IoT is a sexy topic these days. It’s hard to open a magazine or blog without seeing statistics that project there will soon be more IoT devices online than there are teenagers on ClickChat. Like the growth of mobility and smartphones before it, IoT is a phenomenon that merits attention. But this time it’s different. IoT networks and devices play a crucial role in our global transition to a digital economy, and organizations that fail to adopt a digital business model may not survive. That is also why we need to give credit to those who pioneered the use of IoT-like technologies — not just over the past few years, but for the past couple of decades.
I’m talking about the technologists working in our critical infrastructures, who have successfully relied on lightweight sensors and analytics to measure the availability and resiliency of infrastructures underpinned by Industrial Control Systems and Supervisory Control and Data Acquisition systems (ICS/SCADA). As these sorts of technologies become more mainstream, it is important that we look at both the lessons learned from the use of “industrial internet of things” sensors and their security shortfalls (many ICS/SCADA systems were optimized for availability rather than for other security properties such as confidentiality or integrity) as we expand the development and deployment of IoT solutions.
Sometimes it’s helpful to characterize IoT with greater precision. I like to place IoT devices in three categories. First, consumer IoT, such as smart TVs and watches and connected appliances or home security systems, is something that nearly everyone is familiar with and benefits from. The other two categories, commercial IoT and industrial IoT, are made up of things many of us never see. Yet we depend on them every day to provide essential resources and services. Commercial IoT includes things like inventory controls, device trackers and connected medical devices, and industrial IoT covers such things as connected electric meters, water flow gauges, pipeline monitors, manufacturing robots and other types of connected industrial controls.
Traditionally, commercial and industrial networks and their IoT devices ran in isolation. But with the mainstreaming of things like smart cities and connected homes, they now need to coexist within local, national and global infrastructures, creating hyperconnected environments of transportation systems, water, energy, emergency systems and communications. Medical devices, refineries, agriculture, manufacturing floors, government agencies and smart cities all use commercial and industrial IoT devices to automatically track, monitor, coordinate and respond to events and manage critical resources.
As a result, public-facing IT (information technology) networks and traditionally isolated OT (operations technology) networks are starting to be linked together. For example, data collected from IoT devices that is processed and analyzed in IT data centers is increasingly used to influence real-time changes on a manufacturing floor or deliver critical services, such as clearing traffic in a congested city in order to respond to a civil emergency.
The security implications are profound. Because of the hyperconnected nature of many systems, untrustworthy IoT behavior could be potentially catastrophic. OT, ICS and SCADA systems control physical systems, not just bits and bytes, where even the slightest tampering can sometimes have far-reaching — and potentially devastating — effects. And compromising critical systems connected to individuals and communities, such as transportation systems, water treatment facilities or medical infusion pumps and monitors, could even lead to injury or death.
Unfortunately, many IoT devices were never designed with security in mind. Their challenges include weak authentication and authorization protocols, insecure software and firmware, poorly designed connectivity and communications, and little to no security configurability. Many are “headless,” which means that they cannot have security installed on them or even be easily patched or updated.
And because IoT devices are being deployed everywhere, securing them demands visibility and control across all ecosystems. This requires many organizations, for the first time, to tie together what is happening across their IT, OT and IoT networks — on remote devices and across their public and private cloud networks — with a unified set of security policies and protocols. Integrating distinct security tools into a coherent system enables organizations to collect and correlate threat intelligence in real time, identify abnormal behavior and automatically orchestrate a response anywhere along an attack path. But it isn’t easy. Many of these systems were never designed to work together, and what may be an acceptable risk in one environment may be catastrophic in another.
To accomplish this, enterprises need to implement three strategic network security capabilities:
- Learn — Organizations need to understand the capabilities and limitations of each device and network ecosystem they are tying together. To do this, security solutions require complete network visibility to securely authenticate and classify IoT devices. Operators of OT and ICS/SCADA networks and devices are particularly sensitive since, in some cases, even simply scanning them can have a negative effect. So it is essential that organizations learn to safely enable real-time discovery and classification of devices, allowing the network to build risk profiles, and automatically assign IoT devices to IoT device groups along with appropriate policies.
- Segment — Once an organization has established complete visibility and centralized management, it can begin to establish controls to protect the expanding IoT attack surface. An essential component of those controls involves the intelligent and, where possible, automated segmenting of IoT devices and communications solutions into secured network zones protected by enforced policies. This allows the network to automatically grant and enforce baseline privileges for each IoT device risk profile, enabling the critical distribution and collection of data without compromising the integrity of critical systems.
- Protect — Combining policy-designated IoT groups with intelligent internal network segmentation enables multilayered monitoring, inspection and enforcement of device policies based on activity anywhere across the distributed enterprise infrastructure. But segmentation alone can lead to fractured visibility. Each group and network segment needs to be linked together into a holistic security framework. This integrated approach enables the centralized correlation of intelligence between different network and security devices and segments, followed by the automatic application of advanced security functions to IIoT devices and traffic located anywhere across the network — especially at access points, cross-segment network traffic locations and in the cloud.
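The three steps above, reduced to working code as an added illustration (this is not code from the post or from any product it alludes to): devices are classified purely from passively observed flows, because, as the Learn step notes, actively scanning OT gear can be harmful; each group is then placed in a zone, and cross-zone traffic is checked against a baseline policy. The flow records, port-to-group mapping, zone assignments and allowed zone pairs are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port) as a network tap would see
# them. Passive observation only: no probes are sent to the OT devices.
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502),    # HMI -> PLC over Modbus/TCP
    ("10.0.1.10", "10.0.1.21", 20000),  # HMI -> RTU over DNP3
    ("10.0.2.5", "10.0.9.1", 1883),     # sensor -> MQTT broker
    ("10.0.3.7", "10.0.9.2", 443),      # workstation -> web service
    ("10.0.3.7", "10.0.1.20", 502),     # workstation -> PLC: crosses the IT/OT boundary
]

# Learn: a host serving one of these ports is placed in the given group (assumed mapping).
SERVER_GROUPS = {502: "ics-controller", 20000: "ics-controller",
                 1883: "iiot-broker", 443: "it-service"}
# Client-only hosts are grouped by the set of server groups they are seen talking to.
CLIENT_GROUPS = {frozenset({"ics-controller"}): "ics-operator",
                 frozenset({"iiot-broker"}): "iiot-sensor"}
# Segment: each device group lives in one network zone (assumed mapping).
ZONE_OF = {"ics-controller": "ot", "ics-operator": "ot", "iiot-broker": "iiot",
           "iiot-sensor": "iiot", "it-service": "it", "it-endpoint": "it"}
# Protect: baseline policy as allowed (source zone, destination zone) pairs.
ALLOWED_ZONE_PAIRS = {("ot", "ot"), ("iiot", "iiot"), ("it", "it"), ("it", "iiot")}


def classify_devices(flows):
    """Learn step: infer {ip: group} from observed traffic alone."""
    groups, peers = {}, defaultdict(set)
    for src, dst, port in flows:
        if port in SERVER_GROUPS:
            groups[dst] = SERVER_GROUPS[port]   # e.g. anything serving Modbus is a controller
        peers[src].add(SERVER_GROUPS.get(port, "unknown"))
    for ip, seen in peers.items():
        if ip not in groups:                    # client-only host: group by what it talks to
            groups[ip] = CLIENT_GROUPS.get(frozenset(seen), "it-endpoint")
    return groups


def zone_of(ip, groups):
    """Unclassified devices land in a quarantine zone that no policy pair allows (fail closed)."""
    return ZONE_OF.get(groups.get(ip, "unclassified"), "quarantine")


def zone_violations(flows, groups):
    """Protect step: flows whose zone pair falls outside the baseline policy."""
    violations = []
    for src, dst, port in flows:
        pair = (zone_of(src, groups), zone_of(dst, groups))
        if pair not in ALLOWED_ZONE_PAIRS:
            violations.append((src, dst, port, f"{pair[0]}->{pair[1]}"))
    return violations


if __name__ == "__main__":
    inventory = classify_devices(FLOWS)
    for v in zone_violations(FLOWS, inventory):
        print("policy violation:", v)
```

Only the workstation-to-PLC flow is reported; every other flow stays inside its zone or matches an allowed pair, which is the "fractured visibility" problem the Protect step describes being closed by correlating inventory and traffic in one place.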
Finally, it is essential that IoT not be treated as an isolated or independent component of a business. IoT devices and data interact across and with the extended network, including endpoint devices, cloud, and traditional and virtual IT and OT. Isolated IoT security strategies simply increase overhead while reducing broad visibility. To adequately protect IoT, including IIoT, organizations require more than just security point products or platforms. They need an integrated and automated security architecture.
An integrated security framework is able to tie together and orchestrate the disparate security elements that span your networked ecosystems. Such an approach expands and ensures resilience, secures distributed compute resources, including routing and network optimization, and allows for the synchronization and correlation of intelligence for effective, automated threat response. It also ensures that you are securely connecting known IoT devices, along with their associated risk profiles, to appropriate network segments or cloud environments. This enables the effective monitoring of legitimate traffic and the checking of authentication and credentials, while imposing access management across the distributed environment.
But back to the pioneers of this work. We have a lot to learn from the ICS/SCADA professionals who, for decades, have been protecting our critical infrastructures. Using a variety of protocols, hardware, analytics and SIEMs, these OT technologists have accumulated wisdom that ought to be tapped, rather than relearned the hard way. It is essential that organizations grow and educate their workforce of IT and OT professionals, enabling them to be better prepared, not just to secure their IIoT domain but the increasingly interconnected critical infrastructure domain as well.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.