A best practice in Industral Automation Control System Cyber Security is Zones and Conduits. These are complex to implement without strong identity and an identity-based firewall. Merging the best practices of a Zero-Trust Network Architecture with the ISA/IEC-62443 Zones and Conduits model improves security due to simpler implementation and greater control and audit.
Four key principles need addressing:
- Least Privilege (which means per-user identity and multi-factor)
- Defense In Depth (which means controlling lateral traversal and blast radius)
- Risk Analysis (understanding the downside)
- Compensating Security (the great list of workarounds)
The ISA/IEC 62443 standard has a conceptual architecture of zones and conduits. In theory easy to understand, in practice hard to implement.
An identity-based zero-trust network architecturecan bridge the gap of theory and practice.
Vendor single-sign-in, per person, no shared accounts. No VPN’s True micro-segmentation.