IOT Security – It starts with IT and OT
From exploring mobile devices and wearables, the world is just waiting for a tsunami of unprecedented scale – IOT devices. This Internet of Things, essentially having machines to talk to each other and to humans, brings in a volume of devices from the consumers, factories, and everything in between. Any device that has a characteristic, can communicate, and that essentially means that it can be affected, if somebody intends to.
Information technology(IT) has grown leaps and bounds towards multipurpose, standardized protocols – in particular the Internet Protocol ( IP) which means that the network administrators can essentially focus on solving problems that are understandable – even though the problems sometimes can be complex. Newer attacks happen and newer ways are found to solve. Now imagine billions of devices, with individual protocols joining the fray. This comes from the ‘automation network’, essentially called ‘Operational Technology’ networks.
In its simplest form, the Internet of Things ( IoT) essentially is a convergence of Information and Operational technology. In this series, we will take up each aspect of IT and OT and see how the convergence creates new security challenges and nightmares for conventional network and security administrators.
Operational technology essential means Industrial Automated networks, which are traditionally isolated, physically. These networks have grown in their own way. The devices connected to these network has specific purpose, and limited capability in terms of their role either as a sensor, transmitter, recorder or an analyser – ( essentially four roles that combines to monitor) and then command and control ( essentially two roles that combine to manage). The isolationism has been a given for security – that is unless physically intervened, the Automated or the OT network is safe.
Secondly because of limited but specific functionality, and taking the above silo-factor into consideration, the evolution of protocols have become more proprietary and specific than general and standardized. This means that one is dealing with a plethora of protocols – like DataNet and ControlNet. There are finer lower layer protocols as well. Security was never a factor in their evolution. There are limited number of players in the OT league, but some level of standardization is evolving like Z-Wave which has decided on using a particular security protocol which uses AES-128—and Zigbee, who uses another security protocol that’s different, but they also use AES-128 encryption as well.
The convergence of IT and OT brings in three major factors – a) Standardization issue which impacts Network and Security Design in terms of protocols and devices b) Attention of hackers towards existing OT networks c) Scale of vulnerability going up. We will analyse these three in the next blog.