One of the benefits of spending stupid amounts of money on pro subscriptions to a handful of GenAI tools is that I can pit them against each other when I’m doing a thing, and then take the best bits from each of them and combine them in the thing’s final product.
This week’s thing was asking 2.5 GenAI tools about architecture for implementing zero trust in OT environments. For anyone not familiar with the term, OT is operational technology, and OT environments are those found in places like manufacturing and oil and gas facilities and power plants.
I say 2.5 tools because I asked Claude and I asked two different OpenAI models - ChatGPT 4o and o1. All three offered reasonable responses, but o1 and Claude were better than ChatGPT 4o - so I’ll talk about their responses here.
The network diagram above is part of Claude’s response, and I think it’s pretty good. Claude’s outline of key components in the design seems solid too:
Key Components:
Access Control Layer
  - Privileged Access Management (PAM) system as the central access control point
  - Jump servers for all remote access
  - Multi-factor authentication required for all access
  - Just-in-time access provisioning with automatic revocation
Network Segmentation
  - Physical separation between IT and OT networks
  - Micro-segmentation within OT levels using virtual segmentation
  - Unidirectional security gateways where appropriate for critical systems
  - Data diodes for one-way data flow from lower to upper levels
Security Controls
  - Next-generation firewalls with deep packet inspection
  - Network IDS/IPS specifically tuned for OT protocols
  - Asset discovery and inventory management
  - Continuous monitoring with OT-specific SIEM integration
Identity and Authentication
  - Centralized identity management integrated with OT systems
  - Role-based access control (RBAC) aligned with job functions
  - Hardware security modules (HSM) for critical credential storage
  - Certificate-based authentication for devices and systems
OpenAI’s o1 recommended some of the same components, including an industrial DMZ, next-gen firewalls, micro-segmentation, and jump servers. One good recommendation that o1 offered which Claude did not is continuous monitoring and threat detection, specifying:
A Security Operations Center (SOC), OT-aware Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), and industrial protocol monitoring tools are critical. Continuous assessment of device states, baseline deviations, and abnormal behavior alerts security teams to potential breaches.
Both o1 and Claude recommended the use of unidirectional gateways, with o1 saying:
Data Diodes and Unidirectional Gateways (Where Applicable):
For highly sensitive operations, consider one-way data flow devices (data diodes) that allow data to leave a zone for monitoring or reporting but prevent any commands or malicious data from returning.
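A segmentation design like the one both tools describe only holds if the actual conduit rules match it. The following is an added example, not part of either tool's response or the original post: a small audit of a flow rule set against the jump-server, industrial DMZ and data-diode recommendations above. The zone names, level numbers, protocol labels and rule names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed zone model (constructed): zone name -> Purdue-style level.
ZONES = {"control": 1, "supervisory": 2, "site_ops": 3,
         "idmz": 3.5, "jump": 3.5, "enterprise": 4}
OT_MAX_LEVEL = 3                       # zones at or below this level are OT
BROKER_ZONES = {"idmz", "jump"}        # only these may open flows into OT
INTERACTIVE = {"rdp", "ssh", "vnc"}    # treated as remote access

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    conduit: str = "firewall"          # "firewall" or "diode"

def audit(flows):
    """Return sorted (rule, src, dst, proto) tuples for every violation."""
    findings = set()
    # Zone pairs joined by a data diode, regardless of direction.
    diode_pairs = {frozenset((f.src, f.dst)) for f in flows if f.conduit == "diode"}
    for f in flows:
        s, d = ZONES[f.src], ZONES[f.dst]
        hit = lambda rule: findings.add((rule, f.src, f.dst, f.proto))
        into_ot = s > OT_MAX_LEVEL >= d
        if f.conduit == "diode" and s >= d:
            hit("diode-wrong-direction")       # diodes carry data upward only
        if f.conduit != "diode" and s > d and frozenset((f.src, f.dst)) in diode_pairs:
            hit("diode-bypass")                # routed return path defeats the diode
        if into_ot and f.src not in BROKER_ZONES:
            hit("it-to-ot-direct")             # must terminate in the industrial DMZ
        if into_ot and f.proto in INTERACTIVE and f.src != "jump":
            hit("remote-access-not-via-jump")  # all remote access uses jump servers
    return sorted(findings)

# Constructed sample rule set, not taken from any real plant.
SAMPLE_FLOWS = [
    Flow("supervisory", "enterprise", "historian", "diode"),
    Flow("enterprise", "supervisory", "sql"),
    Flow("jump", "site_ops", "rdp"),
    Flow("enterprise", "control", "rdp"),
    Flow("idmz", "site_ops", "syslog", "diode"),
    Flow("site_ops", "control", "modbus"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

The "diode-bypass" rule is the one most often missed in practice: a data diode gives no protection if a routed firewall rule carries traffic back down between the same two zones.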
As with all GenAI responses, we should never be taking 100% of what is stated and recommended and putting it straight to use - whether it’s an email draft, a summary of a research document, or anything else we ask an AI tool about. That applies even more so here, because OT environments are complex and very different to IT environments. Zero trust is a tricky subject too - partly because there are many approaches to it, and also because it is more of an ongoing process or a goal than a one-off project.
Having said all that, I think the responses from o1 and Claude here would serve as good food for thought and discussion starters for teams looking at this area.
If you would like to see the full responses from one or both of the tools, let me know with a comment. Same goes if you have another cyber-related subject to ask GenAI tools about - please let me know.
Fascinating read. I’d like to see responses from both tools. I’m learning about ZT and this will help me see what AI can do. 👍
Claude's full response was:
Let me outline the key components and reasoning behind this zero trust architecture:
Core Design Principles:
  - Segmentation by Purdue Levels with strict access controls between layers
  - Identity-based access rather than network-based
  - Micro-segmentation within each level
  - Continuous monitoring and validation
  - Least privilege access enforcement
Key Components:
Access Control Layer
  - Privileged Access Management (PAM) system as the central access control point
  - Jump servers for all remote access
  - Multi-factor authentication required for all access
  - Just-in-time access provisioning with automatic revocation
Network Segmentation
  - Physical separation between IT and OT networks
  - Micro-segmentation within OT levels using virtual segmentation
  - Unidirectional security gateways where appropriate for critical systems
  - Data diodes for one-way data flow from lower to upper levels
Security Controls
  - Next-generation firewalls with deep packet inspection
  - Network IDS/IPS specifically tuned for OT protocols
  - Asset discovery and inventory management
  - Continuous monitoring with OT-specific SIEM integration
Identity and Authentication
  - Centralized identity management integrated with OT systems
  - Role-based access control (RBAC) aligned with job functions
  - Hardware security modules (HSM) for critical credential storage
  - Certificate-based authentication for devices and systems
Benefits of this Approach:
Security Benefits
  - Reduced attack surface through segmentation
  - Quick containment of potential breaches
  - Detailed audit trails of all access
  - Prevention of lateral movement
Operational Benefits
  - Maintained availability through careful segmentation
  - Simplified compliance with regulations
  - Improved visibility into system access
  - Reduced risk of human error
Business Benefits
  - Protected intellectual property
  - Reduced cyber insurance premiums
  - Simplified vendor management
  - Enhanced regulatory compliance
Implementation Considerations:
Phased Approach
  - Start with identity management and access control
  - Gradually implement network segmentation
  - Roll out monitoring and validation tools
  - Finally implement automation and orchestration
Legacy System Integration
  - Use protocol gateways for legacy systems
  - Implement compensating controls where needed
  - Consider security wrapping for unpatched systems
Change Management
  - Extensive testing in lab environment
  - Clear rollback procedures
  - Comprehensive staff training
  - Updated documentation and procedures
Would you like me to elaborate on any particular aspect of this architecture or provide more detail about specific components?