What to consider when mapping out a security strategy for IoT and OT

Cristina De Luca

July 15, 2022

IoT and OT technologies, solutions and capabilities are quickly becoming part of the fabric of organisations’ information infrastructure. They represent an evolving threat vector that is rapidly creating new classes and types of threats and vulnerabilities, greatly expanding the attack surface of the organisations that use them. These threats and vulnerabilities need to be analysed and integrated into an organisation’s information security and risk management strategy and planning if the organisation is to meet its information security and risk requirements, goals and objectives.

Security Operations Center (SOC) teams face several challenges in monitoring IoT/OT networks, including:

  • Lack of visibility: Security teams lack visibility and insight into these networks, even at the most basic level of understanding what devices they have and how they’re connected to each other (asset inventory).
  • Lack of expertise to understand incidents involving specialized industrial equipment, protocols, and behaviours.
  • Siloed organizations: There is often very little communication between IoT/OT and security teams — and a lack of a common vocabulary to describe suspicious or unauthorized behaviours.
  • Need for enterprise-wide view: To detect modern multi-stage attacks, we need to evaluate and link information across all of our data sources, including both IoT/OT assets (PLCs, HMIs, historians, etc.) and IT assets (desktops, servers, firewalls, identities, applications such as SAP, and cloud services).

In an article published this week by ISACA, John P. Pironti, president of IP Architects, presents five key points that every enterprise should consider when developing an integrated security strategy for IoT and OT.

  1. IoT and OT asset discovery and network segmentation – IoT and OT devices are produced by multiple manufacturers on multiple open source and proprietary operating systems, and each has varying levels of computing power, storage, and network throughput. Each IoT and OT endpoint should be identified and profiled, added to an asset inventory and continuously monitored for its health and security.

    In his view, devices should be segmented into separate virtual local area networks (VLANs) and have access control lists (ACLs) applied that limit their traffic paths to known sources, destinations, ports and protocols wherever possible. They should also be supported by network firewall proxies that can perform deep packet security inspection (and, for encrypted traffic flows, secure sockets layer [SSL] and transport layer security [TLS] decryption) and intrusion detection as traffic passes between VLANs and network segments, including Internet access.

  2. Continuous monitoring of IoT/OT threats – Threats and vulnerabilities associated with IoT and OT devices and systems must be constantly monitored, and traditional security monitoring tools and techniques need adjustments and tweaks to cover them.

    IoT and OT devices generally generate a limited amount of log and telemetry data, especially security-centric data. Effective IT and IoT security monitoring starts with understanding what is expected: the normal behaviours and telemetry these devices should generate. Once baselines are established, margins of error and thresholds for action should be developed using a risk-based approach to limit the false positive rates generated by IoT and OT devices. Data points, metrics and device telemetry can then be fed into security information and event management (SIEM) solutions so that organisations improve their security visibility and monitoring of their information infrastructure.

  3. IoT and OT device data collection – IoT and OT devices likely collect, store, process, and transmit a significant amount of nonpublic personal information (NPPI), personally identifiable information (PII), and, in healthcare settings, personal health information (PHI), whether intentionally or unintentionally. These data are vulnerable to exploitation and could be used by adversaries to obtain information about an individual or organisation. Because it is rarely obvious from the device itself what data it collects or interacts with, it is important to have a full understanding and disclosure of how the device operates and the data it works with. Only then can a proper risk and information security analysis be performed.

  4. IoT and OT Manufacturer Risk and Security – Enabling network connectivity for devices that traditionally have not incorporated IT into their function and design requires manufacturers to develop new features, provide new support functions, and integrate security features into their IoT and OT solutions. Manufacturers may not realise the risk and security considerations, impacts and/or requirements they must consider, which creates the opportunity to produce vulnerable devices.

    It is important that risk and security professionals develop methods, practices and evaluation criteria to assess IoT and OT devices prior to their introduction into an environment or connection to internal and external networks. A comprehensive threat and vulnerability analysis should be conducted to identify possible, probable and material impact threats. This analysis can be used to inform risk and security professionals and operators of the possible material threats and vulnerabilities in an IoT or OT device so that they can be considered in a risk assessment prior to the introduction and use of a device.

  5. Patching, configuration management and maintenance – IT security hygiene is essential to any successful security and risk strategy. Key elements of IT security hygiene include patching, configuration management and system maintenance. The introduction of IoT and OT devices has the potential to make this daunting task exponentially more difficult for many organisations. It is essential that IoT and OT devices can be centrally managed, configured and maintained to ensure that effective and appropriate risk and security measures can be implemented and maintained.
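The baseline-and-threshold approach described in point 2 (learn normal telemetry, set risk-based margins, emit SIEM-ready events) as an added example; this is not code from the article or from ISACA. The telemetry lines, device names, and the per-class tolerance table are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry (device,metric,value); not real historian output.
SAMPLE_TELEMETRY = """\
plc-01,msgs_per_min,118
plc-01,msgs_per_min,121
plc-01,msgs_per_min,119
plc-01,msgs_per_min,122
plc-01,msgs_per_min,120
hmi-02,msgs_per_min,41
hmi-02,msgs_per_min,39
hmi-02,msgs_per_min,40
hmi-02,msgs_per_min,42
hmi-02,msgs_per_min,38
"""

# Hypothetical risk-based tolerance (in standard deviations) per device class:
# a PLC driving a process gets a tighter margin than an operator HMI.
TOLERANCE_BY_CLASS = {"plc": 2.0, "hmi": 3.0}

def parse_telemetry(text):
    samples = defaultdict(list)
    for line in text.splitlines():
        device, metric, value = line.split(",")
        samples[(device, metric)].append(float(value))
    return samples

def build_baselines(samples):
    # Baseline = mean and population stdev of the learning window per (device, metric).
    return {k: (statistics.fmean(v), statistics.pstdev(v)) for k, v in samples.items()}

def evaluate(baselines, device, metric, value):
    """Return a SIEM-ready event: severity 'ok' / 'warn' / 'alert', or 'unknown'
    when the device has no baseline (a candidate for the asset inventory)."""
    key = (device, metric)
    if key not in baselines:
        return {"device": device, "metric": metric, "severity": "unknown", "z": None}
    mean, sd = baselines[key]
    # Floor the spread so very stable devices do not alert on tiny jitter.
    spread = max(sd, 0.01 * abs(mean), 1e-9)
    z = abs(value - mean) / spread
    tol = TOLERANCE_BY_CLASS.get(device.split("-")[0], 3.0)
    severity = "alert" if z > 2 * tol else "warn" if z > tol else "ok"
    return {"device": device, "metric": metric, "value": value, "severity": severity, "z": round(z, 2)}

if __name__ == "__main__":
    baselines = build_baselines(parse_telemetry(SAMPLE_TELEMETRY))
    for dev, val in [("plc-01", 121), ("plc-01", 124), ("hmi-02", 80), ("rtu-09", 5)]:
        print(evaluate(baselines, dev, "msgs_per_min", val))
```

The "unknown" outcome ties monitoring back to point 1: a device producing telemetry without a baseline is an asset the inventory has not yet captured.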

Therefore, having a hosted monitoring solution allows you to have access to all the information you need to ensure the availability and reliability of your infrastructure and network. Bringing IoT data into a larger monitoring concept that also includes OT and IT is not only beneficial but necessary.