I talk and write a lot about the benefits of connecting more things to enterprise networks, and the most frequent concern that I hear is the worry that deploying an industrial IoT will open up thousands more security holes to the network. With an understanding of the new threats and important defenses that come with the IoT, industrial organizations need not let fear prevent them from leveraging the transformative possibilities of Internet of Everything.

New vulnerabilities from IoT

As we light up more and more assets in every industry from transportation to healthcare, we see a new set of challenges to protecting personal privacy, securing intellectual property, and ensuring public safety.

  1. The sheer number of machines and sensors on the network adds another order of magnitude to the attack surface.
  2. Often, these machines and sensors are connected in an irresponsible manner (circumvent firewalls, inadequate authentication protocols).
  3. One-size-fits-all security policies will not work across the varied types of devices and information flow scenarios.

Connect Industrial Control Systems with Care

Now that many of our most critical data streams and business processes will be IoT enabled, security plays a more important role than ever before. Retail has gotten significant media for widespread security vulnerabilities in 2014. And in the coming years, as the mission-critical industrial control systems of energy and manufacturing operations go online, even more care is needed to stay ahead of malicious attackers

The US government organization, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT, part of the Department of Homeland Security), recognizes increased vulnerability of critical infrastructure due to IoT that has been deployed without proper security configuration. ICS-CERT advises the following to protect internet-connected critical infrastructure:

• Protect control systems behind next-generation firewalls.
• Test, then apply updates and patches to ICS software as soon as possible.
• Understand the types of vulnerabilities (authentication flaws were #1 in 2013).
• Keep up to date with industry-specific vulnerabilities. For example, the FDA has published best practices to prevent unauthorized access to network-connected medical devices

This case study shares how one of the world’s largest oil & gas companies utilizes these best practices to fend off physical and cyber threats to meeting the world’s demand for energy.

Design Security into Your IoT
The Internet of Things generates massive datasets that can be used for greater operational efficiency and smarter business decisions. When teams design how to collect and analyze this data from thousands of endpoints, they should also design how to secure that data all the way from the edge to the cloud.

This week, Cisco released the 2015 Annual Security Report. This report provides guidelines on how to apply structure and rules to protect privacy of IoT-generated data being handled globally, and a new look at how Network Access Control has evolved to securely provide network access to IoT devices. In short, security needs to be built into both your enterprise IoE network and into the products and services you provide to customers. For more IoT and IoE-specific threat landscape and security strategies, visit the Internet of Everything Security website.

Cisco IoT security model_Tony Shakib Blog 1.22

Next week, I’ll join my colleagues Kip Compton and Mike Flannagan for the Internet of Things keynote at Cisco Live Milan. Together, we’ll show how a well-designed secure network allows companies and governments to unlock the value of the Internet of Everything while protecting against vulnerabilities both old and new. If you won’t be in Italy next week, you can still watch online, Tuesday January 27 at 5:15 a.m. PST / 8:15 a.m. EST / 14:15 CET.




Tony Shakib

No Longer with Cisco