OT and IT and Security by Design
Credit to Author: James Cabe | Date: Thu, 12 Oct 2017 12:50:59 +0000
This is part two of a two-part series. Read part one here.
Boy Scouts was more than simply a fun time. It was a learning experience that doesn’t get talked about much, mainly because of the funny socks and overly tight shorts. I went to my first campout in the piney woods of Texas. Mom wanted me to make friends easily, so she packed a bunch of granola bars in my new backpack so I could share them with the other scouts. When I set up my tent, I thought I was being neat and clean when I put my backpack under my cot (makeshift bed). I then went out to play capture the flag at dusk, ate dinner by the campfire, told stories and finally got peckish enough to run back to my tent for the granola bars. When I got to my tent, my clothes had been scattered on the ground and the granola bars were nowhere to be found. I started to get upset and angry that someone had gone into my tent and taken them. I looked around, asked accusing questions of people in other tents and scoured the area for clues. It was then that I noticed a little trail that started about five feet from the tent, and I followed it.
I found the first wrapper. Then others.
I followed a trail of gluttony to a small alley behind the trading post set up at the center of the camp. It was there that I found the largest raccoon I had ever seen in my life. It stood up and I pulled out my trusty knife. Take some advice from a country kid: Don’t ever try to fight a raccoon. You will lose.
That means any size of raccoon.
The same advice applies to hackers. It’s the reason why so many people are against offensive counter-hacking. It can cause more issues than it solves. The granola bars in my story are representative of the current state of modern IoT devices. They are chewy and easy to eat. There are multiple ways to access and use them. And when they’re sitting under your cot, or attached to the public areas of your network, they cannot be easily defended. The best defense would have been for me to hang them far out of reach. In network parlance, that means that I should have segmented them from everything else I had (if for no other reason than to have saved my clothes). I should have wrapped them in a plastic bag to keep the smell contained, and I should have hung them high in a tree or in my tent. I believe that IoT needs the same sort of defense. IoT devices are especially vulnerable to attack. Deception technology, segmentation with next-generation firewalls, monitoring and application control will be the only things that help resolve this issue.
And that’s just from the hackers.
Preventing territorial knife fights with security by design
Because they have traditionally had clear borders and full control of their respective areas, OT and IT people tend to be nearly as territorial as the raccoons. But as the line between IT and OT continues to blur, issues arise that sometimes render these teams unable to work together to implement a common solution, such as security measures, segmentation and monitoring.
This is the sort of knife fight that most management will not want to step into. If not handled carefully, politically mandated demarcations between the two teams can introduce large gaps in what needs to be an airtight protection strategy, especially for infrastructure that necessarily crosses the boundaries between the OT and IT domains.
DVRs and security cameras are one of the biggest examples of the problems this can create. The latest physical security technology has moved away from traditional co-ax connectors and old-style analog CCTV to fully networked Ethernet connectivity. And it’s not been pretty. These new systems have been hacked so many times that there are whole websites dedicated to tracking the hacked and easily accessible ones.
But it’s not just physical security systems that are the problem. Attacks targeting HVAC remote controls are so common they have been dramatized in television shows. Researchers have shown in large public forums that robotics and their control systems can be manipulated remotely. Even transportation represents a fairly large attack surface due to Wi-Fi access and the vulnerable control systems installed in cars and trucks. Driverless cars and the autonomous trucking of goods and services are on the horizon, and they will not just change an entire industry, they will expose organizations and average citizens to a whole new range of risk.
The dark alley in this case isn’t behind the trading post. It lurks on the dark net and in the dark corners of your networks where most companies do not think people can reach. But they can, and they will. Which means digital resources get compromised. All because you haven’t put your granola bars up high enough.
What we’re talking about is protection by design. The networks of today’s digital businesses now span a variety of ecosystems, from IoT to the cloud, and cross between traditionally isolated IT and OT domains. As do threats. Today’s cyberattacks are more sophisticated than ever and use complex network environments to avoid detection. To respond effectively, traditionally isolated security tools need to be woven into a single expert system that can span and adapt to the new borderless and highly distributed network. Such an integrated security fabric approach can see into all the dark corners, correlate what it finds and automatically respond to threats everywhere, all at the same time and at digital speeds.
Before today’s smarter raccoons can make off with all your stuff.
Original article was published in IoT Agenda and can be found here.