As networking technology charges ahead it’s getting more difficult to categorise groups of networked things we think of as IT, OT, and IoT. Is there a difference any longer? Let’s find out.
GIVEN the many recent cyber security incidents involving non-traditional computing, and the propensity to call anything that’s not a computer IoT, it seemed timely to write an article discussing the 3 different classes of technology, their key differences, and their differing vulnerabilities and security management requirements. There are many reasons for this blurring, not the least of which is that many technologies that traditionally operated on a ‘dumb’ machine now run on a computer, and that there’s a lot of uncertainty about what’s under the hood of these devices.
I do want to highlight up front that the comments in this article are broad generalisations and intended to drive thought and contemplation of one's specific environment rather than to suggest how we fix the world. Let’s begin with the easy part – information technology. IT can be broadly thought of as traditional computing – servers, workstations, applications, networking, laptops, smart phones etc. It's generally well understood with regards to security, management, etc.
Business IT teams are typically mature, most modern applications and operating systems having mechanisms for protection, detection, and updating. As much as there are people who object to mechanisms such as forced automatic updates in Windows 10, operating system updates are part of the ASD top 4, now the essential 8, for a reason.
There are so many good resources for information security management, if you're not reading or learning from them, it's unlikely that anything I write will make a difference either so I shan’t comment on security IT much further.
Next comes the Internet of Things. NIST recently released its Network of Things definition document (Special Publication 800-183) for IoT devices. It's tricky to compress a 25-page document to a few lines, however, the essential aspects of IoT are that they consist of:
* Sensors that communicate with each other and a central data platform
* A software service that analyses data from these devices
* A decision process or trigger based on the data analysis.
They're typically sold as ‘smart’ thingies and would include devices such as smart thermostats, smart watches, fitness trackers, and smart lights. There is also a raft of smart stuff that has me ask myself ‘what on earth were they thinking?’ such as internet-connected sex toys. IoT devices have some degree of on-board computing capability, and are designed to be part of a broader ecosystem to function effectively. From a security perspective, there is a very broad attack surface to be managed, much of it often outside of the user’s control.
Figure 1 – Network of Things Decision Tree – From NIST Special Publication 800-183
The device may be susceptible to a variety of attacks including physical attack, or a direct remote attack on the device via its communications channels. The communication between the device and the network may be susceptible – the Bluetooth communication between a fitness tracker and a smart phone could be eavesdropped or intercepted; the Wi-Fi communication between a smart light globe and a wireless router could be compromised.
The network devices that control the communication channel could be compromised – many routers allow you to monitor all traffic or a smart phone with spyware installed would let an attacker view anything on your device. There's the communication back to the cloud service which may operate across a variety of platforms or mediums. Finally, there's the cloud service itself over which we typically have no control. IoT devices send data to the cloud services where it is typically stored and analysed.
Even if we have good security controls for our smart devices, how do we ensure adequate security from the cloud providers? Alternatively, our smart devices mostly become dumb devices if we opt out of the cloud service.
Security literature is full of vulnerability disclosures (responsible or otherwise) of compromised IoT devices & systems. The main limitation is the attacker’s imagination.
Lastly, there's Operational Technology (OT) which can be thought of as IoT without the smarts or dumb connected devices. This typically comprises of more traditional technology devices which have connectivity to a central server and are largely non-reliant on cloud services. This includes technologies such as basic IP video systems, Building Management Systems, older smart home, or automation systems, as well as manufacturing equipment, power production, traffic lights and other critical infrastructure (CI)
Unlike IoT, which has computing all the way to the edge, OT typically either connects dumb sensors to a controller as is the case with programmable logic controllers (PLC's) used for manufacturing equipment or building automation; or have networked devices connected to a command and control server such as IP video systems, or access control systems. That doesn't mean, there's no computing power in the networked devices, but they're largely set and forget. A notable exception would be a CCTV camera with edge analytics which sits closer to the IoT side of the fence.
If we consider IoT to be challenging to secure because of its newness, OT is similarly challenging to secure because of its age. When much of this technology was designed, network connectedness was never considered and security has by and large been bolted or layered on rather than built in. Protocols in the OT world are mostly unencrypted, and frequently lack any authentication mechanisms or similar security features. PLC's haven't changed all that much since they were programmed via a serial cable, yet they are now connected to IT networks where the level of risk to which they are exposed is greatly increased.
Mechanisms to update firmware on these devices are typically manual, and carry a very real risk of "bricking" the device. Securing OT is unarguably challenging, but increasingly important both for the protection of the OT as well as for the protection of the IT environments to which they are connected. The increasing publicity around and frequency of attacks on critical infrastructure, OT, and IoT all increase the likelihood of these systems being attacked.
The key aspects of securing OT are the same as securing any other environment:
– Understand your threats and your vulnerabilities.
– Evaluate the threats and vulnerabilities against your risk appetite
– Patch the unacceptable vulnerabilities that you can
– Deploy controls to mitigate those that you can't.
– Monitor the environment for anomalous behaviour
– Repeat the process.
Finally, it’s important to consider security with respect to the OT environment not only as the target or victim network, but also as the attacking network. With OT environments often far more poorly secured that IT environments, it's possible an attacker may hack into your OT environment to launch an attack on your IT environment. ♦
By Simon Pollak
Views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies or any organisation or entity. Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology). Simon contributes to <I>SEN<I> discussing all things cyber and converged security. Follow him on https://twitter.com/SimonPollak or https://au.linkedin.com/in/simonpollak