IIoT security: How to securely connect legacy OT systems
The internet of things (IoT) has turned the industry’s traditional security model of isolationism on its head. Suddenly, devices and systems, until now segregated by physical locks and operational air-gaps, are easily accessible.
“In IT, servers are locked away in data centers where only background-checked staff can enter the building. In OT, environments are air gapped and isolated from IT networks. In IoT we are deliberately bridging the OT/IT divide, potentially or inevitably altering the nature of isolation,” explains Jay Thoden van Velzen, director of IoT security at SAP.
In industrial settings, connecting legacy control systems to IoT platforms presents significant security challenges because of the way information and operation technologies (IT and OT) have developed. “Connecting this equipment can solve many problems, but integrating the existing infrastructure presents unique security risks,” comments Michela Menting, research director in digital security at ABI Research.
The two systems lack interoperability, “especially in manufacturing”, she notes. “Until recently, companies could not connect IT and OT.” Part of the reason for this is that OT systems have stood still, and aloof, while IT has become more sophisticated.
“Automation of the manufacturing floor is happening, but there is still a dependency on old technology. What they are really doing is bolting new technology onto a lot of older systems without really reviewing the overall security aspects of it altogether,” says Senthil Ramakrishnan, lead member of technical staff at AT&T. “
AT&T has come across manufacturers running OT systems on Windows 98. Menting reckons some are still making use of Windows 3.1, from 1992. Industrial IoT is a double-edged prospect for manufacturers and supply chain businesses, at once gleaming with opportunity and shaded with risk.
“The real value is in the combination of machines and control systems in OT networks. That is also where the biggest dangers lie – where manipulation of the sensor feed can trigger adverse affects in the IT and OT environments, or even a compromise of the two,” comments van Velzen.
It is essential enterprises carefully manage legacy OT equipment out of the door, says Jaya Baloo, chief information and security officer at KPN. “If you build something new, you have to throw away something old. You build maturity from the start, so anything you introduce to your system will last the course. That is where you start,” she says.
Once the networking landscape has been mapped, it needs to be connected up and locked down. The primary way enterprises, particularly in heavy industry and critical infrastructure, achieve this is by air-gapping their IT and OT systems. But the term has lost its meaning with the rise of IoT.
“The term gets thrown about a bit. In a practical sense, we tend to find the air gap is not a gap at all. Especially as the various OT environments are looking to be managed remotely, and the data analytics of the various systems are being aggregated in a common system that both the IT and OT systems communicate with,” says Brett Kelsey, chief technology strategist at McAfee.
An authentication layer is required, at every layer in the IoT stack. Where OT equipment is too expensive to replace, and too old to secure, and where limited-functionality devices are used, then identity and authentication must be a step removed, in the gateways that aggregate data from the sensors. Above this, the same model of identity and authentication must be evident in the transport encryption in the network and the cloud layer itself.
Stéphane Quetglas, enterprise IoT marketing manager at Gemalto, says there is no excuse for enterprises setting out industrial IoT deployments, no matter the vintage of their OT systems. “It is perfectly possible to start now. You don’t have to revamp your whole factory,” he says recommending a staggered approach to establish and expand the business case for factory automation.
For an in-depth look at this topic, download the report “Industrial IoT security – the pitfalls and practicalities of securing manufacturing and supply chain IoT systems.”