Earlier this month I attended Cisco’s Internet of Things World Forum in Dubai (disclosure: Cisco is a client of ZK Research). One of the things I liked about the event is that it showcased a wide variety of uses cases across a number of different vertical industries. Some were in the ideation phase, some were early stage, and some fully deployed. While many of the use cases were quite different, there was one point of commonality, and that’s the need for security.
The Internet of things (IoT) poses quite a different challenge for security and IT professionals. Traditional cybersecurity is becoming increasingly difficult even though most IT devices being connected have some basic security capabilities. Now consider the operational technology (OT) being connected to our company networks to enable IoT. These are devices like medical equipment, factory floor machines, drills, shipping containers, and other things that have no inherent security capabilities and the most basic network functions.
The stakes for IoT security are high, too. We’re rapidly moving into a world where everything is connected and automating more and more functions. There are significant privacy and security concerns related to this that make security mandatory. So, given the importance of security and the fact that IoT creates new security risks, what’s the best way to secure the environment?
To help answer this question, I interviewed Jeff Costlow, Security Architect for Tempered Networks, a company that specializes in securing business-critical systems and vulnerable endpoints, including industrial systems – one of the early uses cases for IoT.
The first bit of advice Jeff had was to build security into the design of the system. He compared it to the cost of fixing bugs in software. The cheapest, most cost-effective phase to find bugs is in the design phase. Once the software is in Q&A, the cost increases by a factor of 10. In production, it’s another 10x increase in cost.
Similarly, with IoT, trying to secure the system after it’s in production can be extremely time-consuming, complicated, and expensive. Building security into the design phase is still likely to be complex, but it gives you the time to ensure the environment is properly secured.
Part of the process is to understand the environment and assume the worst. For example, no one could have predicted Heartbleed and Shellshock, but companies could have planned for the scenario of the web servers being breached.
Another step Costlow mentioned, and, from what I have seen, this is something most organizations do poorly, is gathering information about the OT technologies and understanding the security lifecycle for each device. This means building knowledge of how the devices are patched, how firmware is updated, and what’s required. If a device requires a path to the Internet to be updated, then that device needs some kind of path to the Internet to allow that to happen. The next step would be to understand how to provide that path without putting the business at risk.
One strategy to accomplish this is to enable network segmentation. If the network is partitioned into secure segments, or zones, then the IoT devices could be isolated from the traditional IT devices. One benefit of segmenting the IoT endpoints is that OT could continue to manage all of their devices without requiring support from IT or putting IT at risk. If a path to the Internet is required, then that could be granted, and if the device is somehow breached, the devices in that segment are the only ones impacted. The zone can be quarantined and remediation steps can be taken without incurring the risk that other systems, IT or OT, are infected.
At the end of our conversation, Jeff Costlow reiterated that no matter what security measures are taken, the earlier in the deployment cycle they are implemented, the more impactful and cost-effective they will be. As the old axiom goes, it’s always better to measure twice and cut once.