In August 2019, hackers shut down critical infrastructure systems within Bahrain's Electricity and Water Authority. Unlike the usual thefts or breaches that have, unfortunately, become too common, this attack was on a different scale, targeting operational technology (OT) devices.
OT involves hardware and software that monitor or control physical devices, which is entirely separate from the IT world that mostly deals with computing technology. OT devices are typically purpose-built and vendor-specific, and they sometimes come with their own proprietary operating system. However, the line is starting to blur.
As enterprises seek to collect information from OT devices to optimise and modify the manufacturing process, many appliances are being brought online. Herein lies the problem: none of these devices were prepared for the new environment or for the OT security challenges that came with it.
OT systems used to work in isolation. As such, there was no need for the same kind of security required for IT devices.
"Their operators historically relied on an air gap between the networks of devices, but those gaps no longer exist," explained Jeff Hussey, CEO of Tempered Networks, based in Seattle. At the same time, the IT infrastructure is not prepared for the massive scale of OT devices joining its network. The TCP/IP protocol is 45 years old and primarily created for connectivity, not OT security. The IT/OT convergence has thus expanded the attack surface exponentially.
"Traditional solutions were architected to protect smaller, simpler networks connecting servers and endpoints, which are frequently updated as security vulnerabilities are discovered," Hussey said. "These shortcomings are notable, because traditional OT devices are typically much less secure than IT endpoints, are harder to patch [and] update, and allow for remote control of critical infrastructure -- in addition to data exfiltration. It's no longer about just losing data, but also losing control of buildings, factories, hospitals and even cruise ships."
According to former Wall Street infrastructure analyst Gabe Lowy, the current firewall and VPN layers only protect north-south network traffic, such as incoming internet connections, but they leave out east-west communication. This means once hackers manage to penetrate a network, they can escalate their attack and access the entire system. In cases where traditional security tools are used, the resulting network becomes too complex -- and complexity is always in the hacker's favor, as it leaves more opportunities for them to exploit.
New Ways Of Protection
The Internet Engineering Task Force tackled the shortcomings of TCP/IP with the Host Identity Protocol (HIP). It is an IPv4- and IPv6-compatible trust protocol under which a host only responds to connections that have been authenticated and authorised, effectively enforcing microsegmentation. Microsegmentation achieves east-west protection without relying on firewalls -- but, as Hussey explained, there is a shortcoming.
"Traditional approaches to microsegmentation are really shims, which add more complexity to the stack in exchange for enhanced east-west protection," he said. "But inner firewalls, segmentation shims nor VPNs [and] ACLs [access control lists] can scale effectively for industrial IoT demands."
Also, however valuable the security gain, replacing an entire network of devices would be a significant upgrade, and one that can be very expensive and time-consuming.
Instead, Tempered Networks, a secure networking company, developed a platform that functions as an overlay for converged infrastructure. This means enterprises can keep their existing network and security stack in place, but deploy an industrial IoT microsegmentation overlay to protect the endpoints that are high-risk and hard to update. The impact on existing firewalls, intrusion prevention and access control services is thus minimal, and IIoT devices can be protected and cloaked from remote, malicious reconnaissance and malware.
The technology, which was used at Boeing for 12 years before being commercialised, places centralised management on top of HIP, so communication, authentication and authorisation rules are controlled from a single location.
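To make the behaviour described above concrete, here is an added example (not Tempered Networks' code, nor an implementation of the HIP wire protocol) modelling an identity-based overlay gate in front of one OT endpoint: peers are addressed by a Host Identity Tag derived from a host identity rather than by IP, the gate answers only peers that both authenticate and appear on the east-west allow-list, and everything else is dropped silently so the device stays invisible to scans. The identities, keys and the HMAC-based proof that stands in for HIP's public-key signature are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

def host_identity_tag(host_identity: bytes) -> str:
    # Real HIP derives a 128-bit HIT from the public host identity key;
    # here it is a truncated SHA-256 of a constructed identity blob.
    return hashlib.sha256(host_identity).hexdigest()[:32]

def make_proof(key: bytes, nonce: bytes, hit: str) -> bytes:
    # Stand-in for the signature carried in HIP's base exchange; a per-identity
    # HMAC is used so the example runs on the standard library alone.
    return hmac.new(key, nonce + hit.encode(), hashlib.sha256).digest()

class OverlayGate:
    """Default-deny gate protecting one endpoint: no identity, no reply."""
    def __init__(self, own_hit: str, keys: dict, policy: set):
        self.own_hit = own_hit
        self.keys = keys        # initiator HIT -> key used to verify its proof
        self.policy = policy    # allowed (initiator HIT, responder HIT) pairs
        self.audit = []         # (initiator HIT, decision) for the SOC to monitor

    def handle(self, initiator_hit: str, nonce: bytes, proof: bytes) -> Optional[str]:
        key = self.keys.get(initiator_hit)
        if key is None or not hmac.compare_digest(make_proof(key, nonce, initiator_hit), proof):
            self.audit.append((initiator_hit, "dropped: unauthenticated"))
            return None   # no reply at all: nothing for a scanner to fingerprint
        if (initiator_hit, self.own_hit) not in self.policy:
            self.audit.append((initiator_hit, "dropped: not authorised"))
            return None   # known identity, but no east-west policy allows this pair
        self.audit.append((initiator_hit, "accepted"))
        return "session:" + hashlib.sha256(nonce + proof).hexdigest()[:16]

def demo() -> dict:
    # Constructed identities and keys; nothing here comes from a real deployment.
    ids = {n: host_identity_tag(n.encode() + b"-constructed-host-identity")
           for n in ("plc", "historian", "workstation")}
    keys = {ids["historian"]: b"historian-key", ids["workstation"]: b"workstation-key"}
    plc = OverlayGate(ids["plc"], keys, {(ids["historian"], ids["plc"])})
    nonce = os.urandom(16)
    return {
        # historian: known identity, valid proof, policy allows historian -> PLC
        "historian": plc.handle(ids["historian"], nonce, make_proof(b"historian-key", nonce, ids["historian"])),
        # workstation: authenticates, but no policy entry lets it reach the PLC
        "workstation": plc.handle(ids["workstation"], nonce, make_proof(b"workstation-key", nonce, ids["workstation"])),
        # scanner: unknown identity with a forged proof; silently dropped
        "scanner": plc.handle(host_identity_tag(b"scanner"), nonce, b"\x00" * 32),
        "audit": plc.audit,
    }
```

The audit trail is the defender's side of the same property: silent drops give an attacker nothing, but each one is still recorded for detection.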
IoT will continue to grow, and businesses will find more value in bringing their devices online, enjoying the automation that follows and the analytics and data they can collect. But because the existing technologies were not prepared for this, CIOs need to be aware of the new challenges lurking in OT security and how to solve them. Otherwise, they will be walking on thin ice.