
07 Nov Why IT security strategy is unfeasible to protect Industrial IoT Networks
When talking about the Industrial sector, what is the most important thing to achieve? I am almost certain that most people’s answer would be to preserve operational continuity and user safety. However, if we added cyber security to this equation, how would your answer change?
Well, I think that the answer would remain the same, but does the same answer fit if we move the question to the IT domain? Probably not! In IT, the answer would be more related to maintaining consistent policies and controls across the organization and to protecting sensitive applications and confidential data from unauthorized access.
To briefly sum up the key difference between IT and OT, it is possible to argue that IT is centred on an organization’s front-end informational activities, while OT is focused on its back-end production.
If we stopped here, this would already be enough to understand that the two scenarios are profoundly different, not only from a technological point of view but also from a procedural and regulatory one, and to understand how these differences affect cybersecurity.
Hard times to face
In fact, if it is true that today it is no longer possible to avoid dealing with cyber security, it is also true that the concept of feeling safe is blurred. The reason is that the level of security mostly comes from the perception of the risk we face in our everyday activities, and this has more to do with psychological aspects than with technological choices.
And it is precisely in this scenario that one might be tempted to adopt the same security measures that are effective in the IT department for the entire factory, making a big mistake.
Nowadays, in general, the approach to security is driven by the purchase of appliances for every security purpose: firewalls, IPS, antivirus, managed switches, etc. This results in a set of defensive tools that can be used to deal with the wide range of threats and malware running on the network.

Talking about firewalls
It is quite common to find extensive use of firewalls in an Industrial network. This is certainly useful, but I would like to point out that security based on firewalls is perimeter security: it is effective only where the boundaries of the network are known and the hosts within the network can themselves be protected. This is not the case in an Industrial network, which is considered borderless. It is very difficult to draw a network perimeter because of the continuous presence of external operators with their own equipment and of VPN tunnels for remote maintenance. Moreover, most of the hosts within the OT network cannot be protected at all: PLCs, sensors, actuators, CCTV cameras, etc. are in fact unprotected black boxes.
Sometimes this perimeter protection strategy is taken to the limit by placing a firewall in front of each device to be protected, for example in front of each work center. However, this clearly invasive strategy leaves IT with the problem of installing, configuring and maintaining a plethora of firewalls scattered throughout the industrial network, and it could create operational continuity problems for OT. What could happen if a PLC programmer or industrial electrician, while doing their job, runs into a problem caused by the perimeter security? What do you suppose happens when a misplaced or misconfigured firewall delays their work or causes operational downtime? I am willing to bet that the firewall would be removed with the connivance of the company’s OT operators. The only defence implemented is thus dismissed.
Does Detection mean Protection?
Other defensive strategies are based on Intrusion Detection or Prevention Systems (IDS, IPS). This is a well-defined approach based on identifying threats while they are trying to get in, or, if they have already entered, while they move within the network. This approach to cyber security is indeed very effective in IT networks: when a threat or incorrect behaviour is found, an automatic remediation is put in place, containing and isolating the threat. But can you use the same strategy in an industrial IoT domain? Well, let’s always keep in mind that operational and business continuity is the first goal of any OT manager. Productivity comes first, together with the safety of the operators, obviously, and it would be rather strange to implement an operational strategy that can automatically stop production because a piece of software may have identified a questionable presence or movement in the network. Needless to say, only supervised security systems can be operative in an industrial environment, and this brings us back to the constant dependence of the OT department on the IT department.
Therefore, a security strategy based on detection methods can only be partially effective: it is continuously subject to the actions of users and IT support, and constantly exposed to new threats and malware such as zero-day exploits.
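To make the supervised-versus-automatic distinction concrete, here is an added example (not code from the original post) of a zone-aware alert dispatcher: alerts on IT assets may trigger automatic isolation, while alerts on OT assets, and on hosts nobody has inventoried (the borderless-network case above), are only queued for an operator to review. Host names, zones, signatures and the inventory are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Response:
    host: str
    action: str   # "isolate" (automatic) or "review" (an operator decides)
    reason: str


# Constructed asset inventory: the zone each known host belongs to.
INVENTORY = {
    "erp-app-01": "IT",
    "eng-laptop-7": "IT",
    "plc-line3": "OT",
    "hmi-packaging": "OT",
}


def dispatch(alert, inventory=INVENTORY):
    """Map one IDS alert to a response under a zone-aware policy.

    alert is a dict: {"host": str, "severity": int 1-10, "signature": str}
    """
    host = alert["host"]
    zone = inventory.get(host)
    if zone is None:
        # An unknown host is the borderless-network problem in practice:
        # nobody knows what it is, so nothing is blocked without a human look.
        return Response(host, "review", "host not in inventory")
    if zone == "OT":
        # Detection never stops production on its own; an OT operator decides.
        return Response(host, "review", f"OT asset, supervised handling of {alert['signature']}")
    if alert["severity"] >= 7:
        # IT zone: automatic isolation is acceptable and expected.
        return Response(host, "isolate", f"IT asset, high-severity {alert['signature']}")
    return Response(host, "review", "IT asset, low severity")


def process(alerts, inventory=INVENTORY):
    """Run a batch of alerts through the policy; return one Response each."""
    return [dispatch(a, inventory) for a in alerts]


# Constructed sample alerts, shaped like what an IDS might emit.
SAMPLE_ALERTS = [
    {"host": "erp-app-01", "severity": 9, "signature": "c2-beacon"},
    {"host": "plc-line3", "severity": 9, "signature": "modbus-write-burst"},
    {"host": "eng-laptop-7", "severity": 3, "signature": "port-scan"},
    {"host": "ghost-host", "severity": 8, "signature": "smb-anomaly"},
]

if __name__ == "__main__":
    for r in process(SAMPLE_ALERTS):
        print(f"{r.host:14} {r.action:8} {r.reason}")
```

The point is in the policy, not the plumbing: the same high-severity signature yields "isolate" on an IT host and "review" on a PLC, so production is never stopped by the detector alone.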
Virtual LANs are just smaller LANs
Last but not least, I want to mention VLANs, which in broad terms are just smaller LANs; the same problems faced in a LAN are still there, only in a smaller form. Don’t get me wrong, VLANs are an essential part of any industrial network, but VLANs act on the network architecture and cannot be considered a security strategy. Approaching security with only network segmentation in mind results in a weak definition of network zones and nothing more.
So, is an IT security strategy feasible and effective in protecting an IoT Industry Network? The short answer is no.
The boundary conditions that govern the industrial sector are profoundly different, and it doesn’t matter how many firewalls, IPS, VLANs, tunnels or defensive services you have in place: without knowledge and continuous supervision and management, OT security will amount to a weak jumble of equipment. This turns the focus, on one hand, onto you and your ability to make the best use of the tools you have available, and, on the other hand, onto user actions and how strictly best practices and security procedures are followed. In fact, it doesn’t matter how simple, intuitive and automated the tools you have in place are; management ability and user actions always play a fundamental role.
However, as the famous expression goes, “the blanket is short”: trying to define stringent security procedures to minimize malware attacks creates operating conditions in which operators are unable to do their work efficiently, and consequently they disregard, bypass or remove the cyber security protections that hinder them. It is well known that the stricter the protection you try to get, the more involved in the security you have to be, and in the Industrial sector this represents a continuous challenge to operational continuity.
So, at the end of the day, which strategy is the best fit for you, what are the boundary conditions that make OT security different from IT security, and what conclusions can we draw?
Just a little hint: in industry it is necessary to move from an attitude of protection to a mindset in which prevention comes before detection, keeping in mind the goal of preserving operational continuity and user safety.