How the hard-won lessons of IT are helping IIoT leapfrog to a better state of security
Every industrial Internet of Things (IIoT) customer I speak to wants the strongest possible security. But who inside the customer’s organization will execute and own the process? In meeting after meeting with customers building IIoT capabilities, I encounter a natural but sometimes tense uncertainty between IT and OT/LOB professionals when it comes to IIoT security. That uncertainty is itself a security vulnerability because it delays essential security deployment.
In a recent blog, I explored significant differences between enterprise IT and OT, and how ABB bridges them in our quest to be the most trusted cybersecurity partner. Among those differences:
• Availability: IT often treats 99.9 percent (“three nines”) uptime as acceptable, while OT requires 99.999 percent (“five nines”) – the difference between roughly 8.76 hours and roughly 5.26 minutes of downtime per year.
• System life: IT systems are refreshed, on average, every three to five years. OT systems, by contrast, last 10 to 15 years.
• Patching: IT patching/updates can be done whenever updates are available, but OT patching/updates risk interrupting strategic, revenue-generating industrial operations.
There are many other IT/OT differences as well – such as varying approaches to the cloud – but all of them are subsumed by the universal need for the most resilient IIoT security available. The critical importance of strengthening industrial IoT security as soon as possible was recently underlined when malware known as Triton or Trisis, engineered specifically to tamper with Triconex safety instrumented systems (the safety layer of an industrial control system, ICS), necessitated the precautionary shutdown of an oil and gas facility in the Middle East in 2017. Earlier, in December 2016, Crash Override (also aptly known as Industroyer) targeted the Ukrainian transmission operator Ukrenergo, causing a blackout in Kiev.
While the convergence of digital IT and physical OT is driving the 4th Industrial Revolution on a macro level, within individual companies the unresolved IT/OT question is hindering development and deployment of IIoT security. A recent Forrester survey of IT and OT/LOB leaders showed IT and OT managers evenly divided on whether IT or OT is responsible for security, as reported by InformationWeek’s Dark Reading. As an alarming result of this standoff, reports Forrester, an unacceptably large number of companies – 59 percent – are willing to “tolerate medium-to-high risk in relation to IoT security.”
I believe that’s wrong, as well as dangerous. The uncertainty generated by OT/IT friction is a major security vulnerability because it delays protecting a company’s defining assets. The key to swift, effective action is a holistic approach that harmonizes the talent, commitment, knowledge, and capabilities of IT and OT professionals.
The big idea: Leapfrogging to an advanced state of IIoT Security
Our approach is to help industrial companies use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security – expertly architected and deployed to meet OT’s differentiated requirements. A good analogy is emerging economies that never built extensive landline communications or traditional energy grids and can now simply leapfrog aging infrastructure and go right to wireless/digital telecom and distributed energy grids.
If one thinks of OT systems as another form of data center – the heavily protected core of enterprise IT – there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT. Among them:
Separation of end-point networks
IT has learned the security advantage of separating end-point networks of PCs and mobile devices from the core data center. As people carry their company laptops around, they can get hooked on the addictive drug known as free Wi-Fi connection anywhere. Free, but dangerous. Those end points can easily become compromised.
So IT has developed ways to erect a “border crossing” that separates end-point networks from the data center until PCs and laptops pass rigorous vetting. Not just user names, passwords, and authentication codes, but complete border-crossing-style background checks: Where have those machines been? What have they been doing? What software is loaded on them? Is the endpoint agent still running and reporting? Levels of access to the data center are then granted in keeping with the results of each machine’s background check, and a machine that fails is held outside until it is remediated.
The number of users, and therefore end-point machines, is smaller in IIoT than in enterprises, but the same separation, vetting, and “border crossing” background checks can be used to strengthen IIoT security.
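The “border crossing” described above is easier to reason about as code. The following is an added example, not ABB’s or any customer’s implementation: it takes a device’s reported posture (patch age, installed software, networks joined, agent health) and returns an access tier. The field names, approved lists, thresholds and sample devices are all assumptions constructed for illustration.

```python
# Added example (not ABB's code): a posture "border crossing" check that grants
# tiered access based on where a laptop has been and what is loaded on it.
# Field names, approved lists, thresholds and sample devices are assumptions.
from dataclasses import dataclass
from datetime import date

APPROVED_SOFTWARE = {"endpoint-agent", "vpn-client", "historian-viewer"}  # assumed allow-list
TRUSTED_NETWORKS = {"corp-wired", "corp-wifi", "plant-ops"}               # assumed trusted segments
MAX_PATCH_AGE_DAYS = 30                                                   # assumed policy threshold

# Access tiers, from least to most privileged
QUARANTINE, LIMITED, FULL = "quarantine", "limited", "full"


@dataclass
class Device:
    hostname: str
    last_patched: date
    installed: set          # software inventory reported by the endpoint agent
    networks_seen: set      # networks joined since the last successful check
    agent_healthy: bool     # endpoint agent running and reporting


def assess(device: Device, today: date):
    """Return (tier, findings) for a device requesting entry to the protected core.

    Hard failures (no agent, unapproved software) quarantine the device: its own
    inventory cannot be trusted, so no further vetting is meaningful.
    Soft failures (untrusted networks, stale patches) limit access instead.
    Only a device with no findings at all gets FULL; the default is to deny.
    """
    findings = []
    if not device.agent_healthy:
        findings.append("agent not reporting")
    unapproved = device.installed - APPROVED_SOFTWARE
    if unapproved:
        findings.append("unapproved software: " + ", ".join(sorted(unapproved)))
    if findings:                        # inventory untrustworthy -> stop here
        return QUARANTINE, findings

    untrusted = device.networks_seen - TRUSTED_NETWORKS
    if untrusted:
        findings.append("joined untrusted networks: " + ", ".join(sorted(untrusted)))
    patch_age = (today - device.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {patch_age} days old")
    return (LIMITED if findings else FULL), findings


def demo():
    """Constructed sample fleet; returns {hostname: tier}."""
    today = date(2018, 3, 1)
    fleet = [
        # clean: recent patches, only trusted networks, approved software
        Device("lt-0001", date(2018, 2, 20), {"endpoint-agent", "vpn-client"},
               {"corp-wifi"}, True),
        # soft failures: free airport Wi-Fi and patches 90 days old
        Device("lt-0002", date(2017, 12, 1), {"endpoint-agent", "vpn-client"},
               {"corp-wifi", "airport-free-wifi"}, True),
        # hard failure: unapproved software on the machine
        Device("lt-0003", date(2018, 2, 25), {"endpoint-agent", "torrent-client"},
               {"corp-wired"}, True),
    ]
    return {d.hostname: assess(d, today)[0] for d in fleet}


if __name__ == "__main__":
    for host, tier in demo().items():
        print(host, tier)
```

The ordering matters: a machine whose agent is down or that carries software outside the allow-list is quarantined before its other attributes are even considered, because everything else in the check is self-reported by that same machine. In a real deployment the `Device` record would be filled from a NAC or endpoint-management system rather than built by hand.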
Micro-segmentation
Data centers consist of networks of many machines. Traditionally, once users reach the data center via one machine, they can also reach many others. But in most cases there’s no need for users to have that kind of access. The traditional approach was to protect the data center with a perimeter firewall. New threats have proved that a perimeter firewall alone isn’t enough, because it does nothing about movement between machines once the perimeter is crossed. The problem is too much unnecessary access.
Via micro-segmentation, security officers study the interrelationship of machines to determine which machines must talk to which other machines, and restrict access to necessary connections only. This materially reduces vulnerability and potential damage.
Much as we’d like to, it’s impossible for anyone to guarantee 100 percent fail-safe IIoT security. So we harden what we can, and reduce attack surfaces to the bare minimum. By dividing networks into isolated micro-segments – enforced logically in switches, firewalls and host policies, or physically where the process allows it – we build security walls within security walls, on the assumption that bad guys will be able to get through one or two, but not all of them.
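To make the micro-segmentation argument concrete, the following added example (not ABB’s code) derives a least-privilege allow-list from a baseline of observed flows, enforces default-deny against it, flags the cross-zone flows that deserve human review, and measures how many hosts an intruder who owns one machine can still reach compared with a flat network. The hosts, zones, ports and flows are constructed for illustration.

```python
# Added example (not ABB's code): derive a least-privilege flow allow-list from an
# observed baseline, enforce default-deny, and measure what an intruder could reach.
# The hosts, zones and flows below are constructed for illustration.
from collections import defaultdict, deque

# Constructed baseline of (src, dst, tcp_port) flows seen during a learning window.
OBSERVED_FLOWS = [
    ("hmi-01", "plc-01", 502),          # Modbus/TCP from HMI to PLC
    ("hmi-01", "plc-02", 502),
    ("historian", "plc-01", 502),       # historian polls PLC
    ("eng-ws", "plc-01", 44818),        # EtherNet/IP from engineering workstation
    ("corp-laptop", "historian", 443),  # enterprise user views historian web UI
]

# Assumed zone assignment (simplified Purdue-style levels)
ZONES = {
    "plc-01": "control", "plc-02": "control", "hmi-01": "control",
    "historian": "dmz", "eng-ws": "engineering", "corp-laptop": "enterprise",
}


def build_policy(flows):
    """The allow-list is exactly the observed set; anything unobserved is denied."""
    return set(flows)


def is_allowed(policy, src, dst, port):
    """Default deny: a flow passes only if it is in the allow-list."""
    return (src, dst, port) in policy


def cross_zone_flows(policy, zones):
    """Flows that cross a zone boundary. Each one deserves human review before
    it is kept, because each is also a path an intruder can use."""
    return sorted(f for f in policy if zones[f[0]] != zones[f[1]])


def reachable_from(policy, start):
    """Hosts an attacker who owns `start` can connect to, following allowed flows
    transitively (each compromised host is assumed usable as the next hop)."""
    nexthops = defaultdict(set)
    for src, dst, _ in policy:
        nexthops[src].add(dst)
    seen, queue = set(), deque([start])
    while queue:
        host = queue.popleft()
        for dst in nexthops[host]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(policy, hosts, start):
    """(hosts reachable under the policy, hosts reachable on a flat network)."""
    flat = set(hosts) - {start}
    return reachable_from(policy, start), flat


if __name__ == "__main__":
    policy = build_policy(OBSERVED_FLOWS)
    print("cross-zone flows to review:", cross_zone_flows(policy, ZONES))
    print("corp-laptop -> plc-01:502 allowed?",
          is_allowed(policy, "corp-laptop", "plc-01", 502))
    segmented, flat = blast_radius(policy, ZONES, "corp-laptop")
    print(f"from corp-laptop: {len(segmented)} hosts reachable vs {len(flat)} on a flat network")
```

The review step is where OT knowledge is indispensable: of the three cross-zone flows the code surfaces, an engineer decides which are genuinely required (the historian poll, the engineering workstation’s programming session) and which should be re-routed through a jump host or dropped. The reachability count is the quantity micro-segmentation actually reduces; the policy itself would then be rendered into switch ACLs, firewall zones or host-based rules.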
I’ve framed this post as a fraternal “come together” call for professionals in IT and OT/LOB, but I know it’s not that simple. There are significant differences between the two, and it would be foolish to tell OT professionals how much they have to learn from IT. And yet, what unites people in IT and OT – companies’ fundamental need for IIoT security – is, or should be, stronger than what divides us.
As someone who started out in the IT world, I’ve brought IT-derived security ideas to my OT colleagues within ABB with humble awareness that OT presents unique challenges in a unique environment. With that understanding, we’ve been able to learn from and support each other. I’m doing the same with OT and IT professionals at ABB customers, working to combine our mutual experience, expertise, and innovation to craft the most powerful, trusted and effective IIoT security.
Reference: ForeScout, “Forrester IoT Survey and Thought Leadership Paper,” November 8, 2017.