IoT Security Requirements for OT

Distributed Denial of Service (DDoS) attacks that take down well-known websites are alarming wake up calls for organizations with limited security. Many of these attacks take advantage of vulnerabilities in home-connected IoT devices.

These attacks are making home users and operational technology (OT) users fearful as IoT devices become more prevalent on all types of networks. According to a security panel at a KMC conference, the code written for these attacks is not advanced, but it does pose a threat due to its widespread availability. The hackers released the malware code online for the public, so anyone with bad intentions has a fast start to launching their own DDoS attack.

Home networks and OT networks share some attributes that make them easy targets for hackers, especially around security. Typically, the general attitude is that what happens on these networks is so mundane that no one would put resources into launching an attack. That cavalier thinking poses a real threat.

“The malware community is waiting for unprotected devices and openings,” says Jennifer Gilburg, director of strategy at Intel’s IOT Security Group. “Applying a few best practices from IT is a good start toward preventing these types of attacks.”

Adding Layers of Protection for IoT

Smart DVD players, Internet-enabled cameras and IP security systems are among the home devices that are easy prey for hackers. When home owners add this equipment to their networks they rarely change the manufacturers’ default password, or they choose a password that is much too easy to guess, such as their address, last name or 1234.

Home owners aren’t the only ones ignoring password-protection best practices. BMW took the easy path for security in its connected car and regretted it. The automaker assigned the vehicle identity number as its identification code, making it vulnerable to hacks during session management.

“Simply changing the password can push the security posture up 90 percent,” said Gilburg.

As more devices join the OT network, managers can learn from what’s happening to home owners and make their networks safer with these extra precautions.

Change passwords (using a combination of a phrase, upper case and lower case letters, numbers and symbols is more secure than a word)
Schedule port scans
Create staging environments
Conduct reliability and remote PIN testing
Close all open ports
Allow hot code patching
Threat model every device
Create an access governance strategy
Consider PKI for authentication

Security Is a Safe IoT Entry Point for Solution Providers

This list is far from comprehensive, but it’s a good place to start. For longtime IT personnel, these practices are well known and common starting points when testing new network infrastructure. They are much less known within OT. Among OT providers at the conference, the gap between IT and OT is achingly wide. Many expressed the difficulty of finding someone in IT to help them with their IoT projects and a lack of understanding about IT security requirements.

Intel has developed an IoT reference architecture to bring intelligence to endpoint things by enabling edge analytics, standards compliance, and direct-connect cloud control. The vertical security layer (right) secures all layers, which is critical for satisfying the security tenet.

Intel Security architecture

Photo credit: Intel® IoT Platform Reference Architecture white paper

OT expects that manufacturers will build the necessary security into their solutions. But the OT manager often doesn’t have the expertise to test every integrated solution and may miss some security requirements that IT expects. The risk for managers—and the business—is real, as IoT projects are in danger of becoming delayed or possibly shut down if IoT devices do not meet IT security requirements.

Solution providers who understand IT security can find a strong foothold in IoT deployments for industrial, smart building, manufacturing and other operational environments. Security is awash with acronyms and technologies that are unfamiliar to the managers leading these projects. Resources, such as the guidelines from the Department of Homeland Security, the Industrial Internet Consortium, OpenFog Consortium and others can help organizations begin to understand the layered approach that IT expects from IoT devices, architectures and deployments.

Reviewing IoT devices, designing secure IoT architectures, testing device security and educating the OT team on security are premium, high-margin services for solution providers in IoT deployments. In most cases, the decision makers (building and facility managers, line managers, quality control managers and operations managers) have no IT or security expertise and are looking for support, so they can move their IoT projects forward.

Learn more about security on the Intel® IoT platform.