Why Is Zero Trust Vital for Industrial Cyber Defense?

Dive into the world of industrial cybersecurity with Malik Haidar, a seasoned expert who has spent years safeguarding multinational corporations from sophisticated cyber threats. With a sharp focus on analytics, intelligence, and security, Malik brings a unique perspective by blending business needs with cutting-edge cybersecurity strategies. In this interview, we explore the critical role of Zero Trust architecture in protecting operational technology (OT) environments, the challenges of implementation in industrial settings, the benefits it offers amidst growing digitization, and how it aligns with key industry standards. Malik also sheds light on practical solutions and strategies for building cyber resilience in critical sectors like energy and manufacturing.

How would you describe Zero Trust in the context of industrial systems, and why is it becoming so essential today?

Zero Trust in industrial systems is all about assuming that no one and nothing can be trusted by default, whether they’re inside or outside your network. It’s a mindset shift from the old “castle and moat” approach to a model where every user, device, and connection must prove its legitimacy before gaining access. In industries like energy or manufacturing, where operational technology controls critical processes, a single breach can lead to catastrophic downtime or safety risks. Today, with increasing connectivity and sophisticated threats, Zero Trust is essential because it minimizes the risk of attacks spreading and ensures that even if someone gets in, they can’t move freely through the system.

What sets Zero Trust apart from traditional security methods like perimeter defenses in industrial environments?

Traditional security methods, like perimeter defenses or air gaps, focus on building a strong outer wall—think of it as locking the front door and hoping no one gets inside. But once someone breaches that wall, they often have free rein. Zero Trust, on the other hand, operates on the principle of constant verification at every step. In industrial settings, where OT networks are often flat and sprawling, Zero Trust creates smaller, controlled segments. This means even if an attacker gets past the perimeter, they’re boxed in and can’t easily access critical systems or cause widespread damage.

Can you break down the “never trust, always verify” concept for someone new to OT security?

Absolutely. “Never trust, always verify” means that no matter who or what is trying to access your system—whether it’s an employee, a contractor, or a device—you don’t automatically assume they’re safe. In an OT environment, this could mean that a maintenance technician connecting to a control system has to authenticate their identity, prove their device is secure, and only get access to the specific equipment they need to work on. It’s like checking ID at every door in a building, not just the entrance, to make sure only the right people get to the right places.

What are some of the toughest challenges in rolling out Zero Trust in industrial settings, especially with a “deny by default” approach?

One of the biggest challenges is the “deny by default” policy itself. In industrial environments, operations can’t afford downtime, so blocking access until explicit permissions are set up requires incredible precision. You need to know exactly who needs access to what and when, which is tough when OT networks often have thousands of devices and legacy systems that weren’t designed for this level of scrutiny. Misconfigure a policy, and you could halt production. Plus, getting buy-in from OT teams, who prioritize uptime over security, adds another layer of difficulty.

How does the lack of a real-time asset inventory impact Zero Trust implementation in these environments?

Without a real-time inventory, implementing Zero Trust is like trying to secure a building without knowing how many rooms or doors it has. In industrial settings, OT networks often grow organically over decades, with devices added or removed without proper documentation. If you don’t know what assets you have or how they communicate, you can’t create effective access policies. This can lead to either overly restrictive rules that disrupt operations or gaps that leave vulnerabilities wide open. A dynamic, up-to-date inventory is the foundation for making Zero Trust work without breaking the system.

Why is remote access such a pain point for OT networks when adopting Zero Trust compared to traditional VPNs?

Traditional VPNs are like giving someone a key to the entire building—they get broad access to the network, and then you have to layer on extra tools to limit where they can go. In OT networks, this is a nightmare because you’re dealing with critical systems where one wrong move can cause major issues. Zero Trust for remote access focuses on granular control—think temporary, specific access to a single machine based on who you are. The challenge is managing this at scale with constantly changing users and assets, something VPNs just aren’t built to handle efficiently in industrial contexts.
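The last four answers describe one mechanism from several angles: a technician's request is checked against identity, device posture and a known asset, access is "deny by default", the inventory is what the policy is written against, and remote grants are temporary and scoped to one machine. The following Python is an added illustration of that mechanism written for this page; it is not code from the interview or from any product Malik Haidar discusses. Asset names, zone names, posture claim names and the subjects are constructed, and the inventory is a plain dictionary standing in for whatever real-time inventory an OT site actually maintains.

```python
"""Deny-by-default remote-access check for an OT network (added illustration).

A request is denied unless: the target asset is in the inventory, the protocol
is one the inventory permits on that asset, the connecting device presents the
required posture claims, and an unexpired grant exists for exactly this
subject, asset and protocol. Every name and record below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed asset inventory. An asset missing from this table can never be
# reached, which is why a stale inventory turns straight into an outage.
INVENTORY = {
    "plc-line3-01": {"zone": "cell-line3", "protocols": {"modbus-tcp"}},
    "hmi-line3-01": {"zone": "cell-line3", "protocols": {"rdp"}},
    "eng-ws-01": {"zone": "engineering", "protocols": {"ssh"}},
}

# Posture claims the connecting device must present (assumed claim names).
REQUIRED_POSTURE = frozenset({"disk_encrypted", "edr_running"})


@dataclass(frozen=True)
class Grant:
    subject: str
    asset: str
    protocol: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Request:
    subject: str
    asset: str
    protocol: str
    device_posture: frozenset
    at: datetime


def issue_grant(subject, asset, protocol, minutes, now, inventory=INVENTORY):
    """Create a short-lived grant for one subject, one asset, one protocol.

    Refuses to issue anything the inventory does not know about, so a grant
    can never be broader than what the inventory says exists.
    """
    entry = inventory.get(asset)
    if entry is None:
        raise ValueError(f"{asset!r} is not in the inventory")
    if protocol not in entry["protocols"]:
        raise ValueError(f"{protocol!r} is not permitted on {asset!r}")
    return Grant(subject, asset, protocol, now, now + timedelta(minutes=minutes))


def evaluate(req, grants, inventory=INVENTORY):
    """Return (allowed, reason). The final fallthrough is an explicit deny."""
    entry = inventory.get(req.asset)
    if entry is None:
        return False, "unknown asset: not in inventory"
    if req.protocol not in entry["protocols"]:
        return False, "protocol not permitted on this asset"
    missing = REQUIRED_POSTURE - req.device_posture
    if missing:
        return False, "device posture missing: " + ", ".join(sorted(missing))
    for g in grants:
        if (g.subject, g.asset, g.protocol) != (req.subject, req.asset, req.protocol):
            continue
        if g.not_before <= req.at < g.not_after:
            return True, f"active grant until {g.not_after.isoformat()}"
        # An expired or not-yet-valid grant does not count; keep looking.
    return False, "no active grant for this subject/asset/protocol (deny by default)"


def demo():
    """Run constructed requests against one one-hour grant; returns name -> result."""
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    soon = now + timedelta(minutes=10)
    good = frozenset({"disk_encrypted", "edr_running"})
    grants = [issue_grant("tech.alice", "plc-line3-01", "modbus-tcp", 60, now)]
    cases = {
        "alice_in_window": Request("tech.alice", "plc-line3-01", "modbus-tcp", good, soon),
        "alice_expired": Request("tech.alice", "plc-line3-01", "modbus-tcp", good,
                                 now + timedelta(minutes=61)),
        # Same technician trying to pivot to the HMI next to the PLC she was granted.
        "alice_lateral_hmi": Request("tech.alice", "hmi-line3-01", "rdp", good, soon),
        "alice_bad_posture": Request("tech.alice", "plc-line3-01", "modbus-tcp",
                                     frozenset({"disk_encrypted"}), soon),
        "unknown_asset": Request("tech.alice", "plc-line7-01", "modbus-tcp", good, soon),
        "bob_no_grant": Request("tech.bob", "plc-line3-01", "modbus-tcp", good, soon),
    }
    return {name: evaluate(r, grants) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Two things worth noticing when running it. The lateral-movement case is denied not by any rule that mentions the HMI, but by the absence of a grant for it; that absence is the whole point of deny by default. And the unknown-asset case shows the inventory problem from the answer above in miniature: if a real PLC on line 7 exists but was never recorded, a legitimate technician is blocked until someone fixes the inventory, which is exactly the outage risk the "deny by default" approach carries.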

How does Zero Trust help shrink the attack surface in industrial networks, and can you tie this to a real-world incident?

Zero Trust reduces the attack surface by limiting access to only what’s necessary and segmenting the network into smaller, isolated zones. If an attacker gets in, they’re stuck in a tiny box instead of having the run of the place. Take the 2021 Colonial Pipeline attack as an example—once the attackers got into the system, they moved laterally and disrupted fuel operations across a huge region. With Zero Trust, that lateral movement could have been stopped or slowed down significantly because the attacker wouldn’t have had easy access to other parts of the network, minimizing the damage and downtime.

In what ways does Zero Trust support industries as they embrace digitization and industrial AI?

As industries digitize and adopt industrial AI, they’re connecting more devices and systems to the internet, which expands their risk profile. Zero Trust provides a framework to secure these new connections by enforcing strict access controls and continuous monitoring. For instance, AI systems often need to pull data from multiple sources—Zero Trust ensures that only authorized systems can interact, preventing data leaks or tampering. It’s about enabling innovation without sacrificing security, allowing industries to modernize confidently.

How does Zero Trust align with guidance from the U.S. Cybersecurity and Infrastructure Security Agency for OT environments?

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, strongly advocates for Zero Trust in OT environments, particularly through micro-segmentation. Their guidance emphasizes breaking down networks into smaller, manageable segments to limit the spread of an attack. They also stress the importance of having a detailed asset inventory to know what you’re protecting and how it communicates. Zero Trust fits perfectly with this by ensuring continuous verification and granular control, helping organizations improve their security posture while meeting CISA’s recommendations.

What’s your forecast for the future of Zero Trust in industrial cybersecurity over the next few years?

I see Zero Trust becoming the backbone of industrial cybersecurity in the next few years, driven by the rise in cyber threats and regulatory pressures. As more industries digitize, the need for robust, scalable security models like Zero Trust will only grow. I expect we’ll see better tools for asset visibility and policy management tailored for OT environments, making implementation smoother. Collaboration between IT and OT teams will also become non-negotiable. Ultimately, Zero Trust won’t just be a nice-to-have—it’ll be a fundamental requirement for staying resilient in an increasingly connected world.
