Matt Lamp Jan 25, 2022
3Insys’ Cross Integration Suite is a trio of products built to bridge the increasingly complex interactions between Information Technology (IT) and Operational Technology (OT). That world consists of a wide variety of applications, infrastructures, and protocols. In the electric utility world, the landscape includes applications such as outage management, SCADA, distribution management, demand management, voltage support, metering, and asset management, and devices as diverse as meters, inverters, wind turbines, generators, transformers, circuits, capacitor banks, relays, switches, and a wide variety of sensors. These devices may communicate over IP networks, over direct circuits, or via wireless networks, and may use SCADA-focused protocols such as DNP3 or IEC 60870-5. Data flows among these systems grow more complex as software becomes more critical to effective management of the grid, and as the need for data sharing grows, so must the attention paid to cyber security.
Cross Integration Suite has three key components which, used together, provide the middleware layer that simplifies the integration of these applications, a strong layer of security for these interactions, and an effective solution for managing the large volumes of data that running this environment requires. These components are the Cross System Integrator (XSI), the Cross Data Integrator (XDI), and the Cross Security Manager (XSM).
The landscape: IT, OT, and the muddy middle
Over the last few years, considerable attention has been paid to the differences between IT and OT, with particular focus on the cultural differences. Historically, the two areas were very separate, with OT staff coming from instrumentation and electrical engineering backgrounds, and IT staff coming from system administration, database administration, and programming backgrounds. Design philosophies were also very different, with IT expecting regular infusions of new technology and change, and the OT world focused on absolute reliability (once it works, don’t touch it). Over the years this divide has shrunk, driven by the introduction of IP networks to transport data, the use of computer-based applications (with their needs for updates and patching) in place of strictly mechanical controls, and, more recently, systems that must share data for more effective management, planning, and operation of the grid.
While these worlds are still widely viewed as separate (and NERC Critical Infrastructure Protection (CIP) codifies that view with its Electronic Security Perimeter, i.e., the logical border surrounding a network to which BES Cyber Systems (BCS) are connected using a routable protocol), the recognition that there is a “muddy middle” is growing. The recent Colonial Pipeline ransomware attack highlighted the issue: the OT system had to be shut down even though the attack never reached the OT systems, because operations required interaction between IT systems (billing, scheduling) and OT systems (the industrial controls over the pipeline SCADA). In the electric utility world today, and certainly tomorrow with the integration of additional renewables and the addition of EV charging loads, these boundaries are stressed by advances such as the use of meters to provide voltage feedback and “last gasp” outage signals, the tie-in with demand response automation to help balance grid operations, and automated distribution management. Use cases for data from these devices routinely need to cross the IT/OT divide.
The continued barrage of attacks on systems, and the continuing success in breaching perimeter defenses, forces us from a security perspective to abandon the notion that a solid perimeter and a solid separation between IT and OT are still feasible or desirable. Instead, the focus has to be on a security approach that assumes breaches will happen. This approach begins by discarding the assumption that system interactions can be trusted. Network segmentation matched to the identified use cases, such as that required by the PCI DSS credit card standard, was one method of limiting trust within the network. But with the increasing complexity of the data and application integration needed for the modern electrical grid, the focus now moves to implementing Zero Trust Architecture (ZTA) principles to provide the needed security.
NIST 800-207 on Zero Trust Architecture
Zero Trust Architecture has become the rage, and with good reason. Perimeter defenses alone have led to innumerable breaches of systems and data. As with any theory du jour, Zero Trust has been used to promote products, and shamelessly we will make the case that Cross Integration Suite can provide a significant foundation for a Zero Trust implementation.
But first, let’s review Zero Trust Architecture as discussed in NIST SP 800-207. At the most basic level:
“Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.”
NIST has identified key principles for Zero Trust:
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
NIST outlines three fundamental approaches to the design and implementation of Zero Trust Architecture:
ZTA Using Enhanced Identity Governance - The enhanced identity governance approach uses the identity of actors as the key component of policy creation. For this approach, enterprise resource access policies are based on identity and assigned attributes. The primary requirement for resource access is the access privileges granted to the given subject. Other factors such as the device used, asset status, and environmental factors may alter the ultimate access authorization.
ZTA Using Micro-Segmentation - An enterprise may choose to implement a ZTA by placing individual resources, or groups of resources, on a unique network segment protected by a gateway security component. In this approach, the enterprise deploys infrastructure devices to protect each resource or small group of related resources.
ZTA Using Network Infrastructure and Software Defined Perimeters - The last approach uses the network infrastructure itself to implement a ZTA, for example by using an overlay network. In this implementation, the agent and resource gateway establish a secure channel used for communication between the client and the resource.
With this background, it is time to show how Cross Integration Suite can underpin the NIST vision of a ZTA using the Enhanced Identity Governance approach.
Cross Integration Suite and the implementation of Zero Trust Architecture
The three components of Cross Integration Suite, XSM (security management), XSI (integration management), and XDI (data management), all play an important role in fulfilling the key attributes of Zero Trust Architecture.
Cross Security Manager (XSM) holds the user information, the user authorization information, and the device information. Through its APIs it can populate user and device information from existing applications and directories. XSM contains the engine that approves or denies user requests to access applications and/or data. This engine provides adaptive authentication, demanding higher levels of verification depending on the request: from simple passwords, to MFA, to specific certificates, XSM can require the appropriate credentials for every action. Its security rules engine adapts the authorization decision dynamically based on the criticality of the resource and other analytical inputs. In conjunction with XSI and XDI, the Cross Integration Suite ensures that all access to resources is session based, that every access and activity is verified as acceptable for the combination of person, device, service, and data, and that all interactions are logged to a database to assist in the identification of anomalies.
XSI, with its API management core and microservices architecture, provides the layer 7 gateway to application resources, whether IT, OT, or the muddy middle, shutting off access to the microservices that are not authorized. Beyond the security role, XSI’s microservices foundation provides plug-and-play integration irrespective of protocol and data conversion requirements, and a powerful engine for business process automation. This robotic process automation makes it simple to tie the authentication rules into the business process: each step calls out to XSM for the appropriate authentication check before it proceeds.
XDI, with its collection of databases serving in data warehouse, Elasticsearch, data mart, and operational data store roles, plays a role similar to XSI’s, with microservices to access the various data objects, confirming with XSM that access to data resources is properly authorized. XDI also serves the essential repository function of maintaining log and activity data to facilitate monitoring of the security posture of the organization. Because the system is API and microservices based, this monitoring is especially critical given the low-and-slow nature of most API attacks.
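To make the access decision described in the three preceding paragraphs concrete, here is an added illustration in Python of a policy decision point that combines identity, device posture, and resource criticality into a per-request decision with step-up authentication, a per-session grant that a layer 7 gateway re-checks on every call, and an audit trail of every decision. It is example code written for this page, not code from 3Insys or any Cross Integration Suite component; every user, device, resource, tier, and time-to-live in it is constructed for the example.

```python
"""Toy zero-trust policy decision point (PDP) and enforcement point (PEP).

Added illustration of the NIST SP 800-207 enhanced identity governance
approach: identity, device posture, and resource criticality feed a
per-request decision; the grant is a short-lived per-session token that a
layer-7 gateway re-validates on every call; every decision is logged.
All users, devices, resources, and thresholds below are constructed for
the example and are not drawn from any product.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed identity store (stands in for a directory feed).
USERS = {
    "ops.alice": {"roles": {"grid-operator"}},
    "bill.bob": {"roles": {"billing-analyst"}},
}
# Constructed device inventory with observable posture.
DEVICES = {
    "ws-ops-01": {"managed": True, "patched": True, "owner": "ops.alice"},
    "laptop-17": {"managed": True, "patched": False, "owner": "bill.bob"},
    "byod-99": {"managed": False, "patched": False, "owner": "bill.bob"},
}
# Constructed resources: criticality tier 1..3 and the roles allowed on them.
RESOURCES = {
    "api/billing/invoices": {"tier": 1, "roles": {"billing-analyst"}},
    "api/outage/last-gasp": {"tier": 2, "roles": {"grid-operator", "billing-analyst"}},
    "api/dms/capbank/switch": {"tier": 3, "roles": {"grid-operator"}},
}
# Assurance ladder: strength of the credential presented with the request.
ASSURANCE = {"password": 1, "mfa": 2, "certificate": 3}
SESSION_TTL = 300  # seconds; grants are per session, never standing

SESSIONS: dict = {}  # token -> scoped grant
AUDIT: list = []     # every decision, for posture monitoring


@dataclass
class Request:
    user: str
    device: str
    resource: str
    action: str      # "read" or "write"
    assurance: str   # credential presented: password | mfa | certificate


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up: Optional[str] = None   # stronger credential the caller must present
    session: Optional[str] = None   # per-session grant token when allowed


def _log(req: Request, d: Decision) -> Decision:
    AUDIT.append({"user": req.user, "device": req.device, "resource": req.resource,
                  "action": req.action, "allow": d.allow, "reason": d.reason})
    return d


def decide(req: Request, now: Optional[float] = None) -> Decision:
    """PDP: evaluate identity, device posture, and criticality for one request."""
    user, device, res = USERS.get(req.user), DEVICES.get(req.device), RESOURCES.get(req.resource)
    if user is None or device is None or res is None:
        return _log(req, Decision(False, "unknown subject, device, or resource"))
    # Device state is a policy input: unmanaged or mis-bound devices never get through.
    if not device["managed"]:
        return _log(req, Decision(False, "unmanaged device"))
    if device["owner"] != req.user:
        return _log(req, Decision(False, "device not bound to subject"))
    # Identity governance: the subject's role must be authorized for the resource.
    if not user["roles"] & res["roles"]:
        return _log(req, Decision(False, "role not authorized for resource"))
    # Adaptive authentication: tier 1 needs a password, tier 2+ needs MFA, a write
    # on a tier-3 (control) resource needs a certificate, and an unpatched device
    # forces at least MFA regardless of tier.
    required = min(res["tier"], ASSURANCE["mfa"])
    if req.action != "read" and res["tier"] >= 3:
        required = ASSURANCE["certificate"]
    if not device["patched"]:
        required = max(required, ASSURANCE["mfa"])
    if ASSURANCE[req.assurance] < required:
        need = next(k for k, v in ASSURANCE.items() if v == required)
        return _log(req, Decision(False, f"presented {req.assurance}, need {need}", step_up=need))
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": req.user, "resource": req.resource, "action": req.action,
                       "exp": (time.time() if now is None else now) + SESSION_TTL}
    return _log(req, Decision(True, "policy satisfied", session=token))


def gateway(token: str, resource: str, action: str, handler: Callable[[], str],
            now: Optional[float] = None) -> str:
    """PEP: layer-7 gateway that re-validates the grant before each microservice call."""
    grant = SESSIONS.get(token)
    if grant is None or (time.time() if now is None else now) > grant["exp"]:
        return "403 no valid session"
    if grant["resource"] != resource or grant["action"] != action:
        return "403 session not scoped to this resource/action"
    return handler()


if __name__ == "__main__":
    d = decide(Request("ops.alice", "ws-ops-01", "api/dms/capbank/switch", "write", "mfa"))
    print(d.allow, d.reason, d.step_up)
```

The point of the gateway function is that the grant is scoped to one resource and one action and expires on its own; a token obtained for reading outage data cannot be replayed to switch a capacitor bank, and a stale token is refused even though the caller was recently allowed. A real deployment would feed the audit list into a monitoring store rather than keep it in memory.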
Cross Integration Suite is not a complete implementation of ZTA, but it substantially supports the enhanced identity governance approach described in SP 800-207: its store of identities and devices, and its rules engine, drive the authorization of specific functions and data, acting as a web access gateway that secures access to APIs. This capability is significantly extended by the capacity of XSI and XDI to block unauthorized access in the interactions between applications, and between applications and data sources. In some settings, additional network-based security measures are appropriate. These may include data diode technology to ensure one-way data movement, a security device placed in front of IoT devices that lack native authentication capability (such as sensors, grid switches, or capacitor banks), and network micro-segmentation. Micro-segmentation can be accomplished either through ACL-based approaches (not recommended in complex environments without strong ACL auditing tools) or through Software Defined Networking. In the industrial control world, where many devices and sensors lack the inherent ability to authenticate, an overlay network (such as those from Tempered Networks and Blue Ridge Networks) provides the missing authentication, cloaking these insecure devices and denying connections from inappropriate users and devices.
Conclusion:
In Gartner’s recent hype cycle for security technology, they identified that:
“Turnkey and highly integrated solutions continue to trend upward. Smaller, less security-mature organizations are growing into new security operations requirements as they begin to become more dependent on connectivity and SaaS, and become dominated by compliance and regulatory requirements. Alongside turnkey requirements, consolidation is a key theme, with OT and IT security slowly converging. Differences in requirements are fading. Cloud access security brokers (CASB) are more frequently being associated with network security technologies such as zero trust network access (ZTNA) and SWG. Security and risk management leaders responsible for security operations should be looking to reduce overlapping capability across different technologies and become more risk-focused.”
Cross Integration Suite addresses this sweet spot by providing API access control, zero trust application access, and control over data flows, enhanced by a robust rules engine and robotic process automation tools.