{"id":97665,"date":"2021-11-08T09:00:47","date_gmt":"2021-11-08T17:00:47","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=97665"},"modified":"2023-08-10T13:59:33","modified_gmt":"2023-08-10T20:59:33","slug":"learn-how-microsoft-strengthens-iot-and-ot-security-with-zero-trust","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/08\/learn-how-microsoft-strengthens-iot-and-ot-security-with-zero-trust\/","title":{"rendered":"Learn how Microsoft strengthens IoT and OT security with Zero Trust"},"content":{"rendered":"

<p>As cyber threats grow more sophisticated and relentless, the need for Cybersecurity Awareness Month becomes more urgent every year. As part of our year-round commitment to security for all, Microsoft continues to track numerous incidents targeting both digital and physical operations for many organizations. Beyond the usual espionage and data-theft attacks aimed at IT systems, threat actors have increasingly turned their attention toward IoT devices and operational technology (OT) equipment\u2014everything from oil pipelines<sup>1<\/sup> to medical devices.<sup>2<\/sup> Malicious actors have also had success in targeting supply chains, as seen in the insidious Solorigate<sup>3<\/sup> and Kaseya<sup>4<\/sup> attacks.<\/p>\n

<p>Earlier this month, we published the 2021 Microsoft Digital Defense Report to help organizations better understand this evolving threat landscape, as well as provide guidance on securing your supply chain and IoT and OT assets. In the spirit of security for all, some highlights of these chapters are presented here for easy reference.<\/p>\n

<h2>Securing supply chains<\/h2>\n

<p>The practice of adopting multiple tools to monitor different tiers of suppliers increases complexity, which in turn increases the odds that a cyberattack can produce a significant return for your adversary. Silos can create additional problems\u2014different teams have different priorities, which may lead to different risk priorities and practices. This inconsistency can create a duplication of efforts and gaps in risk analysis. Suppliers\u2019 personnel are also a top concern. Organizations want to know who has access to their data so they can protect themselves from human liability, shadow IT, and other insider threats.<\/p>\n

<p>For supplier risk management, an always-on, automated, integrated approach is needed, but current processes aren\u2019t well-suited to the task. To secure your supply chain, it\u2019s important to have a repeatable process that will scale as your organization innovates. At Microsoft, we group our investments into nine secure supply chain (SSC) workstreams to methodically evaluate and mitigate risk in each area:<\/p>\n

<p>Figure 1: Nine areas of investment for a secure end-to-end supply chain.<\/p>\n

<p>For supply chain risk management, having integrated solutions and greater visibility into who ultimately has access to an organization’s data are top priorities. While there are many places to begin a Zero Trust journey, instituting multifactor authentication (MFA) should be your first step.<\/p>\n

<h2>From the White House<\/h2>\n

<p>On May 12, 2021, the White House issued Executive Order (EO) 14028 on Improving the Nation\u2019s Cybersecurity outlining steps for federal agencies and their technology providers to enhance supply chain security. For software providers, the EO calls for requirements to enhance resistance to attack, including secure software development practices, software verification and vulnerability checks, a software bill of materials (SBOM), a vulnerability disclosure program, and other secure practices.<\/p>\n

<p>For federal agency users of software with privileged access, EO 14028 calls for implementing security measures published by the National Institute of Standards and Technology (NIST). Microsoft has long been invested in developing best practices for secure software development, and we\u2019ve contributed to efforts to define industry-wide practices and consensus standards, including through SAFECode, ISO\/IEC, and NIST\u2019s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture project.<\/p>\n

<h2>IoT and OT security<\/h2>\n

<p>With the prevalence of cloud connectivity, IoT and OT have become another part of your network. And because IoT and OT devices are typically deployed in diverse environments\u2014from inside factories or office buildings to remote worksites or critical infrastructure\u2014they\u2019re exposed in ways that can make them easy targets. When you add in privacy concerns and regulatory compliance, it\u2019s clear that a holistic approach is needed for enabling seamless security and governance across all your devices.<\/p>\n

<p>Securing IoT solutions with a Zero Trust security model is built upon five requirements:<\/p>\n