Job One: Securing IoT
Recently, I participated in the panel on Internet of Things (IoT) security as part of the Automation Perspectives media event hosted by Rockwell Automation, just prior to Automation Fair 2015 in Chicago. It is clear that the ability to deal effectively with security threats is the No. 1 make-or-break factor for IoT adoption. As long as security concerns make companies reluctant to implement IoT, they will not benefit from the growing number of powerful IoT use cases that are emerging across all industries, including the digital revolution in manufacturing, where there is an identified 12.8 percent profit upside over three years for manufacturers that digitize.
IoT is now part of the very fabric of industry and the public infrastructure, including such essential services as transportation, the power grid, the water supply, and public safety. When these systems are compromised, the damage can go far beyond financial loss. Some examples in years following the Great Recession:
- 2008 – A 14-year-old Polish boy hacked a local tram system, disrupting traffic, derailing trams, and injuring 12 passengers
- 2009 – Due to a failure in the automated control system, a Washington D.C. Metrorail train struck the rear of a stopped train, resulting in death and injury
- 2014 – An overflow of wastewater at a water treatment plant was attributed to suspected unauthorized employee access
In recent years, there have also been hacks on nuclear power plants, transportation systems, and connected cars. No one wants their company to show up on the front page of the paper as a cyberattack victim. In addition to the physical impacts, attack vectors on IoT security can cause losses that are less immediately perceptible—but very real and lasting—including downtime, brand damage, breach of trust, and theft of intellectual property.
Historically, ownership of IoT security has fallen squarely on operational technology (OT) organizations, which have taken the approach of “security by obscurity”—the physical separation of production operations and industrial networks from enterprise networks and the Internet. However, the Stuxnet virus attack showed that physical isolation could be bridged with a simple USB drive; the virus then spread to the wider world when an engineer whose laptop was infected in the plant went home and connected to the Internet.
The old model of security by isolation has collapsed. Not only is it ineffective, but it is no longer practical, either in terms of the availability of industrial networking components or in terms of opportunity costs. The move to open standards, IT-OT convergence, and powerful new use cases requires an open flow of data between IoT endpoints, the enterprise IT infrastructure, and the cloud.
Increasingly, OT is adopting the same security measures developed for enterprise IT systems during the past decades, evolving them for OT requirements. New attack vectors are surfacing in the gaps between IT and OT practices, and they can be addressed in a unified way. The new model essentially “merges” IT security and OT practices and then adapts that new architecture to suit all of the new IT+OT paradigms and use cases.
The original focus of IT-OT convergence was on securing the perimeter of the network to prevent both internal and external security breaches. Today, we are concerned not only with what we can do before an attack, to deter it, but also with the actions that can be taken during and after the attack to reduce time to discovery and to quickly assess and minimize negative impacts. Some of the main challenges of securing IoT deployments include the scale of the problem—with 50 billion devices expected to be connected by 2020—as well as the diversity of environments, cultures, ownership, and skill sets that exist. Legacy hardware and software that were not designed for security continue to dominate existing systems. New use cases such as connected vehicles also require new approaches to, for example, identity verification.
So, how should organizations approach IoT security? According to the 2015 Data Breach Investigations Report, most security breaches exploit well-known vulnerabilities where companies have not implemented available fixes. The first step, therefore, is to implement existing best practices. Thus, I recommend the following:
- Converge: Adopt a single security architecture. Chief Information Security Officers (CISOs) should expand the enterprise IT security architecture to include OT in a way that respects both IT and OT and the new converged model. We need to leverage the expertise that has developed over decades of dealing with IT security and augment it with the OT-relevant use cases, best practices and requirements. A new security paradigm is emerging, built on an open, unified architecture, with cross-vendor interoperability and automated, risk-based self-defense and self-healing capabilities. A fragmented organizational and architectural approach will only strain already-stretched security resources and needlessly open vulnerabilities that can be addressed by a unified approach.
- Collaborate: Enterprise partner ecosystems need to work together on common architectures, incorporating OT requirements into the technology provider’s product portfolio, for example by offering ruggedized versions, supporting specific industrial protocols, or meeting up-time requirements. The collaboration between Cisco and Rockwell is an excellent example of collaboration around a unified, standards-based IT-OT technology and security architecture.
- Consolidate around standards: Vendors and enterprises alike need to leverage IT industry standards and best practices in OT. We need to continue to bring OT use cases to traditional standards bodies, and to fill in the gaps between industry-specific and horizontal standards organizations.
- Consider an industry approach: As an industry, we need to work together to address security requirements for new IoT use cases. For example, the Cisco Security Grand Challenge is a global, industry-wide initiative to bring the security community together to address securing IoT. Existing industry players should also look for promising security startups to fund, especially in the areas of vertical applications and web security.
Cisco has been working for years to secure IoT deployments by embedding security capabilities throughout the network, and has recently extended its Security Everywhere strategy deeper into the cloud, network, and endpoints. This sort of platform-driven approach improves visibility across the entire network—not just on a piecemeal, device-by-device basis—to enable protection before, during, and after attacks. As IoT moves large volumes of data beyond the plant floor and across an expanding ecosystem, agile, automated, and secure IT architectures will be an essential component of success.