UPDATED 19:50 EDT / SEPTEMBER 24 2021

SECURITY

Zscaler and Siemens join to bring zero-trust security to operational technology systems

Zscaler Inc. and Siemens AG announced an interesting partnership this week wherein the two vendors are bringing zero-trust security to operational technology systems.

OT systems are most commonly found in industrial networks but are seeing increased adoption in other industries. Historically, OT systems ran on their own proprietary networks that were often isolated from the company’s data networks. Industry leaders have been predicting that information technology and OT systems would eventually come together, but that has been slow to materialize in industrial settings.

Some OT systems have been integrated with IT networks, such as building systems like alarms, LED lighting and heating and air conditioning as part of smart building initiatives, but that has been more the exception than the norm in industrial settings.

The COVID-19 pandemic forced many organizations down the IT-OT path as workers required access to the OT systems from home and the most cost-effective way to do that was to enable VPN access through the data network. That enables workers to remotely manage and control systems and diagnose problems.

Although VPNs connected workers to industrial systems quickly, they are not ideal, because a network-layer VPN places the remote user on the network rather than connecting them to a single application. That creates a back door into the industrial “internet of things” environment: a stolen credential or a compromised home PC gives an attacker the same reach into the OT network that the worker had, which greatly expands the organization’s attack surface and exposes the business to large-scale network attacks.

Some organizations have turned to firewall-based network segmentation, and that can work, but it is very complicated to set up and is even more difficult to keep updated in dynamic environments. That’s because every time a device moves, the segmentation policies must be updated. Coarse-grained segmentation is widely used, but businesses have struggled with fine-grained segmentation, which is needed in IoT environments to minimize the impact of a breach.

Zero trust is a better approach because it flips the network model around. IP-based networks are built on the principle that everything can talk to everything, which is what makes IP networking so simple to scale. The problem is that any path between two points can also be used by threat actors, and with an expanding and dynamic attack surface, finding and closing every one of those points of entry is nearly impossible.

Zero trust assumes nothing can talk to anything unless it is explicitly allowed. And because zero trust is provisioned as an overlay that is completely independent of the physical network, keyed on the identity of the user, device and application rather than on their addresses and brokered through an exchange, zero-trust policies follow the device, user or application and do not need to be reconfigured every time an address or location changes. With Zscaler, those policies are stored in its cloud-based Zero Trust Exchange, which effectively acts as a switchboard for zero trust.
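To make the contrast concrete, both for the segmentation problem described above (policies that break when a device moves) and for the default-deny, identity-keyed model, here is an added example that is not from the article and not Zscaler’s or Siemens’ code. It models a firewall ACL keyed on addresses beside a default-deny policy keyed on user group, managed-device identity and application. Every IP range, user, device ID and application name is constructed for illustration, and the identity fields are assumed to have already been verified by an identity provider and a device certificate.

```python
"""Added example: address-based ACL versus identity-based, default-deny policy.
All addresses, users, devices and applications below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    src_ip: str        # packet source; changes when a device moves or dials in remotely
    dst_ip: str
    dst_port: int
    user: str          # identity asserted by the IdP (assumed already verified)
    device_id: str     # device identity from a managed-device certificate (assumed)
    app: str           # application the client asks the broker for


# --- Model 1: classic firewall ACL keyed on addresses -------------------------
# (source network, destination network, port or None for any) -> allow
IP_ACL = [
    (ip_network("10.20.1.0/24"), ip_network("10.99.0.10/32"), 502),   # engineering VLAN -> PLC HMI, Modbus
    (ip_network("172.16.0.0/24"), ip_network("10.99.0.0/16"), None),  # coarse rule added for the VPN pool
]


def ip_acl_allows(req: Request) -> bool:
    """True if any ACL entry matches the packet's addresses and port."""
    src, dst = ip_address(req.src_ip), ip_address(req.dst_ip)
    return any(src in s and dst in d and (p is None or req.dst_port == p)
               for s, d, p in IP_ACL)


# --- Model 2: identity-based, default-deny overlay policy ---------------------
GROUPS = {"alice": {"plc-engineers"}, "bob": {"hvac-ops"}}       # from the IdP
MANAGED_DEVICES = {"laptop-7f3a", "laptop-91c2"}                  # valid device certs
ZT_POLICY = [
    {"group": "plc-engineers", "app": "plc-line3-hmi"},
    {"group": "hvac-ops", "app": "building-hvac"},
]


def zt_allows(req: Request) -> bool:
    """Default deny: allow only when a managed device, the user's group and the
    requested app all match a rule. Source and destination IPs are never consulted."""
    if req.device_id not in MANAGED_DEVICES:
        return False
    groups = GROUPS.get(req.user, set())
    return any(rule["app"] == req.app and rule["group"] in groups for rule in ZT_POLICY)


def compare(req: Request) -> dict:
    return {"ip_acl": ip_acl_allows(req), "zero_trust": zt_allows(req)}


# Scenarios (constructed):
# 1. Alice on the engineering VLAN reaches the line-3 HMI: both models allow.
on_site = Request("10.20.1.15", "10.99.0.10", 502, "alice", "laptop-7f3a", "plc-line3-hmi")
# 2. Same laptop, same person, re-addressed onto another VLAN: the ACL now blocks
#    her until someone edits the firewall; the identity policy is unchanged.
moved_vlan = Request("10.20.2.15", "10.99.0.10", 502, "alice", "laptop-7f3a", "plc-line3-hmi")
# 3. Alice on the VPN pool tries an app her group is not entitled to: the coarse
#    VPN rule lets the packet through (the back door); zero trust denies it.
remote_vpn_lateral = Request("172.16.0.7", "10.99.0.20", 443, "alice", "laptop-7f3a", "building-hvac")
# 4. Alice's credentials replayed from an unmanaged machine on the right VLAN.
stolen_creds = Request("10.20.1.15", "10.99.0.10", 502, "alice", "unknown-device", "plc-line3-hmi")

if __name__ == "__main__":
    for name, r in [("on_site", on_site), ("moved_vlan", moved_vlan),
                    ("remote_vpn_lateral", remote_vpn_lateral), ("stolen_creds", stolen_creds)]:
        print(f"{name:20s} {compare(r)}")
```

The second ACL entry is the kind of broad rule that gets added under time pressure to let remote workers in, and it is exactly what turns a VPN into a back door: reachability is granted to a whole /16 because the firewall can only reason about addresses. The identity model never has to be touched for scenarios 2 through 4, because the decision is made on who and what is asking, not on where the packet came from.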

Specifically, with this partnership, Zscaler and Siemens are collaborating to bring zero trust to OT in industrial environments. The joint solution is more of a distributed cloud rather than a pure centralized cloud that Zscaler customers typically use. In this case, the Zscaler cloud is extended to the Siemens SCALANCE local processing engine on its ruggedized switch using Zscaler’s Private App Connector.

That lets the App Connector, the component that relays sessions brokered by the Zero Trust Exchange to the local OT applications, run as a Docker container on the Siemens device. The connector makes outbound connections to the exchange, so nothing inside the industrial network has to accept inbound connections from the internet. The benefit of running it on the Siemens device is that local processing provides better performance and eases implementation.

Organizations that deploy the tandem solution will realize significantly simpler remote access, since VPN clients will no longer be required. VPNs are very popular but can be cumbersome and slow-performing for some users, not to mention potential back doors into highly secure environments. Also, the zero-trust implementation greatly reduces the attack surface, because each user is connected only to the specific application the policy permits rather than to a network segment, so if a breach does occur the “blast radius” is minimal, making remediation fast and simple.

Given that hybrid work is here for the foreseeable future, organizations need to take a step back and rethink their remote-access procedures. VPNs were innovative a couple of decades ago when environments were static. Businesses, even industrial organizations, are increasingly dynamic and distributed, and zero trust meets the needs much better.

Zeus Kerravala is a principal analyst at ZK Research, a division of Kerravala Consulting. He wrote this article for SiliconANGLE.

Image: Tumisu/Pixabay
