How to Extend Zero Trust OT Security to Meet Air Gap Requirements

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L2 Linker

How to Extend Zero Trust OT Security to Meet Air Gap Requirements.png

 

Today we are excited to announce the general availability of the capability to extend our Zero Trust OT Security solution to air gapped environments. As part of that solution, our cloud-delivered service — Industrial OT Security — delivers comprehensive visibility, risk monitoring and security for OT assets and networks.  This is a significant step forward for the industry as it allows customers that prefer to use air gaps to continue meeting their regulatory and other cyber security requirements. They can also leverage the power of the cloud to get the best possible security so they can accelerate their OT digital transformations with confidence.  

 

With these new capabilities, organizations can deploy Industrial OT Security utilizing a telemetry gateway. This forwards low-risk security telemetry data, such as Enhanced Application Logs (EAL), from isolated OT networks, to Industrial OT Security, our cloud-delivered service that delivers comprehensive visibility, risk monitoring and security for OT assets and networks. This process is all completed without a direct Internet connection to OT NGFWs, meaning that Zero Trust OT Security can deliver the best of both worlds.

 

  1. Best in Class Security for air gap environments — Because the telemetry gateway securely sends network logs from isolated OT NGFWs to Industrial OT Security we can utilize cloud-scale machine learning to classify every asset across your networks, identify risky behaviors and assets and automatically send real-time alerts to help prevent zero day threats and other attacks.
  2. Continue to meet Air Gap requirements — Through our sophisticated yet easy to set up telemetry gateway, we enable customers to maintain a logical air gap around their OT network, so they can continue to stay compliant with industry regulations and best practices. In other words, if you like your air gap, you can keep your air gap.

 

In this blog post we want to dive a little deeper on how these capabilities work. 

 

How it Works

 

Most customers we talk to who are looking to extend Zero Trust OT Security to their air gap environments want to realize the benefits of cloud based cyber security solutions to enable real-time and enterprise wide experiences and visibility. Real-time security in OT networks requires real-time streaming of security telemetry data to our Industrial OT Security and Advanced Threat Prevention security services.  We provide a secure telemetry data streaming architecture to deliver NGFW security telemetry data, such as EAL logs, to our security cloud services from air-gapped OT environments without direct Internet connections. 

 

unnamed (5).png

The Palo Alto Networks NGFWs deployed in the OT environment send security telemetry data to one or more cascaded telemetry gateways. These telemetry gateways are a single path of egress out of the OT network and forward the required logs to Palo Alto Networks’ cloud security solutions such as Industrial OT Security. Cloud delivered security solutions from Palo Alto Networks utilize cloud scale compute to power AI/ML models  enabling secure OT asset discovery, identification, risk and behavior insights, and advanced threat detections; this is something that cannot be done cost effectively with on-premise solutions. Customers can leverage existing iDMZ and IT NGFWs or deploy purpose-built NGFWs as telemetry gateways. 

 

Here are some key takeaways of Industrial OT Security capabilities and how we ensure a secure stack is being delivered:  

 

  • OT Asset visibility, risk and behavior insights, and advanced threat detection for air gapped OT networks
  • Device-ID and App-ID driven policy recommendations and enforcement for least privilege micro-segmentation of OT networks
  • Hardened telemetry gateways to secure data flows from OT networks
  • Secure and encrypted transmission of OT network telemetry to cloud using outbound mTLS connection
  • Cloud environments and physical data centers used by Industrial OT Security in the processing and storage of network telemetry have achieved SOC 2 Type II Plus certification (FedRAMP Moderate environments also available)

 

The telemetry gateways are hardened Palo Alto Network NGFWs that have already been certified in OT and IT environments, and are familiar to network security teams. Security policies typically implemented by NGFWs can be leveraged to control and secure the traffic traversing through the telemetry gateway. Common examples of these security measures are zone and Device-ID based policies, security profiles for threat prevention and URL filtering. Additionally, telemetry gateways  eliminate direct, inbound Internet connections to the OT NGFW. Customers can increase the depth of their logical OT air gap between OT and IT networks by implementing cascading OT and IT gateways to provide further segmentation of control and ensure that no inbound traffic hits the OT telemetry gateway.  

 

The telemetry gateway allows secure outbound mTLS connections between the OT NGFWs and the Industrial OT Security cloud without any need for decryption while allowing OT NGFWs to get Device-ID policies and device verdicts from Industrial OT Security. This allows customers to maintain a logical air gap between their OT network and other external or IT networks to adhere to strict OT compliance requirements all while realizing the benefits of cloud scale cyber security solutions. NGFW functions such as policy enforcement, threat detection and prevention will continue to operate even if the upstream telemetry connection goes down.

 

Industrial OT Security receives security logs from the telemetry gateways where that data is processed and stored in a region of the customer’s choosing (e.g. US-West, UK, Singapore, etc.). Any data stored on, or processed by Palo Alto Networks systems is secured with rigorous technical and organizational security controls. Palo Alto Networks has achieved SOC 2 Type II Plus certification for IoT/OT Security to demonstrate its strong security policies and internal controls. For more information please see the IoT/OT Security Privacy Data Sheet.

 

System Requirements

 

Telemetry gateways require 4th generation NGFW (PA-1400 series, PA-3400 series, vm-300, vm-500, vm-700) running PAN-OS version 11.0.1-h2 or later and a web proxy license.

 

Prerequisites for installing the Industrial OT Security subscription on OT NGFWs can be found HERE.

 

Learn more

 

We hope you find the new deployment model for air gap capabilities using a telemetry gateway helpful! We are glad our customers can now extend Zero Trust Security capabilities to meet their air gap requirements.

To learn more, check out our Zero Trust OT Security and Industrial OT Security pages. You can contact us here

As always, we welcome all comments and feedback in the comments section below.

1 Comment
  • 5399 Views
  • 1 comments
  • 3 Likes
Register or Sign-in
Labels