Ask the Expert: Zero Trust and Printers
By Sean Hope
Senior Managed Printer Service Specialist
You may have heard the term “zero trust” at some point in the last few years. If so, hopefully it was in the context of cybersecurity and not as part of a couples therapy session. Even if you’ve heard the phrase… even if you understand the technical aspects of implementing a Zero Trust network architecture… or perhaps because you already know how difficult it is to actually migrate to such an environment… it remains light years away from reality for most organizations.
This is not to say that the principles of Zero Trust should be ignored. On the contrary, IT departments across the country have largely begun to apply these principles and best practices to their most valuable and effective security policies and procedures. However, there is one ubiquitous type of network endpoint that is usually overlooked in this regard…printers.
As the name suggests, Zero Trust is in many ways a constant state of paranoia, but as the saying goes, “Just because you’re paranoid doesn’t mean they aren’t after you.” The concepts of eliminating open paths that allow lateral movement within the network from device to device, multi-factor authentication, vigilant monitoring, and rapid patching of vulnerabilities are all part of the Zero Trust mentality. The challenges preventing organizations from moving to a full Zero Trust environment are both technical and cultural. On the technical side, making such architectural changes to the network can require a significant investment of labor and capital. Culturally, there is always some level of resistance to change, especially when those changes can be costly and lead to an end result that some see as having a negative impact on the user experience. Let’s face it, two-factor authentication alone is a step (or two) more than some less-technical workers/employers accept as standard practice.
Why should companies apply Zero Trust principles to printers? I’m glad you asked (even if you didn’t). In February 2021, the NSA released a document entitled “Embracing a Zero Trust Security Model” (CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF, defense.gov). This document is a great in-depth explanation of Zero Trust as a whole, but one of the fundamental tenets of the guidance provided is the mindset that: “A breach is inevitable or has already occurred.” Once we accept the reality that maintaining a strong firewall isn’t the end of security, we need to look at how to minimize risk and exploitation. It’s often said that security is a multi-layered approach, and incorporating printers into security strategies simply adds another layer to that approach.
Zero Trust principles can be applied to print environments in both procurement and management. First of all, it is necessary to understand the differences in the security features of different printer brands and models in order to make strategic purchasing decisions. A telltale sign of a printer’s level of built-in cyber protection is what the manufacturer emphasizes in the product’s marketing materials. If a model has a competitive advantage in terms of cybersecurity features, it will certainly be highlighted in the manufacturer’s marketing materials. Conversely, if a model has only the bare minimum of cybersecurity features, this will be reflected in how little detail on endpoint security is included in a product brochure.
Supply chain attacks are an increasingly common tactic, and a Zero Trust mentality requires measures to be taken to protect the organization from such efforts, which are inherently capable of bypassing a network’s firewall. When it comes to printers and the supply chain, the potential threats of a supply chain vulnerability are not just within the printer itself. Toner cartridges contain chips that allow the cartridge to communicate with the printer. Every time a new cartridge is inserted into a printer, an external chip is inserted into a network endpoint behind your firewall. When applying the Zero Trust principles, the question arises as to the supply chain security of the chip. Compatible toner cartridges have historically been cheaper than OEM cartridges, but the security of the supply chain around them is a gray area, considering that they use reprogrammable chips.
While OEM toner cartridges can offer more security, it’s important to note that even OEMs can outsource the production of their toner cartridges. According to this October 2021 Keypoint Intelligence report (hp-cartridge-iso-20243.pdf, keypointintelligence.com), HP is the only manufacturer to have all of its toner cartridges certified to ISO 20243 for the entire life cycle of the product, including the supply chain.
When adopting a Zero Trust mentality, printer and toner cartridge security features must be factored into strategic purchasing decisions. Security concerns don’t end with procurement, however. A critical element of Zero Trust is the timely application of manufacturers’ firmware patches. Exploiting unpatched known vulnerabilities is a hallmark of state-sponsored hackers, including groups that US intelligence has attributed to Russian intelligence. Printers as an attack vector are so widespread that the hacktivist collective known as Anonymous exploited known vulnerabilities in some printers to hijack over 100,000 printers in Russia to print instructions for citizens to bypass censorship of information about the Russian invasion of Ukraine.
Most companies don’t have a patch management process for their printers, nor do they have the bandwidth to develop and implement a recurring process. A printer that has not been patched against a known vulnerability and/or a printer that is so old that it is no longer supported by the manufacturer for security updates must be considered untrustworthy and unacceptable. Manufacturers today have started offering tools to help patch printers, but these tools are not all created equal. Even the manufacturers that offer such tools only provide a way to help the patching process, and an unused tool is essentially a useless tool. This is where working with a managed print services provider (like Usherwood) that has both the tools and the process in place to keep your printers current with security patches is essential.