The Korea Internet & Security Agency (KISA) headquarters in Naju, Jeollanam-do /Courtesy of Korea Internet & Security Agency (KISA)

The Korea Internet & Security Agency (KISA) said on the 22nd that it released a guide to applying zero trust in operational technology (OT) environments and proposed a new direction for security that reflects the characteristics of industrial sites. This is the first guide to systematically apply the zero-trust concept to OT environments that control national critical infrastructure such as power, transportation and energy.

Zero trust is a security model that continuously verifies all access on the assumption that the network has already been compromised. However, in OT environments, where real-time performance and availability are paramount, the existing information technology (IT)-centric zero-trust model is difficult to apply as is.

Taking these characteristics into account, the guide presents ways to apply zero trust on the premise of stable operation of OT equipment. Unlike the frequent authentication and verification methods emphasized in IT environments, it focuses on building a security framework that assumes compromise while not undermining the real-time control characteristics of industrial sites.

In the guide, KISA covers the Purdue model, which hierarchically separates IT and OT networks, and reorganizes the six core elements of Zero Trust Guidelines 2.0 to fit the domestic industrial environment. Based on this, it presents the zero-trust requirements needed in OT environments and plans to develop them into a step-by-step maturity model going forward.

The core principles of OT-specialized zero trust include: ▲ maintaining real-time performance and availability ▲ ensuring the independence of OT equipment ▲ assuming compromise across all IT and OT domains ▲ continuous monitoring. The structure is premised on the stable operation of industrial facilities while constantly considering the possibility of cyberattacks.

As major countries, including the United States, are addressing OT security as a national-level task, KISA plans to build a preemptive response system in Korea through institutional improvements and empirical research. The guide can be found in the "Laws and guidelines" menu on the knowledge platform of KISA's website.

KISA President Lee Sang-jung said, "We hope this guide will raise awareness of OT security at domestic industrial sites and serve as an opportunity to elevate the security level," adding, "Having established the need and methodology for applying zero trust tailored to OT environments, we will continue to refine the details by referring to guidance from leading countries globally."
