Zero Trust: A Strategy for Cybersecurity Victories

NMFTA - July 1, 2024

Chase Cunningham, Ph.D., is known in the industry as Dr. Zero Trust. While that may sound to some like a warning not to share secrets with him, Cunningham actually earned the name because he is a strong advocate of the philosophy designed to protect digitized industries from cyberattacks.

Through extensive collaboration with NMFTA, Cunningham has frequently shared his insights with the LTL carrier industry. A notable instance was at the October 2023 NMFTA Cybersecurity Conference in Houston, TX, where he displayed a QR code and informed the audience they could scan it to receive a free book.

Those who followed the prompt found themselves exposed to a phishing site. Dr. Zero Trust had made his point.

The strategy known as Zero Trust in cybersecurity means no one is presumed to deserve default access to network resources, and authentication is required any time someone wants that access.

Also known as a “default deny” posture, Zero Trust denies every person, device, or application automatic access unless they can pass the test of authentication. Beyond that, Zero Trust microsegments networks into small zones, so you don’t just have to authenticate to get into the system; you must also authenticate to go from zone to zone.

In various recent presentations, Cunningham explained why Zero Trust is so important, particularly for the LTL carrier community.

“How do you eliminate the adversary’s ability to be successful within the system?” Cunningham asked. “If the adversary’s there, what would they use to move around that infrastructure?”

Zero Trust is especially important in the context of application programming interface (API) security. Without API security, Cunningham said you can’t really achieve Zero Trust because exposed APIs give too many people easy access to various points in a company’s system.

At the same time, the Zero Trust approach within a system is designed to make it almost impossible for an attacker to move around.

One example Cunningham cited of a methodology to shut down adversaries is the Lockheed Martin Cyber Kill Chain, which makes an adversary’s job much more difficult by introducing a series of tactics to shut the adversary out as he attempts to advance through the system.

The Kill Chain has seven stages — reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Along the same lines, Zero Trust systems make it harder for attackers to keep advancing because they can never get far before there is another access point that requires authentication.

And if no one has automatic access and everyone is required to authenticate every time, an attacker is prevented from simply using someone’s saved credentials to keep getting further into the system.

While Zero Trust is not a technology or a specific software product, Cunningham emphasized there are best practices and strong technologies carriers should embrace to do it successfully. Those include strong encryption, permissions, network microsegmentation and next-generation firewalls.

And Cunningham cautioned that no company can achieve complete Zero Trust implementation overnight.

“If you’ve been building your infrastructure for 30 years, you’re not going to be Zero Trust in 30 days,” he said.

Implementing a Zero Trust system will require careful and diplomatic handling with employees, especially those accustomed to default authorization. The term “Zero Trust” itself may have implications that could be unsettling for some team members.

Cunningham recognizes the challenge.

“Some are going to say, ‘You don’t trust me?’” Cunningham said. “But it’s Zero Trust, it’s not zero faith. I have faith in your employees. They’re good people. It’s not that I don’t inherently trust my people. This is about things I have to do to take care of this business so that those employees can continue to earn their paychecks. Some of those things might be slightly uncomfortable as we migrate to new technologies. But it’s not about not trusting the people. It’s about not trusting what’s going on in the environment, and removing trust so the bad guys can’t use it against us.”

He emphasized that companies should start by focusing on the areas that are most essential to the viability of the business. That not only achieves the strongest outcomes out of the gate, it also tends to convince people like CFOs that the money is being well spent.

And Cunningham urged companies to make good use of outside services to help them.

“I did a workshop with a candy company recently, and they said they were getting ready to set up their own cybersecurity system,” he recalled. “I told them, ‘You’re a candy company and you do awesome stuff with sugar. Don’t be a candy company that also does cybersecurity. Have a security leader who herds the cats, but make use of service companies who can help.’”

To learn more about Zero Trust and other cybersecurity issues for LTL carriers, check the wide array of cybersecurity research and cybersecurity resources available from NMFTA, and register for our Cybersecurity Conference in October.

NMFTA

The National Motor Freight Traffic Association promotes, advances, and improves the welfare and interests of the motor carrier industry and less than truckload carriers operating in commerce, both domestically and/or internationally.