A cyber intrusion discovered in 2020 pushed Idaho National Laboratory (INL) to accelerate its shift to a zero trust cybersecurity architecture and adopt cloud-delivered security services from Zscaler, the lab’s top security official said Tuesday.

Speaking at the Zscaler Public Sector Summit, Robert Roser, chief information security officer (CISO) and director of cybersecurity at INL, said the breach exposed gaps in basic cyber hygiene.

“[I received] a wake-up call at about two in the morning that our DMZ, our internet-facing applications, was compromised,” Roser said. The intrusion was ultimately traced to APT41, an advanced persistent threat group linked to China.

The lab identified the activity within 24 hours and disconnected its DMZ from the internet while investigating. “We turned our DMZ completely off in about 36 hours … while we dealt with it,” Roser explained.

The incident exposed cybersecurity gaps, including cybersecurity tools that system administrators had disabled. Roser said the breach also provided a roadmap for modernizing INL’s security architecture.

“The upside was it gave me, as a new CISO, a roadmap of what I had to work on,” Roser said, adding, “Right after that, it was very obvious … we were going to shift to a zero trust environment.”

A key priority was eliminating traditional VPN-based access and adopting cloud-delivered security services. The lab turned to Zscaler for those services. Roser said the lab deployed Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) in 2020, allowing INL to secure both internet and application access while improving user experience.

“I wanted to get out of the VPN game and switch to Zscaler for a couple reasons. I didn’t like what we were using at the time. It was very clunky and not very secure and didn’t offer a very good user experience,” he said.

“With ZIA and ZPA, I got basically two for one, if you will. We deployed both of them at the same time, and have been sort of leveraging, or incrementally including, our zero trust posture with Zscaler ever since,” Roser said.

Today, Roser said INL has fully implemented Zscaler’s architecture and is focused on maturing its capabilities, including expanding artificial intelligence (AI)-driven detection and strengthening identity and data protections.

Identity remains the foundation of the lab’s approach, he said, with efforts underway to tighten role-based access and improve data tagging.

For example, “If there’s no reason for them to touch financial data, they shouldn’t be able to see it at all,” Roser said.

Deepen Desai, chief security officer at Zscaler, said organizations must combine AI and zero trust to keep pace with increasingly sophisticated cyber threats.

“Every organization needs to prioritize a solution that will allow them to use AI to fight AI,” Desai said. “You’re already seeing threat actors use AI to attack your organization, so you need AI to fight AI to level the playing field.”

At the same time, he added, agencies should pursue “a zero trust everywhere strategy” to reduce the number of attack paths adversaries can exploit.