Zero Trust Security (eBook)
272 pages
Wiley (publisher)
978-1-394-36110-6 (ISBN)
Principles, applications, and methodologies to help organizations transition from traditional security models to a Zero Trust approach
Zero Trust Security is a hands-on guide that bridges the gap between Zero Trust theory and real-world practice through a unique and practical approach. Following the journey of a fictional manufacturing company, readers learn how to move from a flat network to a robust Zero Trust architecture. Through step-by-step implementations, the book demonstrates the essential elements of modern security architecture.
Each chapter provides both theoretical understanding and practical implementation guidance. The included Docker environments and configuration files enable readers to practice implementations in a safe environment, making complex security concepts tangible and actionable. For readers just beginning their Zero Trust journey or enhancing existing security controls, this guide offers actionable insights to build a more resilient security architecture.
Additional topics explored in Zero Trust Security include:
- Why perimeter security is inefficient, why Zero Trust projects fail, and how to implement Zero Trust correctly and effectively
- Installation and use of Docker Compose and understanding of Docker Compose .yml files
- Elements of network segmentation including physical and logical segmentation and key technologies
- Techniques for network monitoring such as network taps, switch port analyzers (SPAN), and encrypted traffic
- Identity access management (IAM), covering credential rotation, multi-factor authentication, and single sign-on (SSO)
Zero Trust Security is an essential resource on the subject for IT managers, security architects, DevOps engineers, compliance officers, and cyber security practitioners. The book is also highly valuable for students in related programs of study seeking to understand the latest developments in the field.
Adam Tilmar Jakobsen is a Cyber Security Consultant working with the Danish government. He started his career as a Cyber Specialist for Danish Army Intelligence, where he worked with different single-source divisions on expanding the usage of cyber, with a focus on SIGINT, OSINT, and all-source intelligence. He then joined Blue Water Shipping, a major shipping company in Denmark, where he worked in information security, handling the full operation pipeline.
Chapter 1
Use Case: Juice Factory
What do you mean, zero trust? To be a successful organisation, we need to trust our people. Yes, but not beyond what they require to do their job.
Throughout this book, we will explore the ideas of Zero Trust Architecture (ZTA) using a fictional company, which lets us look at the different concepts of zero trust in a practical and fun way. The company is called Juice Factory. Its business comprises both the information technology (IT) used for communication and collaboration between employees and customers, and the operational technology (OT) that controls the production system making the juice. At their last seminar, the board members heard about a concept called Zero Trust, which can supposedly be used to make any organisation secure. Combined with the increasing risk of a cyber incident, this has led the board of directors to hire you as their first Chief Information Security Officer (CISO). As the CISO, it is your job to adopt the strategies of ZTA across the organisation's IT and OT environments, making them more resilient against cyber threats and reducing the probability of a significant cyber incident affecting the business.
1.1 Company Profile
The first thing any CISO or security professional should do is understand the organisation. It is impossible to defend something you do not understand, including why the business makes the decisions it does. With that said, let's get started getting to know the business we will work with. Here are some details about the Juice Factory to clarify what they are all about.
- Name: Juice Factory
- Industry: Manufacturing
- Headquarters: Europe
- Employees: 500
- Revenue: $100 million annually
- Sales Distribution:
- 10% from Business to Consumer (B2C) online sales
- 90% from Business to Business (B2B) sales
1.1.1 Headquarters
The headquarters of Juice Factory is located in a major European city, with approximately 450 employees based there. It comprises two buildings: one dedicated to the administrative offices of the organisation and the other to the engineering and manufacturing of juice products. All of Juice Factory's data centres are located on-premises at headquarters, which keeps IT and OT operations streamlined.
1.1.2 Satellite Offices
Juice Factory also operates several smaller satellite offices in different countries, focused primarily on B2B sales. These offices are mostly staffed by sales personnel, with a typical size of around 4–6 employees per office. These people manage local customer relationships and sales activities in their respective countries.
1.1.3 Operational Technology
Juice Factory's OT systems are integral to its manufacturing processes. They automate the flow of production: the machinery is connected to a programmable logic controller (PLC), which is integrated with a human–machine interface (HMI) that allows an engineer to control the flow of the production facility with the press of a button. The engineering team is responsible for monitoring and controlling the OT system. Because the production facility is critical for the business, the system cannot be rebooted outside the planned maintenance cycles.
1.1.4 Information Technology
For the IT environment, Juice Factory runs its own IT infrastructure. The data centres are all at headquarters. The satellite offices consist only of the minimum network equipment needed to function, plus endpoints. Every satellite office is required to have a constant connection to the headquarters network to access corporate resources, which is achieved using site-to-site VPNs.
1.1.5 Business Consideration
When designing the security architecture for an organisation, it is important to consider its business processes. When implementing new security controls at Juice Factory, consider the following business factors.
- Continuous Production: The juice production must keep running; downtime outside the planned maintenance cycles is not an option.
- Remote and Mobile Workers: Employees often work remotely or are on the move, requiring secure access to company resources from various locations and devices.
- Many Business Partners: The company collaborates with numerous partners, necessitating secure communication and data exchange channels.
- Intellectual Property: The Juice Factory holds valuable production and manufacturing trade secrets that require protection from unauthorised access and cyber threats.
- Diverse Endpoint Devices: The company’s IT environment includes a mix of endpoint devices running on Windows, Mac and Linux, requiring a versatile security solution.
- Geographic Diversity: With operations across different geographic locations, the Juice Factory must comply with local regulations and meet diverse compliance requirements.
Whatever organisation you are working with, the same process applies. Talk with the different department leaders, understand how they work and what unique challenges they are facing. This helps you identify which problems you can mitigate and, most importantly, avoid introducing new problems for the departments.
1.2 Getting to Know the Business and Finding the Crown Jewels
Security can no longer afford to hide in its cubicle. The goal of security is to allow business processes to be performed in a secure manner. Not only that, we also have to be sure that the security controls we put in place do not limit the business. Otherwise you will quickly be faced with shadow IT, and you will no longer have control over where the business data lives. For example, when our sales team needed a file-sharing solution for large technical documents, security initially prohibited the use of cloud storage. This led sales representatives to create personal Dropbox accounts for sharing product specifications, inadvertently exposing proprietary data. A good way to mitigate shadow IT is to provide approved alternatives before restricting tools.
What is required of us is to get to know the business. For that to happen, we have to build a relationship with the rest of the business leadership team. The best way to do this is through communication and collaboration between departments. How do we go about achieving this? The goal should be to identify how security can add value to the organisation. Speak to the key departments of the organisation; these are often sales and legal. Legal lets you understand which regulations the organisation must adhere to. With sales, identify whether customers have raised any security concerns or whether the organisation has lost deals with potential customers because of lacking security. Another example: if sales or legal are the ones answering compliance-related questions about information security, you should step up and take that off their shoulders. Not only are you best suited to answer the questions, it also creates a positive relationship with the department. The goal is to demonstrate to the other leaders that security is not just a cost centre but a business enabler. This requires you to speak the language of business, which they know, and leave the IT jargon behind for your fellow security engineers.
The end goal is to understand which business processes make the business profitable, including the supporting systems that enable these processes. With that, we should have identified the crown jewels of the organisation. This allows us to prioritise what to focus on first and which systems need greater protection. Let's look at the Juice Factory and try to understand both the crown jewels and the challenges the organisation is facing. Since this is a fictional business, it is not possible for us to go out and ask the different department leaders for input about the functions of the business and the problems they are facing. We just have to pretend that we have already done so, and these are their responses.
- Legal: Our Payment Card Industry Data Security Standard (PCI DSS) compliance efforts currently consume approximately 200 working hours yearly. We’re seeing increasing scrutiny from auditors, particularly around our card data environment segmentation. We’ve identified gaps in our GDPR compliance, specifically around data subject access requests and cross-border data transfers. Failure to address these issues may result in potential fines of up to 20 million euro or 4% of annual revenue.
- Production: Our OT environment runs on legacy systems that control specialised juice processing equipment. We cannot reboot the production environment because of the loss of production time to the business. The only time we can perform maintenance and security updates is as part of scheduled maintenance, and only a single day each year is allowed for that. We've identified three critical vulnerabilities in our SCADA systems, but patching requires a full system shutdown. We store our proprietary recipes digitally, accessible to 15 engineers; however, we lack an access log to audit who accesses the documents. A competitor recently attempted to hire one of our senior engineers, raising concerns about IP protection.
This covers the security concerns of the organisation. For this book, we will not go into how to handle compliance; that could be a book on its own. Instead, let's focus on the IT and OT environment. What we know so far is that we cannot reboot the OT environment, as the production loss is too high. That limits us to only activities that do not...
| Publication date (per publisher) | 8.12.2025 |
|---|---|
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Networks |
| Keywords | business relationships • career adaptability • career advice • career goals • Career guide • Career Mentor • career resilience • emotional intelligence career • job reputation • job skills • Relationship Building • Social capital |
| ISBN-10 | 1-394-36110-6 / 1394361106 |
| ISBN-13 | 978-1-394-36110-6 / 9781394361106 |
Copy protection: Adobe DRM
File format: EPUB (Electronic Publication)