You Know Who’s In The Building — But Who’s In Your Network?
Over my 30 years in IT, I’ve worked in many facilities. The most interesting and challenging office buildings were the secured buildings used by critical infrastructure industries. Deploying systems within these environments meant that I always had an escort, and in the most secured facilities, all my electronics were left at the front desk, so documentation was by pen and paper, and if any software was needed, the customer had to have it beforehand. This is the model of least privileged access applied to physical security.
While many facilities apply strong physical security controls, many are still hesitant to take similar precautions with operational technology (OT) networks. Why?
Recent news stories and guidance from government agencies have exposed the poor security in much of the US’s critical infrastructure. The continuing saga of Volt Typhoon, in which the actors maintained access to some US critical infrastructure IT networks for at least five years while pre-positioning for lateral movement into OT, highlights that, because of the inherent trust model many have adopted for OT network infrastructure, once you’re through the “front door,” you can reach many places and tools you shouldn’t be able to reach.
In my research and customer discussions, many practitioners have identified remote access as a key weakness of their OT security framework: vendors and service delivery techs need to connect remotely to the OT environment to assess or manage critical components. Customers regularly find that a technician for Vendor A can access not only Vendor A’s equipment but also the equipment of Vendors B, C, and D, because their scope of access has never been limited. The same applies to common applications on endpoints within the OT infrastructure: scripting tools, remote access tools like RDP or VNC, and the built-in system binaries and scripts commonly referred to as LOLBins (living-off-the-land binaries). Unfettered access allows a malicious actor to live off the land, moving through the network with the tools already present and compromising it without dropping recognizable malware. Just as you restrict a physical visitor to authorized areas and tools, apply the same principle to your cyber visitors to narrow the scope of their access and authorization.
Let’s say you’ve replaced the solution provided by your OT vendor, or your existing VPN, with a secure service edge (SSE) solution to control the access of these service techs. That’s a great first step toward limiting the access of these known visitors, but you should go deeper and ask these five questions:
- You limited access for the remote service techs, but what about your operators? Have you ensured that they have only the access needed to perform their work?
- Can you identify all the devices on your OT network (not just a device type and model but firmware/OS, vulnerabilities, communication flows, device state, etc.)?
- Is your OT network “flat”? It’s great that you limit the visitor’s direct access to only certain devices, but if those devices sit on the same network segment as everything else, you haven’t solved the lateral movement problem: a compromised device can still reach its neighbors directly.
- What is your approach to identity in your OT network? Take our service tech: is there one shared account for all techs from Vendor A? Does each operator have their own identity within the OT network?
- Do you monitor your OT networks to look for the unknown digital visitors or other anomalies? If a background process on an engineering station is probing the network, do you get notifications?
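The last question is the one most easily turned into a concrete check. The script below is an added example, not code from the original post: it runs two detections over constructed connection records of the kind a firewall, managed switch, or passive OT sensor exports. The first flags any source that reaches an unusual number of distinct destination/port pairs inside a sliding window (a sweep spread across many hosts never looks noisy against any one of them). The second compares every connection against an allow-list of expected peers, which in a default-deny posture is enough to alert on a single unexpected flow. The host names, window, threshold, and allow-list are assumptions.

```python
"""Flag an OT host that starts probing the network.

Added example, not from the original post. The flows below are constructed
(as a firewall, managed switch, or passive OT sensor might export); the
window, threshold, host names, and allowed-peer table are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flows: (timestamp, src, dst, dport). Not real data.
SAMPLE_FLOWS = [
    ("2025-10-01T08:00:00", "ENG-WS-01", "PLC-A-01", 502),    # routine Modbus/TCP poll
    ("2025-10-01T08:00:05", "ENG-WS-01", "PLC-A-01", 502),
    ("2025-10-01T08:01:00", "HMI-02", "PLC-B-03", 44818),     # EtherNet/IP, expected
    ("2025-10-01T08:01:30", "HMI-02", "PLC-B-03", 44818),
]
# A background process on ENG-WS-01 sweeps twelve addresses on the Modbus
# port in twelve seconds: one connection per host, nothing that looks noisy
# on any single destination.
SAMPLE_FLOWS += [
    (f"2025-10-01T08:02:{i:02d}", "ENG-WS-01", f"10.10.5.{i + 1}", 502)
    for i in range(12)
]

# Assumed allow-list of which peers each station legitimately talks to.
ALLOWED_PEERS = {
    "ENG-WS-01": {"PLC-A-01"},
    "HMI-02": {"PLC-B-03"},
}


def find_probing_hosts(flows, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak} for every source that reached `threshold` or more
    distinct (dst, dport) targets inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((datetime.fromisoformat(ts), (dst, dport)))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = deque()   # (ts, target) pairs currently inside the window
        live = Counter()      # distinct targets inside the window
        peak = 0
        for ts, target in events:
            in_window.append((ts, target))
            live[target] += 1
            # Evict anything older than the window before counting.
            while ts - in_window[0][0] > window:
                _, old_target = in_window.popleft()
                live[old_target] -= 1
                if live[old_target] == 0:
                    del live[old_target]
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def unexpected_peers(flows, allowed):
    """Return {src: sorted destinations} for connections outside the
    allow-list. Under default deny a single unexpected peer is worth an
    alert, not only a burst."""
    out = defaultdict(set)
    for _, src, dst, _ in flows:
        if dst not in allowed.get(src, set()):
            out[src].add(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


if __name__ == "__main__":
    for src, peak in find_probing_hosts(SAMPLE_FLOWS).items():
        print(f"ALERT probing: {src} hit {peak} distinct targets within 60s")
    for src, dsts in unexpected_peers(SAMPLE_FLOWS, ALLOWED_PEERS).items():
        print(f"ALERT unexpected peers: {src} -> {', '.join(dsts)}")
```

In practice the allow-list comes from the asset inventory and communication-flow baseline asked about in the second question above; the sweep detector is the fallback for hosts whose baseline you do not yet have.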
Positive security, least privileged access, and default deny are core principles of Zero Trust: if it is not explicitly allowed, it should be denied. But that is just one piece of the Zero Trust model you need to implement to ensure that any user, application, or device has access only to what it needs to perform its tasks, and that if any system within your OT environment is compromised, the scope of the attack is limited.
At Forrester’s Security & Risk Summit in Austin, Texas, on November 5–7, 2025, Carlos Rivera, Peter Cerrato, and I will host a workshop on November 6 at 11 a.m. CST where we’ll talk about the practical steps you can take to apply Zero Trust principles to your OT environments.
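To make the default-deny principle concrete, here is an added example (not code from the original post) of the kind of policy evaluation an SSE broker or access gateway should perform for the vendor-technician and operator scenarios above. Every request is denied unless a rule explicitly names the role, zone, and port, a vendor technician can only reach devices from their own vendor, and shared group accounts are refused outright so that every session maps to an individual identity. The inventory, identities, ports, and rules are assumptions chosen for illustration.

```python
"""Default-deny access policy for OT remote access and operator sessions.

Added example, not from the original post. The inventory, identities,
ports, and rules are assumptions chosen to illustrate the principle; a real
deployment would take them from the asset inventory and the SSE/identity
provider.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    zone: str                 # network segment the device lives in
    services: FrozenSet[int]  # ports the device legitimately exposes


@dataclass(frozen=True)
class Identity:
    user: str
    org: str                  # vendor name, or "plant" for in-house staff
    role: str                 # "vendor-tech", "operator", "engineer"
    shared: bool = False      # True for a group account used by many people


@dataclass(frozen=True)
class Rule:
    role: str
    zones: FrozenSet[str]
    ports: FrozenSet[int]
    own_vendor_only: bool = False  # device.vendor must match identity.org


# Constructed inventory and identities (assumptions).
INVENTORY = {
    "PLC-A-01": Device("PLC-A-01", "VendorA", "cell-1", frozenset({502, 44818})),
    "PLC-B-01": Device("PLC-B-01", "VendorB", "cell-2", frozenset({502})),
    "ENG-WS-01": Device("ENG-WS-01", "plant", "engineering", frozenset({3389})),
}
IDENTITIES = {
    "alice": Identity("alice", "VendorA", "vendor-tech"),
    "vendora-support": Identity("vendora-support", "VendorA", "vendor-tech", shared=True),
    "bob": Identity("bob", "plant", "operator"),
    "carol": Identity("carol", "plant", "engineer"),
}
# Positive security: only what a rule names is reachable.
POLICY = [
    Rule("vendor-tech", frozenset({"cell-1", "cell-2"}), frozenset({502, 44818}), own_vendor_only=True),
    Rule("operator", frozenset({"cell-1"}), frozenset({502})),
    Rule("engineer", frozenset({"cell-1", "cell-2", "engineering"}), frozenset({502, 44818, 3389})),
]


def authorize(ident: Identity, device: Device, port: int, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if ident.shared:
        return False, "shared accounts are not permitted; use an individual identity"
    if port not in device.services:
        return False, f"{device.name} does not expose port {port}"
    for rule in policy:
        if rule.role != ident.role:
            continue
        if device.zone not in rule.zones or port not in rule.ports:
            continue
        if rule.own_vendor_only and device.vendor != ident.org:
            continue
        return True, f"allowed by {rule.role} rule for zone {device.zone}"
    return False, "no matching rule (default deny)"


def decide(user: str, device_name: str, port: int):
    """Look up the named identity and device and evaluate the policy."""
    return authorize(IDENTITIES[user], INVENTORY[device_name], port)


if __name__ == "__main__":
    requests = [
        ("alice", "PLC-A-01", 502),            # Vendor A tech to Vendor A PLC
        ("alice", "PLC-B-01", 502),            # Vendor A tech to Vendor B PLC
        ("vendora-support", "PLC-A-01", 502),  # shared vendor account
        ("bob", "PLC-A-01", 502),              # operator to the cell they run
        ("bob", "ENG-WS-01", 3389),            # operator trying RDP to an engineering station
        ("carol", "ENG-WS-01", 3389),          # engineer to engineering station
        ("alice", "PLC-A-01", 22),             # port the PLC does not expose
    ]
    for user, dev, port in requests:
        ok, why = decide(user, dev, port)
        print(f"{'ALLOW' if ok else 'DENY ':5} {user:>16} -> {dev}:{port}  ({why})")
```

Note the order of the checks: the identity check (no shared accounts) and the positive-security check (the device must actually expose the port) run before any rule is consulted, so a generous rule cannot accidentally open a service the device was never meant to serve. The zone field is what ties this back to the flat-network question: if every device sits in one zone, the rules collapse to role and port alone and lateral movement is back on the table.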
Forrester customers who want to dive deeper into this topic and discuss my research on applying Zero Trust principles to OT can schedule an inquiry or guidance session with me.