Professional Documents
Culture Documents
Whitepaper Iec62443andzerotrust en
Whitepaper Iec62443andzerotrust en
Challenges lead to opportunities moats and walls representing firewalls and network
segments – it is much more. With Defense in Depth,
Unfortunately, there are some major differences many versatile measures are described. Holistic
between OT and IT, which are preventing the roll-out security requires guidelines and policies, in addition
of application-specific, Zero Trust network access to physical perimeter protection, such as simple
– down to every single end device. It needs to be fences and video surveillance, and even integrity
considered that OT environments often rely protection mechanisms of used devices. Therefore,
on devices that have been operating for several Defense in Depth does not mean to add a second
decades and cannot be easily replaced. These ‘legacy’ or third lock to an entrance door, but rather to add
devices were designed in times where nearly no one different measures such as motion detectors or video
considered any cyber threats. But even some more surveillance to prevent a burglar to enter a house.
modern devices lack security functions like encryp- This lock analogy strongly reflects the perimeter-
tion capabilities, integrity protection or providing based protection concepts, which are less powerful
their unique identities for any authentication than a Zero Trust Network Access. It's critical to figure
purposes, which is an important prerequisite for out how to utilize the advantages of Zero Trust in OT
Zero Trust. while eliminating the gaps of perimeter-based
defense. The benefit of an untrusted enterprise
With IEC 62443, a standard was written addressing all
network comprising IT and OT with authorized and
specific requirements of an industrial control system.
verified accesses are clearly obvious – higher security
Even if the IEC 62443 does not reflect the principles
postures and only one single management system.
of Zero Trust – the concept was simply not yet
defined when the standard was written – and even However, some challenges must still be overcome
if it is based on the traditional Defense in Depth to combine IEC 62443 and Zero Trust network access.
concepts, it is not outdated. The core principles of a There are several restrictions in IEC 62443 and OT
layered Defense in Depth architecture are not just architectures, preventing the replacement of network
cells and firewalls with Zero Trust. One area that it In conclusion, the major challenges
is at odds with the IEC62443, however, concerns can be summarized as follows:
network segmentation and the restriction of data – N
etwork segmentation according to
flows. Part 2-1 of the mentioned standard, which security levels
requires the establishment of a security program for – P
rotection of zone boundaries and
automation control systems, demands a segmented restriction of data flows
network architecture as well as a segmentation or – Separation of IT and OT networks
even isolation of critical parts of the control systems. – Isolation of critical network segments
To do so, the standard refers to so-called ‘barrier
devices’ that are employed to block non-essential
communication. These requirements are additionally Besides these challenges, there are also some require-
reflected in part 3-3 demanding a system security ments for which a Zero Trust based solution would be
architecture for industrial communication networks. predestined. User access and user authentication are
requirements also described in IEC 62443-2-1 and 3-3,
A network segmentation is also demanded with the
which challenges every perimeter-based security
fifth foundational requirement addressing the restric-
architecture – especially for remote users. Depending
tion of data flows. Depending on the target security
on the target security levels, these requirements
level which shall be achieved, a different set of
comprise an authentication of all users before a
requirements needs to be fulfilled. This includes,
system can be used, re-authentication, full logging
amongst others, physical and logical isolation of
of access attempts and also authentication for a
critical network segments, protection of zone boun-
so-called ‘task-to-task communication’. Even if the
daries as well as separation of production networks
mentioned requirements are speaking both for and
and non-control networks, such as the office environ-
against a Zero Trust solution, it is obvious that there
ment. If these requirements
are many advantages for network operators and
are fulfilled, the OT-specific requirements such
users if Zero Trust can be applied for OT environ-
as ensuring safety and determinism can also be
ments as well.
fulfilled.
Combined strength of Siemens and Zscaler Depending on the intended operational environment
and intended use, an additional device, Siemens
As a result, Siemens is taking the approach that Zero
SCALANCE LPE, will be attached to the barrier device
Trust Network Access is a fundamental component of
protecting the target network cell. It is recommended
an industrial network following the Defense in Depth
to use a firewall to protect the network segment to
strategy supported by Zscaler Zero Trust Exchange.
create a specific subnet for the SCALANCE LPE, a
With Zero Trust gateways like the Siemens local
kind of micro-DMZ (demilitarized zone). With the
processing engine SCALANCE LPE – which runs
Zscaler App Connector hosted on the SCALANCE LPE
Zscaler App Connectors in docker container format
device, an outbound tunnel connection on port 443
directly at the cell networks and next to existing cell
can be established to one of the Zscaler Service
firewalls – a feasible concept can be established. This
Edges. This may be located on-premise or in a cloud
enables factories to bring IT and OT closer together
infrastructure, depending on the IEC 62443 security
with the assurance of Zero Trust connectivity while
assessment.
preventing the bad guys from getting to the OT side.
It thereby also enables factories to deprecate VPNs
at this layer, reducing cost and complexity, adding
agility and reducing risk.
Step 1:
defining access
At the end of the day, it is important to understand
In a first step, the intended use of the solution
that IEC 62443 always follows a risk-based approach
needs to be defined to specify the scope and
and there is always a residual risk that needs to be
architecture of the Zero Trust solution. As part
accepted by an asset owner or network operator.
of this step, it must be defined which users
It also means that a specific solution may fit for some
shall have access to the necessary assets to
production networks while others require a different
perform their dedicated task. Depending on
solution. To be compliant to IEC 62443, several
the potential impact concerning health, safety
factors must fit together – it’s necessary to have a
and environment, the IEC 62443 recommends
security system comprising different technologies
assigning appropriate user rights, following the
but also a security program comprising trainings and
principles of least privileges, to perform specific
organizational measures. Therefore, it is not possible
tasks. For critical production environments and
to state that a certain solution is always compliant
segments, it may be necessary to prevent any
to IEC 62443, but the solution can support in esta-
controlling activities and to authorize only
blishing a compliant security system and program.
monitoring capabilities. For other areas, it may
A suitable approach to demonstrate conformity
be allowed to actively control certain function-
of the Siemens Zero Trust Solution with IEC 62443
alities remotely. Moreover, the required
offered as part of the Siemens-Zscaler partnership
strength of authentication needs to be consid-
is described in the following.
ered in this step, which is often part of a secu-
rity assessment – the best case multi factor
authentification.
Step 2:
specifying the environment
must be described. For a simplified consider- the availability of systems and assets can be
ation, it will be assumed that the target envi- ensured even if there are peak loads, miscon-
ronment follows the recommendations of IEC figurations or security issues in other network
62443 and that a classical perimeter-based segments, such as the backbone network. The
network concept – comprised of perimeter and remote access to a specific application running
network cells – has been established. Addi- in one of the identified target network cells will
tionally, the target security levels must then be realized by Zscaler Zero Trust Exchange.
be assessed and all required operational
measures maintained. Under this condition,
the Zscaler Zero Trust Exchange comprising As stated above, the Zscaler Zero Trust Exchange will
its infrastructural component called App be considered a separate zone, meaning that there
Connector is considered a separate security is still the requirement of controlling and restricting
zone and added to the target environment. the data flow to the target application hosted in the
App Connectors are lightweight containers connected network cell. This can be achieved by
located in front of private applications deployed some specific inbound firewall rules controlling the
at the edge of the network cells. They traffic between the Zscaler App Connector and the
broker security connectivity between target connector. With this approach, it is possible
an authorized user and a named app with to segment networks according to security levels
an inside-out connection, which therefore and protect zone boundaries to restrict data flow
doesn’t expose application to the internet. at a zone boundary while granting access to specific
applications on demand. Depending on the results
of the risk assessment, it would also be possible to
Step 3: isolate mission critical network segments and to
choosing a system concept prevent lateral movement between the connected
network segments.
In a third and final step, an architectural system
concept must be chosen to fulfil the technical To sum up, current objective is not to replace existing
requirements of IEC 62443 and to realize the perimeter-based security concepts, established by
defined demands of the previous steps. To firewall or by other means based on overlay technolo-
enable compliance with IEC 62443, it is strongly gies, but rather to enrich it with Zero Trust principles
recommended to stick to the classical perime- and to evolve it over the coming years.
ter-based security concepts for OT. In doing so,
Office Zscaler Zero
Network Trust Exchange
Industrial
Backbone
In the following, we
Industrial Data Center / DMZ
Factory hall