Session Abstract: Operational technology (OT) encompasses systems that manage physical processes, including critical infrastructure. Historically, these systems have operated almost entirely separate from traditional IT business systems in order to meet OT-specific requirements to protect the physical processes. Many of these systems have not yet benefited from the advances in IAM capabilities. The increasing use of remote access and public internet for data transport within these systems, coupled with increasing employee churn and third-party support, has created a threat environment where OT systems are attacked through insiders, remote account takeover, data injection, and even hardware and software supply chain compromises (e.g., the 2020 SolarWinds attacks).
The traditional OT “zones and conduit” architecture (IEC 62443) for securing OT systems is no longer sufficient. Standard practices need to leverage identity standards and protocols in order to apply zero trust architecture principles to OT systems design and improve their real-time, dynamic security posture.
This presentation will review the current state of OT systems standards and introduce ideas on how we could incorporate modern identity standards and protocols into the best practices for new OT designs.