Extending Zero Trust OT Security to Meet Air Gap Requirements

In February, we introduced Zero Trust OT Security, a new solution to help industrial organizations achieve comprehensive Zero Trust security with zero operational downtime. As part of that solution, we also announced a new service — Industrial OT Security — that delivers comprehensive visibility, risk monitoring and security for OT assets and networks. These offerings were designed to help organizations stay secure while adapting to the tremendous amount of change occurring in OT from transformation initiatives, like Industry 4.0 and smart manufacturing.

These changes include where employees and partners work, the introduction of new technologies, like 5G, and the dramatic increase in attacks on industrial facilities. The new offerings are designed to help organizations stay secure in every environment in their enterprise and work for every type of OT organization — from manufacturers and oil and gas companies, to utilities around the world. Zero Trust OT Security is designed to support a variety of OT operational considerations, such as air gaps, harsh environments and globally distributed facilities.

Many Companies Utilize Air Gaps, but Increasingly Face Challenges

Air gaps isolate mission-critical assets from other less secure networks by creating communication barriers (either physical or logical) between OT networks and IT and external networks. Today, many organizations utilize air gaps to help maintain security and safeguard their critical assets, protecting sensitive information and systems from threats, and to help them meet compliance requirements.

However, in the face of their ongoing digital transformation and increased cyberthreats, customers have told us that air gaps need to evolve. Air gaps prevent them from getting 100% visibility into their assets and usage patterns, which makes it impossible to fully deliver on the promise of Industry 4.0. Customers increasingly recognize their air gap environments are still vulnerable to sophisticated attacks, as demonstrated with the Stuxnet worm in 2010. It only takes one person with a laptop or USB drive to gain access and infect many computers and machines.

Zero Trust OT Security Now Delivers Comprehensive Security While Meeting Air Gap Requirements

When we announced Zero Trust OT Security, we noted that its early access capabilities extended to partially air-gapped architectures. Today, we are excited to announce the general availability of those capabilities. This is a significant step forward for the industry as it allows organizations that prefer using air gaps to continue meeting their regulatory and other air gap requirements. They can also leverage the power of the cloud to get the best possible security, so they can accelerate their OT transformation with confidence.

With these capabilities, organizations can deploy Industrial OT Security, utilizing a telemetry gateway. This forwards low-risk security metadata from isolated OT networks to our Industrial OT Security, cloud-delivered service, without a direct Internet connection. This means that Zero Trust OT Security can deliver the best of both worlds.

1. Best-in-class security for air gap environments — Because we can securely see and process meta-data for every asset, and can utilize cloud-based machine learning, we can identify risky behaviors and assets and automatically send alerts to help prevent zero day threats and other attacks.
2. Continue to meet air gap requirements — Through our sophisticated yet easy to set up telemetry gateway, we enable organizations to maintain a logical air gap, so they can continue to stay compliant with industry regulations and best practices. In other words, if you like your air gap, you can keep your air gap.

Together, this means that organizations can continue on their OT transformation journey with the confidence of knowing they are staying as secure as possible.

How We Extend Zero Trust OT Security to Air Gapped Environments

Our air gap deployment model is based on a core insight that is being adopted in many OT and Industrial IoT (IIoT) applications — that organizations can segment different data based on their characteristics and risk profiles. We identified two data profiles: higher-risk data (industrial asset control data) and lower-risk security metadata (security metadata generated by our security tools). We then built an architecture that safeguards the higher-risk data while forwarding a copy of the lower-risk data.

Our approach is simple in its architecture, but comprehensive in its design. It starts by leveraging cascaded Palo Alto Networks NGFWs as hardened telemetry gateways. These gateways ensure that organizations’ security telemetry data can be securely proxy forwarded to Industrial OT Security instances, operated securely in the cloud. Organizations can choose to cascade these hardened proxy gateways depending on their needs. This gives organizations the power of a hardened architecture, which ensures there are no direct and inbound internet connections between the deployed OT NGFWs and the cloud. For more details, visit How to Extend Zero Trust OT Security to Meet Air Gap Requirements.

Dedicated to Bridging Every Gap in Your Enterprise

Digital transformation is hard. Especially in OT environments where downtime is unacceptable and in critical industries where errors can be catastrophic. We are excited to provide these new capabilities that enable organizations to securely take one more step down their OT transformation path. We look forward to partnering with organizations to fill every security gap in their path, so we can all protect our digital and physical way of life.