond their reasonable lifespan from a security standpoint. This means many systems are running older, unsupported operating systems, which often cannot be easily patched or upgraded due to operational, compliance, or warranty concerns.

IT/OT convergence: As IT and OT systems converge, OT systems that were previously isolated are now accessible, making them more available and, inherently, more at risk of being attacked.

A lack of skilled resources: In general, there is a lack of dedicated security personnel and security skills in this sector. There has also been a shift in recent years toward remote operations, which has put further pressure on resources.

Regulatory compliance: There are rules and regulations across many critical infrastructure verticals that create complexity concerning what is or isn’t allowed.

Getting insights from data: With a growing number of devices, it’s often a challenge for organizations to get insights and analytics from usage data that can help to steer business and operational outcomes.

The importance of Zero Trust in critical infrastructure

A Zero Trust approach can help to remediate a number of the security challenges that face critical infrastructure environments and also provide the level of cyber resilience that critical infrastructure needs now.

How come? The concept of Zero Trust, at its most basic level, is all about eliminating implied trust.
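As an added illustration of what "eliminating implied trust" means when written down as a decision rule, the following hypothetical policy engine (example code, not Palo Alto Networks' or the author's) evaluates every access request against the identity's authentication strength, the requesting device's posture, an asset inventory split into IT and OT zones, and an explicit per-role allow-list. The physical location of the requester is recorded for the audit trail but never consulted when deciding, and every decision is logged. All names, assets, roles and device ids are constructed sample data.

```python
"""Hypothetical Zero Trust access-decision engine (added example, constructed data).

Principles shown: default deny, strong authentication of the identity, posture
check of the device, explicit allow-list per asset, no location-based shortcut,
and an audit record for every decision (allowed or denied).
"""
from dataclasses import asdict, dataclass

# Constructed asset inventory ("crown jewels"): asset name -> network zone.
ASSETS = {
    "historian-db": "IT",
    "plc-pump-01": "OT",
    "hmi-station-3": "OT",
}

# Constructed explicit allow-list: (role, asset) -> permitted actions.
# Anything not listed is denied, which also enforces IT/OT segmentation:
# an IT role simply has no entry for any OT asset.
POLICY = {
    ("ot-engineer", "plc-pump-01"): {"read", "write"},
    ("ot-engineer", "hmi-station-3"): {"read"},
    ("it-analyst", "historian-db"): {"read"},
}

# Constructed device inventory: device id -> posture check passed.
DEVICES = {
    "eng-laptop-17": True,
    "contractor-tablet-2": False,  # known device that failed its posture check
}


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool   # identity was strongly authenticated for this session
    device: str
    location: str        # "office" or "remote": logged, never trusted
    asset: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str


# Every decision lands here; a real deployment would ship these to a SIEM.
AUDIT_LOG: list[dict] = []


def decide(req: Request) -> Decision:
    """Default-deny evaluation; the first failing check explains the denial."""
    if not req.mfa_verified:
        outcome = Decision(False, "identity not strongly authenticated")
    elif req.device not in DEVICES:
        outcome = Decision(False, "unknown device")
    elif not DEVICES[req.device]:
        outcome = Decision(False, "device posture non-compliant")
    elif req.asset not in ASSETS:
        outcome = Decision(False, "asset not in inventory")
    elif req.action not in POLICY.get((req.role, req.asset), set()):
        outcome = Decision(False, f"no policy grants {req.role} '{req.action}' on {req.asset}")
    else:
        outcome = Decision(True, "explicit policy match")
    # Continuous monitoring: record the full request context with the outcome.
    AUDIT_LOG.append({**asdict(req), "zone": ASSETS.get(req.asset),
                      "allowed": outcome.allowed, "reason": outcome.reason})
    return outcome


if __name__ == "__main__":
    # Same engineer, same device, same asset: location changes nothing,
    # but a session without strong authentication is refused even in the office.
    for loc, mfa in (("remote", True), ("office", False)):
        r = Request("alice", "ot-engineer", mfa, "eng-laptop-17", loc, "plc-pump-01", "write")
        print(loc, mfa, decide(r))
    # An IT analyst inside the office is still denied access to an OT controller.
    print(decide(Request("bob", "it-analyst", True, "eng-laptop-17", "office", "plc-pump-01", "read")))
```

The ordering of checks matters for the audit trail: identity and device are verified before the policy lookup so that a denied request is attributed to the weakest failing control, which is the signal an operations team wants when reviewing the log.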
Every user needs to be authenticated, every access request needs to be validated, and all activities continuously monitored. With Zero Trust authentication, access is a continuous process that helps to limit risk.

Zero Trust isn’t just about locking things down; it’s also about providing consistent security and a common experience for users, wherever they are. So, whether a user is at home or in the office, they get treated the same from a security and risk perspective. Just because a user walked into an office doesn’t mean they should automatically be granted access privileges.

Zero Trust isn’t only about users: the same principles apply to cloud workloads and infrastructure components like OT devices or network nodes. There is still a need to authenticate devices and their access, to authorize what the device is trying to do, and to provide control, and that’s what the Zero Trust model can provide.

All of these aspects of Zero Trust enable the heightened security posture that critical infrastructure demands.

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of implicit trust from an organization’s network architecture. The most important objectives in CI cybersecurity are preventing damaging cyber-physical effects to assets, preventing loss of critical services, and preserving human health and safety. Critical infrastructure’s purpose-built nature, correspondingly predictable network traffic, and challenges with patching make it an ideal environment for Zero Trust.

Applying a Zero Trust approach that fits critical infrastructure

It’s important to realize that Zero Trust is not a single product; it’s a journey that organizations will need to take.

Going from a traditional network architecture to Zero Trust, especially in critical infrastructure, is not going to be a “one-and-done” effort that can be achieved with the flip of a switch.
Rather, the approach we recommend is a phased model that can be broken down into several key steps:

1. Identifying the crown jewels. A foundational step is to first identify what critical infrastructure IT and OT assets are in place.

2. Visibility and risk assessment of all assets. You can’t secure what you can’t see. Broad visibility that includes behavioral and transaction flow understanding is an important step, in order not only to evaluate risk but also to inform the creation of Zero Trust policies.

3. OT-IT network segmentation. It is imperative to separate IT from OT networks to limit risk and minimize the attack surface.

4. Application of Zero Trust policies. This includes:

By definition, critical infrastructure is vital. It needs to be operationally resilient, be able to reduce the potential attack surface, and minimize the new or expanding risks created by digital transformation. When applied correctly, a Zero Trust approach to security within critical infrastructure can play a central role in all of this — ensuring resilience and the availability of services that society depends on every day.

Learn more about our Zero Trust approach.

About Anand Oswal:

Anand serves as Senior Vice President and GM at cyber security leader Palo Alto Networks. Prior to this, Anand was Senior Vice President of Engineering for Cisco’s Intent-Based Networking Group. At Cisco he was responsible for building the complete set of platforms and solutions for the Cisco enterprise networking portfolio. The portfolio spans enterprise products across routing, access switching, IoT connectivity, wireless, and network and cloud services deployed for customers worldwide.

Anand is a dynamic leader, building strong, diverse, and motivated teams that continually excel through a relentless focus on execution. He holds more than 50 U.S. patents and is focused on innovation and inspiring his team to build awesome products and solutions.