Data in an organization is important. It can differentiate an organization from its competitors.
A properly designed IT network provides:
- Data confidentiality: ensure that data is only visible to authorized users. We achieve confidentiality by using encryption.
- Data integrity: ensure that data is only modified by authorized users. We maintain integrity with checksums and hashing algorithms.
- Data availability: ensure that the network is always available. We achieve this with proper network designs and redundancy.
Confidentiality, integrity, and availability are familiar to most of us. You see these three terms everywhere when we talk about security.
Security is difficult enough for IT networks. It’s even harder for Operational Technology (OT) networks. OT is the hardware and software we use to monitor and control physical (critical) devices. For example: pumps, valves, elevators, or rail systems. OT is an important element in environments like factories, refineries, power grids, power plants, etc.
With IoT, we connect these traditional OT devices to the Internet. When we talk about IoT and security in this lesson, keep those OT environments in mind.
Let’s discuss some of the security challenges we face with IoT.
Some IoT devices are never updated because they are in use 24/7. Updating devices means we have to temporarily shut down a critical system like an assembly line. It’s also possible that a device is too old and doesn’t receive any updates from the vendor.
Compromise of an IoT device could result in injury or impact the environment. For example, a compromised device could mess with railway signalling and make two trains collide. Another example is a pipeline where an attacker opens a valve and releases chemicals into the water supply.
Some environments (like a power plant) are closed systems so data confidentiality is critical.
A security incident that takes down a server is bad. A security incident where the network goes down is even worse. When a statewide power grid fails or is compromised, we are talking about a whole different level of trouble.
We have IT and OT. These are two different worlds that now overlap thanks to IoT. Implementing a security model that both teams accept can be a challenge. In IT, when we detect an attack we usually block something so that we isolate the attack. When an OT team detects an attack, they might prefer to keep the process running and deal with it during a maintenance window. Stopping a process can cause safety concerns.
A threat is a possible danger to a person or environment. Threats can be natural, malicious, environmental, or accidental. Security people are mostly interested in threat vectors and countermeasures. A threat vector is a route or path an attacker uses to attack a target. For example:
- Mobile devices
- Remote access
Many IT networks use a “medieval castle” security strategy where they implement security at the border of their network.
The Internet is not a safe place. It’s one of the most important threat vectors for IT networks.
We have users on our IT network who access the Internet and visit malicious websites that infect their computers. Malware could then spread to the rest of the network. You could use a web proxy and anti-virus on user devices to protect your network against this kind of attack.
There are also attackers from the Internet who look for open ports and try to connect to servers that are exposed to the Internet. Attackers try to attack servers using known software vulnerabilities to gain administrative privileges. You can protect yourself against these types of attacks with firewalls and an IPS, and by updating your operating systems and software to the latest versions as soon as possible.
WAN circuits connect our IT network to other sites like branch offices or business partners. These WAN circuits are considered safe but if a remote site is compromised, it could also affect our main network. Like our Internet connections, you need to protect your WAN circuits with firewalls and IPSes.
Every business uses e-mail for internal and external communication. E-mail uses old protocols that were never created with security in mind. There is no authentication when an external sender sends you an e-mail. This is why e-mail is so attractive for phishing attacks and malware in attachments. You can guard yourself against e-mail attacks with anti-virus, services that scan e-mail contents, and DNS checks.
We use IPv4 and IPv6 for our IoT networks so we face the same issues as normal IT networks:
- Rogue devices
- Man-in-the-middle attacks
- Fragmentation attacks
However, IoT security is a whole different game. With IT, it’s about data and information. With IoT it’s about the physical world. Instead of manipulating data, we can manipulate the physical world.
The number of threat vectors for an IoT network is much larger than for an IT network.
Number of Devices
The number of devices increases drastically. An IT network with 1000 users might have 100 servers, that’s 1100 possible threat vectors. A factory with 1000 workers might have 100 servers and 10000 sensors. That’s 11000 possible threat vectors.
IoT devices are small and inexpensive, with little to no physical security. Devices can be stolen.
Some devices have limited processing capability while encryption algorithms require processing power.
How are you going to update 10000 devices when you discover a security exploit? Does the vendor even release updates?
Protocols like Modbus and Profinet were designed for programmable logic controllers (PLCs) and other devices with minimal compute resources. These protocols were designed with efficiency, not security, in mind. We used these protocols on closed networks but with IoT, everything is connected.
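The missing security is visible in the Modbus/TCP frame layout itself: there is no field that identifies or authenticates the sender. The Python sketch below is an added example, not part of the original lesson; it parses a request and flags write commands that come from a source outside an allowlist. The IP addresses, the allowlist, and the sample frames are constructed assumptions.

```python
import struct

# Modbus function codes that change process state (standard public codes).
WRITE_CODES = {5: "write single coil", 6: "write single register",
               15: "write multiple coils", 16: "write multiple registers"}

# Assumption: only the engineering workstation may issue writes.
ALLOWED_WRITERS = {"10.0.5.10"}


def parse_adu(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The length field counts the unit id plus the PDU bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"transaction": tid, "unit": unit,
            "function": frame[7], "data": frame[8:]}


def review(src_ip: str, frame: bytes) -> str:
    """Return 'malformed', 'alert' or 'ok' for one captured request."""
    try:
        adu = parse_adu(frame)
    except ValueError:
        return "malformed"
    # Nothing in the ADU identifies or authenticates the sender, so the
    # only thing a monitor can check is the network source address.
    if adu["function"] in WRITE_CODES and src_ip not in ALLOWED_WRITERS:
        return "alert"
    return "ok"


# Constructed sample traffic (not from a real capture).
SAMPLES = [
    ("10.0.5.10", bytes.fromhex("000100000006" "01" "03" "00000002")),  # read
    ("10.0.5.10", bytes.fromhex("000200000006" "01" "05" "0001ff00")),  # write
    ("10.0.9.77", bytes.fromhex("000300000006" "01" "06" "00100064")),  # write
    ("10.0.9.77", bytes.fromhex("0004000000ff" "01" "03")),  # wrong length
]

if __name__ == "__main__":
    for ip, frame in SAMPLES:
        print(ip, frame.hex(), review(ip, frame))
```

Because the source address is the only thing left to check, this kind of monitoring complements network segmentation and firewalls rather than replacing them.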
Most OT engineers are concerned with connectivity but are not always up-to-date with IT best practices. If you use wired connections for your devices then you should secure your switches. Engineers might be familiar with the basics of switches (like VLANs) but may not have enough knowledge about important security options like 802.1X and NAC.
IoT Security Strategy
An IoT security strategy needs to take three items of properly designed IT networks into account:
Let’s take a closer look at these items.