Travais ‘Tee’ Sookoo leverages his 25 years of experience in network security, risk management, and architecture to help businesses of all sizes, from startups to multi-nationals, improve their security posture. He has a proven track record of leading and collaborating with security teams and designing secure solutions for diverse industries.

Currently, Tee serves as a Security Engineer for Check Point, covering the Caribbean region. He advises clients on proactive risk mitigation strategies. He thrives on learning from every challenge and is always looking for ways to contribute to a strong cyber security culture within organizations.

In this informative interview, expert Travais Sookoo shares insights into why organizations need to adopt a zero trust strategy for IoT and how to do so effectively. Don’t miss this!

For our less technical readers, why would organizations want to implement zero trust for IoT systems? What is the value? What trends are you seeing?

For a moment, envision your organization as a bustling apartment building. There are tenants (users), deliveries (data), and of course, all sorts of fancy gadgets (IoT devices). In the old days, our threat prevention capabilities might have involved just a single key for the building’s front door (the network perimeter). Anyone with that key could access everything; the mailbox, deliveries, gadgets.

That’s how traditional security for some IoT systems worked. Once the key was obtained, anyone could gain access. With zero trust, instead of giving everyone the master key, the application of zero trust verifies each device and user ahead of provisioning access.

The world is getting more connected, and the number of IoT devices is exploding, meaning more potential security gaps. Organizations are realizing that zero trust is a proactive way to stay ahead of the curve and keep their data and systems safe.

Zero trust also enables organizations to satisfy many of their compliance requirements and to quickly adapt to ever-increasing industry regulations.

What challenges are organizations experiencing in implementing zero trust for IoT/OT systems?

While zero trust is a powerful security framework, the biggest hurdle I hear about is technology and personnel.

In terms of technology, the sheer number and variety of IoT devices can be overwhelming. Enforcing strong security measures with active monitoring across this diverse landscape is not an easy task.  Additionally, many of these devices lack the processing power to run security or monitoring software, thus making traditional solutions impractical.

Furthermore, scaling zero trust to manage the identities and access controls for potentially hundreds, thousands, even millions of devices can be daunting.

Perhaps the biggest challenge is that business OT systems must prioritize uptime and reliability above all else. Implementing zero trust may require downtime or potentially introduce new points of failure.  Finding ways to achieve zero trust without compromising the availability of critical systems takes some manoeuvring.

And now the people aspect: Implementing and maintaining a zero trust architecture requires specialized cyber security expertise, which many organizations may not have. The talent pool for these specialized roles can be limited, making it challenging to recruit and retain qualified personnel.

Additionally, zero trust can significantly change how people interact with OT systems. Organizations need to invest in training staff on new procedures and workflows to ensure a smooth transition.

Could you speak to the role of micro-segmentation in implementing zero trust for IoT/OT systems? How does it help limit lateral movement and reduce the attack surface?

With micro-segmentation, we create firewalls/access controls between zones, making it much harder for attackers to move around. We’re locking the doors between each room in the apartment; even if an attacker gets into the thermostat room (zone), they can’t easily access the room with our valuables (critical systems).

The fewer devices and systems that an attacker can potentially exploit, the better. Micro-segmentation reduces the overall attack surface and the potential blast radius by limiting what devices can access on the network.

Based on your research and experience, what are some best practices or lessons learned in implementing zero trust for IoT and OT systems that you can share with CISOs?

From discussions I’ve had and my research:

My top recommendation is to understand the device landscape. What are the assets you have, their purpose, how critical are they to the business? By knowing the environment, organizations can tailor zero trust policies to optimize both security and business continuity.

Don’t try to boil the ocean! Zero trust is a journey, not a destination. Start small, segmenting critical systems and data first. Learn from that experience and then expand the implementation to ensure greater success with declining margins of errors.

Legacy OT systems definitely throw a wrench into plans and can significantly slow adoption of zero trust. Explore how to integrate zero trust principles without compromising core functionalities. It might involve a mix of upgrades and workarounds.

The core principle of zero trust is granting only the minimum access required for a device or user to function (least privilege). Document who needs what and then implement granular access controls to minimize damage from a compromised device.

Continuous monitoring of network activity and device behaviour is essential to identify suspicious activity and potential breaches early on. Ensure that monitoring tools encompasses everything and your teams can expertly use it.

Automating tasks, such as device onboarding, access control enforcement, and security patching can significantly reduce the burden on security teams and improve overall efficiency.

Mandate regular review and policy updates based on new threats, business needs, and regulatory changes.

Securing IoT/OT systems also requires close collaboration between OT and IT teams. Foster teamwork, effective communications and understanding between these departments to break down silos. This cannot be stressed enough. Too often, the security team is the last to weigh in, often after it’s too late.

What role can automation play in implementing and maintaining Zero Trust for IoT/OT systems?

Zero trust relies on granting least privilege access. Automation allows us to enforce these granular controls by dynamically adjusting permissions based on device type, user role, and real-time context.

Adding new IoT devices can be a tedious process and more so if there are hundreds or thousands of these devices. However, automation can greatly streamline device discovery, initial configuration, and policy assignment tasks, thereby freeing up security teams to focus on more strategic initiatives.

Manually monitoring a complex network with numerous devices is overwhelming, but we can automate processes to continuously monitor network activity, device behaviour, and identify anomalies that might indicate a potential breach. And if a security incident occurs, we can automate tasks to isolate compromised devices, notifying security teams, and initiating remediation procedures.

Through monitoring, it’s possible to identify IoT/OT devices that require patching, which can be crucial, but also time-consuming. It’s possible to automate patch deployment with subsequent verification, and even launch rollbacks in case of unforeseen issues.

If this sounds as a sales pitch, then hopefully you’re sold. There’s no doubt that automation will significantly reduce the burden on security teams, improve the efficiency of zero trust implementation and greatly increase our overall security posture.

What metrics would you recommend for measuring the effectiveness of zero trust implementation in IoT and OT environments?

A core tenet of zero trust is limiting how attackers move between devices or otherwise engage in lateral movement. The number of attempted lateral movements detected and blocked can indicate the effectiveness of segmentation and access controls.

While some breaches are inevitable, a significant decrease in compromised devices after implementing zero trust signifies a positive impact. This metric should be tracked alongside the severity of breaches and the time it takes to identify and contain them. With zero trust, it is assumed any device or user, regardless of location, could be compromised.

The Mean Time to Detection (MTD) and Mean Time to Response (MTTR) are metrics that you can use to measure how quickly a security incident is identified and contained. Ideally, zero trust should lead to faster detection and response times, minimizing potential damage.

Zero trust policies enforces granular access controls. Tracking the number of least privilege violations (users or devices accessing unauthorized resources) can expose weaknesses in policy configuration or user behaviour and indicate areas for improvement.

Security hygiene posture goes beyond just devices. It includes factors like patch compliance rates, and the effectiveness of user access.

Remember the user experience? Tracking user satisfaction with the zero trust implementation process and ongoing security measures can help identify areas for improvement and ensure a balance between security and usability.

It’s important to remember that zero trust is a journey, not a destination. The goal is to continuously improve our security posture and make it more difficult for attackers to exploit vulnerabilities in our IoT/OT systems. Regularly review your metrics and adjust zero trust strategies as needed.

Is there anything else that you would like to share with the CyberTalk.org audience?

Absolutely! As we wrap up this conversation, I want to leave the CyberTalk.org audience with a few key takeaways concerning securing IoT and OT systems:

Zero trust is a proactive approach to security. By implementing zero trust principles, organizations can significantly reduce the risk of breaches and protect their critical infrastructure.

Don’t go it alone: Security is a team effort. Foster collaboration between IT, OT, and security teams to ensure that everyone is on the same page when it comes to adopting zero trust.

Keep learning: The cyber security landscape is constantly evolving. Stay up-to-date on the latest threats and best practices. Resources like Cybertalk.org are a fantastic place to start.

Focus on what matters: A successful zero trust implementation requires a focus on all three pillars: people, process, and technology. Security awareness training for employees, clearly defined policies and procedures, and the right security tools are all essential elements.

Help is on the way: Artificial intelligence and machine learning will play an increasingly important role in automating zero trust processes and making them even more effective.

Thank you, CyberTalk.org, for the opportunity to share my thoughts. For more zero trust insights, click here.