When I was in grade school, my best friend had a favorite saying whenever he disagreed with somebody’s observation that two things were really similar. “It’s the same, only different,” he would quip. Though this phrase was mostly intended to be flippant and evoke an emotional response from the recipient, I’ve finally found a topic where his phrase is 100 percent legitimate; IoT security. That’s because when it comes to securing IoT, we’re not talking about a single, homogeneous network, but rather the extended network which comprises both Information Technology (IT) and Operational Technology (OT) environments.
While existing IT networks have included cloud and perimeter security for many years, OT environments have traditionally been air gapped from the Internet, and therefore only required physical security components to ensure a high level of secure access and safety for plant personnel. And since IT and OT networks were completely separate, the radical differences in their approach to security didn’t make much of a difference – users of each simply lived in blissful isolation. But IoT is changing all of that!
In the IoT paradigm, IT and OT are necessarily conjoined and connected to the outside world. As such, IT and OT professionals will need to work together to drive pervasive security across the extended network. Since OT gains its connectivity through the existing IT environment, IT should retain control by applying a consistent level of security across the extended network, using many of the same tools it has traditionally employed for the IT environment. However, though the tools will be the same, IT must also recognize that OT environments are inherently different; therefore, security policies will need to be applied differently in each of the respective environments, even for the same specific threat, to reflect their differentiated needs.
In other words, the security solution across the extended network needs to be the same … only different!
Join me at Cisco Live 2014 which will be held May 18th-22nd in San Francisco, California. I will be discussing the security ramifications of IoT, providing practical advice and guidance on how you can embrace IoT without sacrificing security, and how IoT can even help you improve your security posture. You can join me for an informal table topic I will be hosting during lunch on Monday, May 19th, or you can register for my technical breakout session on Thursday the 22nd, BRKSEC-2005 – The Internet of Things: a Double-Edged Sword. How Can You Embrace it Securely? Or better yet join me for both! If you want a more personalized conversation, you can also schedule a one-on-one session throughout the week through Cisco’s Meet the Expert program. I hope to see you there!
Jeff,
How I wish I could be in San Fransico at Cisco Live but no chance I’m afraid. So here is my twopence worth.
There are some interesting challenges in combining operational and IT environments and the challenge can come from some unexpected directions e.g. where secure zones are actually defined in terms of the assets multiple third party maintainers look after rather than on information security principles. Or maybe, as in the case of one of my clients, the same network technologies are used in control and information applications (in some cases supporting SIL 2 systems).
The key in this case is to STOP such systems from communicating except in specific and auditable ways. We are making progress and we are starting to get our heads around some of the issues and find the International Society for Automation ISA 95 / 99 models most useful in developing our thinking.
In general IT departments deal with services (some common)using an ITIL approach so the kit and software deployed will have a service wrap and agreed service levels, whereas industrial automation projects will often move from commissioning staright into maintenance. This is fine where the various systems are discrete and not shared but the ITIL approach is really needed where some infrastructure is shared if only to make sure, as a minimum, that there is effective change management and security management.
Of course whatever security solutions we put in place will have to be capable of handling the high bandwidths associated with real-time HD and 4K CCTV streams.
I look forward to seeing the output from the conference.
Thank you for the detailed response John! Wow, I really wish you could come to Cisco Live, as well – I’d love to sit down with you and discuss this further!
Your comments really highlight one of the most important issues when it comes to IoT security. As you correctly point out, there is no “one OT environment” … rather, most OT environments are comprised of multiple disparate (and often proprietary) systems. Of course, where we may disagree is that they need to communicate with one another. That’s not to say that there aren’t cells or zones that need to be air gapped due to their sensitive operations or particularly high value, but to truly reap the benefits of IoT, most of the OT systems will need to converge to take advantage of the shared intelligence. Those OT systems will then need to be converged with IT systems for comprehensive end-to-end intelligence across the organization.
Of course, if you do all this, you need to take a radically different approach to security – and that was the point of this post.
Let’s keep the discussion going … I’d love to hear other perspectives, especially from the OT side of the house!