Zero Trust in operational technology environments

31 January 2022

Remote access and cybersecurity are already part of everyday life on the IT side. In industrial production and development environments, too, various jobs can and should be done remotely. Together, Siemens and Zscaler have tackled this issue to bring secure and demand-based remote access to the operational technology (OT) environment – combining perimeter-based cell protection with flexible Zero Trust principles.

It was only a matter of time before remote operation would be demanded by those working in OT environments. The pandemic has further increased the desire of many process and plant operators for more flexible and secure access options from the outside, beyond traditional remote maintenance. Siemens and Zscaler, a provider of a cloud-based security platform, have teamed up to help industrial organisations achieve the goal of remote, but secure, OT access.

Not all networks are the same
Heterogeneous industrial communication networks, which have often grown over years, have completely different requirements than pure IT solutions. For example, data in the production environment must be communicated frequently and deterministically, often in real time. In addition, safety functions must often be implemented at the same time, and maximum availability and know-how protection need to be ensured. Furthermore, older components sometimes communicate completely openly and unencrypted.

To fend off cyberattacks, protection concepts tailored to the industry have been developed, such as the ‘Defense in Depth’ concept – nested defense in line with IEC 62443. Here, network security is based on an individual risk assessment and segmented networks with production cells separately protected by their own firewalls. In such a perimeter-based network, communication from/to the office network or the Internet runs through a demilitarised zone (DMZ) or special rendezvous servers and jump hosts.

In office networks – with countless, mostly newer devices and constant changes – it is usual to establish a protection concept in which quite simply no participant is trusted (‘never trust, always verify’). This approach, known as ‘Zero Trust’, requires that all network participants – users and devices – always prove their identity and integrity before communication with the desired target resource is established. Many existing automation components and network infrastructures are not equipped to handle this, which is why the flexible, easy-to-use Zero Trust concept cannot be fully transferred or extended to industrial networks without adjustments.

Convergent solutions
To promote the integration of OT and IT, Siemens and Zscaler have bundled their competencies for an end-to-end Zero Trust OT/IT security approach. The local processing platform SCALANCE LPE (local processing engine) from Siemens serves as hardware in the harsh production environment, directly at or even inside the production cells. Its core task is to collect data and preprocess it close to the process. For this, the device is simply integrated via Ethernet into an existing cell network secured by a firewall.

With its open Linux-based operating system and CPU, the local processing platform can be employed for the secure, reliable operation of additional applications. In this case, that application is the app connector of the Zscaler Private Access (ZPA) cloud-based remote access service, which can be quickly and easily installed as a Docker container. Using the Zscaler app connector, each SCALANCE LPE can be initially added to and configured in the Zero Trust Exchange cloud platform. It then acts as a Zero Trust gateway for its cell, which is considered intrinsically trustworthy. The Zero Trust Exchange platform maintains all rule sets required for access and provides the interfaces for various identity providers. It only grants uniquely identified and authorised participants access to the resources enabled for them.
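The access decision described above, as an added illustrative model (not Siemens or Zscaler code): the broker only brokers a session when the identity provider has verified the user, the device is enrolled, a connector has registered for the target cell, and the target is explicitly enabled for one of the user's groups. Cell, group, device and target names are constructed.

```python
"""Constructed model of a per-cell Zero Trust access decision (not ZPA's own logic)."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    idp_verified: bool   # identity provider asserted this user (e.g. MFA completed)
    device_id: str
    cell: str            # production cell the target lives in
    target: str          # "host:port" inside that cell


@dataclass
class Broker:
    connectors: set = field(default_factory=set)        # cells whose connector has registered (outbound)
    enrolled_devices: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)          # user -> set of groups
    policy: dict = field(default_factory=dict)          # (group, cell) -> set of enabled targets
    log: list = field(default_factory=list)             # decision log for monitoring

    def decide(self, req: AccessRequest) -> bool:
        """Default deny: every check must pass, and every failure is recorded."""
        reasons = []
        if not req.idp_verified:
            reasons.append("identity not verified")
        if req.device_id not in self.enrolled_devices:
            reasons.append("device not enrolled")
        if req.cell not in self.connectors:
            reasons.append("no connector for cell")   # nothing could proxy the session
        allowed = set()
        for group in self.groups.get(req.user, set()):
            allowed |= self.policy.get((group, req.cell), set())
        if req.target not in allowed:
            reasons.append("target not enabled for user")
        ok = not reasons
        self.log.append((req.user, req.cell, req.target,
                         "ALLOW" if ok else "DENY: " + "; ".join(reasons)))
        return ok


def demo_broker() -> Broker:
    """Constructed sample tenant: one cell with a registered connector, one engineer."""
    return Broker(connectors={"cell-A"}, enrolled_devices={"laptop-17"},
                  groups={"alice": {"plc-engineers"}},
                  policy={("plc-engineers", "cell-A"): {"plc1:102", "hmi1:443"}})
```

Because the decision is made per target rather than per network, a user enabled for the HMI web interface gets no path to the PLC's other ports, even though both sit in the same trusted cell.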

In this way, company-wide managed users can remotely access local production or development systems in a flexible, demand-based and secure way, without exposing these systems to an increased threat potential.

Thanks to specific authorisation concepts, the special requirements of real-time or safety applications, as well as those of availability and know-how protection, can be met without having to change the architecture of the industrial network.

Central management in the Zero Trust Exchange platform and exclusively outgoing connections reduce the number of existing firewall rules and therefore the cost of administration and monitoring. Although additional connections are set up for the interaction of OT and IT, firewall rule sets can be configured more restrictively.

The Siemens and Zscaler collaboration was preceded by a large-scale test with several hundred thousand Zscaler participants in the Siemens IT network. On the same basis, various projects in the areas of development and quality assurance were successfully implemented in Siemens' own production networks.

It is now important to define further suitable applications in the production and development environments and to implement specific solutions for them. The focus is initially on companies that already rely on the Zscaler platform for IT and on network technology from Siemens for production. In such environments the new collaborative approach can be implemented without much effort or fundamental changes to the network infrastructure. 

This enables organisations to realise convergent corporate networks with uniform IT/OT security guidelines for their office and production networks, and ultimately higher cybersecurity, flexibility, and efficiency when it comes to mobile working in production and development.

The special framework conditions of industrial communication speak for implementing Zscaler and Zero Trust principles as an add-on to previous concepts, in order to act more flexibly and dynamically. The Defense in Depth concept therefore remains in place and will be expanded to include Zero Trust functionalities for network security. Classic VPN-based remote access and the associated management platform will also continue to exist and be further developed in the future.

Depending on the industry, application, or company policy, both concepts offer advantages. In the long term, end-to-end Zero Trust concepts will not only reduce operating costs, but also contribute to greater cybersecurity in the production environment. 
