Today let’s talk about IoT as a plurality. I suspect that you may have recently heard the phrase that “words matter,” and when talking about something as broad and diverse as “IoT” it really does indeed matter. It matters because correctly defining what you are speaking about, and to whom, will help to drive towards the right area of focus when describing IoT security. So let’s jump in.
We view the IoT as consisting of three major pieces: IT, OT, and CT. IT is what you think it is: data center, cloud, the enterprise network (and its connected devices), mobile devices and so on. OT refers to operational technology or industrial networks. You’ll hear terms like ICS (industrial control systems), SCADA (which is actually a subset of ICS), IIoT (Industrial Internet of Things). For our purposes here, they all refer to the same thing. Think manufacturing plants, power substations, oil rigs, and so on. Lastly, CT refers to consumer technology, which would consist of things like wearables and the connected home.
In this column we will be focusing on the OT and a bit on IT, particularly healthcare. We won’t spend time on CT devices we see at home like Alexa or Google Home in this post.
There are industries whose “things” are not applied to a frequently repeatable process. While engines in an automobile assembly plant are always placed within a chassis, not every hospital patient gets an MRI. Your electrical utility won’t alter its voltage or frequency at your home based on specific appliances but you can avoid waiting in line at Starbucks for your cold pressed coffee.
Now let’s break down OT even further and propose some typical attributes that drive specific security use cases.
If you work in a mature discrete unit-manufacturing environment, say an auto manufacturer, your plant floor may have been built out by a set of specialized integrators. Your company specified the need for a means of painting auto parts. Paint Part Inc. responded, brought in its own assembly line. They put it together and showed you where you could plug it into the rest of the plant. From a networking perspective somebody just dropped in a huge subnet with little to no documentation as to what is within. By the way, if there are multiple of those I’ll bet they looked identical from a network perspective. NAT away and get back to re-integrating later perhaps?
What powers that auto plant however looks rather different. Your electricity likely comes from a couple of diverse sources – coal or gas-fired generators or maybe hydropower? Those might look like fairly simple manufacturing plants. Getting the power to you however is relatively simple, well-controlled, and understood. Utilities have been doing “WAN”s for many decades. On the other hand they attract a good amount of regulatory attention and there are all kinds of helpful guidelines to tell you how to do things. Once you get past the squirrels, security needs are fairly well defined.
The medical field has its own unique challenges. From a network and security perspective it could be the closest to what you may have experienced in the IT side. Most everything is talking TCP/IP. Lots of PCs and tablets. Wireless all over. Personal ID concerns, credit card PCI needs, and highly mobile, life-critical equipment going up the elevator, out the door and coming in another door from that remote clinic via an ambulance. Dynamic like nothing else you’ve seen. Sounds exciting!
There is so much more for each of these different environments that describe their needs from a security context, and so many other environments we did not discuss. So much more related to their networks, the people who work there, the *things* at play, and how it all comes together. The point is that in these worlds, again purposely plural, the IoT is highly variable and so it will help greatly to recognize that we are charged with securing it all.
*What’s the most unique IoT scenario you’ve seen? We’d love to hear about it in the comments.