Network engineers face a number of challenges when deploying Internet of Things (IoT) initiatives. Come back to the Cisco IoT blog over the next few weeks as we dive into the top three IoT challenges, and best practices for conquering them.

First up, the biggest challenge in IoT by a longshot: security.

IoT security threats differ significantly from security threats in traditional IT environments: in traditional IT, security concerns are focused first and foremost on protecting data. Attackers can steal data, compromise data, and hold it ransom. Recently, they are just as interested in stealing compute power for malicious cryptomining activities.

While these security concerns exist in IoT, they also go further, extending beyond the data and into the physical world. At minimum, an IoT security incident can inconvenience people or interrupt operations, causing millions of dollars of damage within a few short hours. At worst, these attacks can damage systems that control a physical process and even put lives at risk. Consider the following examples:

  • The infamous Stuxnet attack in 2010 leveraged multiple zero-day flaws in Microsoft Windows software. The objective was to detect and corrupt PLCs running Siemen’s Step7 software so as to reprogram these with malware to cause the fast-spinning nuclear centrifuges under their control to literally tear themselves apart. The end result of this attack saw one-fifth of Iran’s nuclear centrifuges destroyed.
  • We saw the first successful cyberattack on a power grid in 2015 when cyberattackers gained control of multiple Ukrainian power stations, resulting in the loss of electricity to over 225,000 residents for periods of up to six hours. This complex and multi-phased attack not only gained control of SCADA systems, allowing foreign actors to remotely switch off substations, but also included a DoS attack on the call center so that consumers were unable to call in to report issues or to receive updates of the status of the blackout.
  • In 2017, an attacker deployed ICS malware, dubbed Triton, designed to manipulate industrial safety systems so as to cause operational disruption of critical infrastructure. The attacker’s specific targeting of the Safety Instrumented Systems (SIS) suggest an interest in causing a high-impact attack with physical consequences (an attack objective not typically seen from cybercrime groups). Analysis of the incident lead the investigators to believe this was the work of a nation-state preparing for a broader attack.
  • In 2019, a ransomware attack on Norsk Hydro, one of the world’s largest manufacturers of aluminum, forced the company to switch to manual operations in a bid to contain the breach. The attack cost the company $52M and resulted in a worldwide increase of the price of aluminum.

These incidents show how critical—and challenging—security can be in IoT scenarios.

Preventing and Containing IoT Security Threats

In the examples above, security breaches could have been prevented entirely—or, at the least, significantly contained—using a network security best practice: segmentation. Segmentation is one of the most effective network design principles to deploy for security. It’s a universally accepted networking axiom – but if so, why don’t organizations fully segment their networks?

The answer: it’s complicated.

To reduce costs, organizations have converged their data, voice, and video networks onto a shared physical infrastructure. More recently, IoT devices have also been added to the same IP network. However, it’s necessary to maintain logical separation between these services for security and management purposes. To do so, network engineers typically segment the network using VLANs. This process requires multiple steps, touchpoints, policies, and user interfaces. At a high level, network engineers must create groups in Active Directory, define policies, execute VLANs/subnets, and implement the policy.

The complex nature of segmentation not only makes the task a tedious one, it also increases the risk of human error. For example, access control lists (ACLs) on network devices are often tens of thousands of lines long. They are difficult to manage and understand due to poorly documented reasons for each line in the entry. If there’s one discrepancy for ACLs from one device to another, there’s a potential vulnerability and an attack vector that can be exploited.

Bringing Cisco Security to IoT

Given the key role network segmentation plays in protecting network assets, it’s critical that network administrators can segment the network efficiently and effectively. At Cisco, we simplify segmentation by applying intent-based networking to the enterprise network. This specific expression of intent-based networking is called Software Defined Access (SDA).

Software Defined Access eliminates the need for network administrators to speak the language of access control lists or group policies in order to identify which network devices can talk to each other. With a few simple clicks and drag-and-drops of the mouse, network administrators can establish separate virtual networks for voice, data, guest access wireless, BYOD, IoT, and more. This year, we extended these capabilities all the way to the IoT edge — so that parking lots, distribution centers, manufacturing facilities, airports, seaports, etc. can all be managed from the same single pane of glass as the carpeted enterprise, namely Cisco DNA Center.

Using Cisco DNA Center, a centralized management dashboard, network administrators can provision networks across the enterprise and ensure that devices assigned to one virtual network can’t talk to the devices on another virtual network. In fact, the devices on one virtual network can’t even see the other virtual networks. As far as they’re concerned, the virtual network they are connected to is the one and only network that exists or that has ever existed. That means IoT devices assigned to an IoT virtual network can only communicate with other devices assigned to the same virtual network and nothing (and no one) else. Such logical separation is called macro-segmentation.

However, SDA offers an even more granular policy option to network administrators.

In macro segmentation, any device within a virtual network can by default talk to any other device in that same virtual network. So, if video cameras, temperature sensors, and badge readers all assigned to a single “IoT Virtual Network”, these devices – by default – would be able to communicate with each other. Such communication can present a security issue – If a single device is compromised, attackers will use that device to scan the network for other devices that may provide a further foothold into the organization (Watch how this is done). That’s where micro-segmentation comes in.

In Cisco DNA Center, network administrators can easily create micro-segmentation policies that define which devices can speak to other devices within the same virtual network. (Watch the demo, Cisco Extended Enterprise with DNA-C.) Administrators can also configure the policy to send an alert if those devices attempt to communicate with unauthorized devices, which could be indicative of a potential security attack. In our example above, video cameras can be configured to speak only to other video cameras, and if they try to speak to the temperature sensors or badge readers, an alert will be issued.

The ability to segment the network on both a macro and micro level with SDA is a great solution to both preventing and containing a security breach. It easily scales to address the needs of the enterprise network and now Cisco customers can apply these same concepts to their IoT networks. Furthermore, they can do so efficiently and effectively using the same management interface they use for the enterprise network. Want to learn more? Check out our on-demand webinar, Cisco IoT: Drive Transformation in the Public Safety, Oil and Gas, and Manufacturing Sectors. And don’t forget to check back on the Cisco IoT blog for the other top challenges facing enterprise IoT.