May 4, 2023

Zero Trust Must Protect Every Part of Extended Federal Networks

If there is one thing the entire federal government agrees on, it's that Zero Trust is the best approach to stronger cybersecurity. How to achieve it is another matter. The government has developed two approaches to Zero Trust, one for the Department of Defense and another for civilian agencies, and there are important differences between them.

Today we are seeing the convergence of environments that historically were kept separate. OT, IT, IoT and IoMT assets now share the same networks, and the pattern is accelerating. While the DoD and civilian approaches require different numbers of pillars for Zero Trust, both include a Devices pillar and a Network pillar. These two pillars are critical building blocks of Zero Trust.

For accountability, every asset on the network must be clearly assigned to an owner. The need to include every asset in a Zero Trust approach is explicit in NIST Special Publication 800-207, the foundational document that defines zero trust concepts and provides a roadmap for implementing them. It states:

"A ZT approach is primarily focused on data and service protection but can and should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications and other non-human entities that request information from resources)."

It is critically important that all assets and systems are accounted for in a Zero Trust approach.

The DoD recognizes the need for this broader scope. Randy Resnick, Director of the DoD's Zero Trust Portfolio Management Office, explained in an interview this past January how devices are foundational to Zero Trust. The Device pillar, he said, is one of the first needed because Zero Trust cannot work without "fundamental sources of truth," and an "accurate inventory of devices that are allowed on the network" is a prerequisite for Zero Trust to be effective.

Unlike the DoD, CISA's Zero Trust Maturity Model focuses more on the application and the user than on the network. Those are critical pieces of the equation, but by themselves they are not enough to make Zero Trust work. This emphasis seems off target in light of CISA's own prescient Binding Operational Directive (BOD) 23-01, released on October 3, 2022.

BOD 23-01 requires all Federal Civilian Executive Branch (FCEB) agencies to perform automated asset discovery every seven days. At a minimum, that discovery must cover the entire IPv4 space used by the agency. Agencies must also initiate vulnerability enumeration across all discovered assets, including roaming devices such as laptops, every 14 days. CISA clearly recognizes the danger every device that connects to a network can pose.
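As an added example (not part of the original post and not Armis or CISA code), the following hypothetical Python checker shows what the BOD 23-01 cadence looks like when applied to an inventory: it reports any part of the agency's declared IPv4 space that no discovery run has covered in the last 7 days, and it flags assets whose vulnerability enumeration is missing or older than 14 days, or that have no assigned owner. The `DiscoveryScan` and `Asset` records, the address ranges and the dates are all constructed sample data for the illustration.

```python
"""Hypothetical BOD 23-01 cadence checker over an asset inventory (illustrative only)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DISCOVERY_MAX_AGE = timedelta(days=7)     # BOD 23-01: automated asset discovery every 7 days
ENUMERATION_MAX_AGE = timedelta(days=14)  # BOD 23-01: vulnerability enumeration every 14 days


@dataclass
class DiscoveryScan:
    network: str          # CIDR block a discovery run covered (constructed record)
    completed: datetime


@dataclass
class Asset:
    ip: str
    owner: Optional[str]                # accountability: every asset needs an owner
    last_discovered: datetime
    last_vuln_enum: Optional[datetime]  # None means never enumerated


def uncovered_ranges(agency_ranges, scans, now):
    """Return the parts of the agency's IPv4 space with no discovery run inside the 7-day window.

    Scans older than the window are ignored, so a block that was scanned nine days ago
    is reported as uncovered even though it is present in the scan history.
    """
    recent = [ipaddress.ip_network(s.network)
              for s in scans if now - s.completed <= DISCOVERY_MAX_AGE]
    remaining = [ipaddress.ip_network(r) for r in agency_ranges]
    for scanned in recent:
        still_open = []
        for net in remaining:
            if scanned.supernet_of(net):      # whole block covered (supernet_of includes equality)
                continue
            if net.supernet_of(scanned):      # scan covered part of the block: keep the rest
                still_open.extend(net.address_exclude(scanned))
            else:                             # CIDR blocks are nested or disjoint, so this one is untouched
                still_open.append(net)
        remaining = still_open
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def stale_assets(assets, now):
    """Flag inventory entries that miss the discovery cadence, the enumeration cadence, or an owner."""
    findings = []
    for a in assets:
        if now - a.last_discovered > DISCOVERY_MAX_AGE:
            findings.append((a.ip, "not seen by discovery in 7 days"))
        if a.last_vuln_enum is None or now - a.last_vuln_enum > ENUMERATION_MAX_AGE:
            findings.append((a.ip, "no vulnerability enumeration in 14 days"))
        if not a.owner:
            findings.append((a.ip, "no assigned owner"))
    return findings


# Constructed sample data for a run on 4 May 2023 (not real agency data).
NOW = datetime(2023, 5, 4, tzinfo=timezone.utc)
AGENCY_RANGES = ["10.20.0.0/16", "192.0.2.0/24"]
SCANS = [
    DiscoveryScan("10.20.0.0/17", NOW - timedelta(days=2)),
    DiscoveryScan("10.20.128.0/17", NOW - timedelta(days=9)),   # outside the 7-day window
    DiscoveryScan("192.0.2.0/24", NOW - timedelta(days=1)),
]
ASSETS = [
    Asset("10.20.1.10", "Facilities (BMS)", NOW - timedelta(days=1), NOW - timedelta(days=3)),
    Asset("10.20.130.5", None, NOW - timedelta(days=9), None),
    Asset("192.0.2.44", "Clinical Engineering", NOW - timedelta(days=1), NOW - timedelta(days=20)),
]


def report(agency_ranges=AGENCY_RANGES, scans=SCANS, assets=ASSETS, now=NOW):
    """Combine both checks into one result for the sample inventory."""
    return {"uncovered": uncovered_ranges(agency_ranges, scans, now),
            "findings": stale_assets(assets, now)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the sample data the checker reports `10.20.128.0/17` as uncovered (its only scan is nine days old) and flags the unowned asset in that block on all three counts, which is the kind of gap a weekly cadence is meant to surface before an attacker does.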

These dangers show up in recent Armis research identifying the connected medical and IoT devices most exposed to malicious activity in clinical environments. Data from the Armis Asset Intelligence and Security Platform, which tracks more than three billion assets, found nurse call systems to be the riskiest IoMT device, followed by infusion pumps and medication dispensing systems.

We found that nurse call systems are the riskiest connected medical device: 39% of them have unpatched Common Vulnerabilities and Exposures (CVEs) of critical severity, and almost half (48%) have unpatched CVEs of any severity. Among IoT devices, IP cameras in the clinical environments we monitored are the riskiest, with more than half having unpatched critical-severity CVEs (56%) and unpatched CVEs of any severity (59%).

Armis sits at the convergence of these environments: IT, OT, IoT and IoMT. Legacy security tools cannot perform asset discovery and vulnerability management across all of them; they treat each environment as an isolated network. That leaves visibility gaps that keep agencies from understanding their true and complete cybersecurity posture, and attackers do not respect those boundaries: ransomware campaigns and Log4j exploitation are both examples of successful attacks that crossed these environments. Over 90 percent of the assets on a network are unmanaged and cannot be seen or protected by traditional IT security tools. This lack of visibility threatens to undercut the effectiveness of Zero Trust before agencies even get there. It is imperative that emerging Zero Trust frameworks adopt a broad definition of the network that closes this visibility gap and builds on a solid foundation for better cybersecurity.
