Securing the Internet of Things

National Institute of Standards and Technology NIST 8228 cybersecurity and privacy in the Internet of Things
Key factors for cybersecurity and privacy in the Internet of Things

Information Technology (IT) and Operational Technology (OT) are different in a lot of ways, from their design to their maintenance workflows and more. When IT and OT merge, these differences create all new challenges for cybersecurity.

IT has standards for protecting device security, data security, and people’s privacy, but these standards do not make sense for many connected OT devices. 

In IT, for example, cybersecurity vulnerabilities are the absolute top priority. In OT, operations are the top priority, while network security is a very close second. Ensuring the building is still functioning as expected is critical to maintain physical safety and security, before addressing a network vulnerability.

Last year, the National Institute of Standards and Technology (NIST) released a report called “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” (which you can download for free!). NIST’s paper explores these exact differences and cybersecurity risks. The report is an in-depth analysis of current threats and how IoT devices can or cannot meet those threats head-on. 

The paper really resonated with us, and we were excited to share a CliffsNotes-style analysis of it on our recent webinar.

This is a huge opportunity to pull in your IT counterparts and collaborate on cybersecurity standards that make sense for your connected OT devices.

Check out our one-hour webinar where we went through NIST’s report, summarizing what IT and OT teams on the ground should know about their systems and security. We dug into top risks identified in the report, challenges for securing the Internet of Things, and NIST’s recommendations.

  • Defining the Internet of Things: 2:23 – 3:26
  • Cybersecurity and privacy goals: 3:26 – 21:55
  • Cybersecurity for OT is different from IT: 21:55 – 29:05
  • Cybersecurity considerations and recommendations: 29:05 – 41:54
  • Questions: 41:54 – 48:40

Defining the Internet of Things

The Internet of Things has been defined in many different ways over the years, but NIST essentially positions it as the result of IT and OT merging. 

The outcome is smart, connected, operational technology. Now, devices like security cameras, lighting, access control, and more can collect and aggregate data. 

The Internet of Things and Connected Operational Technology

Cybersecurity and privacy goals

Device security, data privacy, and people's personally identifiable information

There are three basic goals for cybersecurity. They are: 

  1. Device Security: Making sure that a device isn’t attacked, and isn’t used to conduct attacks, like a Distributed Denial of Service (DDoS), eavesdropping on network traffic, or compromising other devices’ security. 
  2. Data Security: Protecting the data’s Confidentiality, Integrity, and Availability, also known as the “CIA Triad.” 
    • Confidentiality means that only those who are authorized can access information.
    • Integrity means that information is not altered in between sending and receiving.
    • Availability means that data is accessible whenever it is needed.
  3. Individuals’ Privacy: Protecting the data we might inadvertently collect on people in the built environment. While we collect data about devices, we don’t want to compromise the Personally Identifiable Information (PII) of people who use or interact with those devices. Privacy and protecting people’s data is a growing concern these days, particularly with new laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Protecting individuals’ privacy applies to all connected devices that process PII. 

All of these goals work together for a more secure environment, with different ways to mitigate risks.

For example, the NIST cybersecurity framework provides a great approach for ensuring device security: identify, protect, detect, respond, and recover. 

Broken down further, you might focus your efforts on asset management, vulnerability management, and access management.  

  • Asset management: Know what you have, including the software your devices are running. 

  • Vulnerability management: Identify vulnerabilities in your IoT devices’ software and firmware, and work on getting rid of those vulnerabilities to reduce the likelihood of a cyberattack. 

  • Access management: Manage and mitigate unauthorized physical or logical access to IoT devices.


To maintain data security, you’ll want to focus on stopping unauthorized access and tampering with data, including data at rest and in transit. You should also monitor your connected devices for abnormal behaviour and signs of a breach.

To protect individuals’ PII, it’s important to understand the flow of this information, including any third-party processing. Maintain permissions for this information processing, and help individuals make informed decisions about giving that permission. You might also look at ways to disconnect people’s information from the IoT data. 

Cybersecurity for OT is different from IT

There are a few key ways that cybersecurity for connected OT differs from that of IT. 

First, IoT devices interact with the physical world in a way that IT devices do not. There are a few different implications from that. 

  • More people might have physical access to your IoT devices, given that everything from the thermostat in the bathroom to the security camera in the hallway could be connected. Additionally, devices that were once only available locally could now be available through remote access, providing another access point. 
  • Sensors in public and private spaces can collect huge amounts of data about individuals, with or without their knowledge. 
  • While cybersecurity is a top priority, it is still a close second to making sure devices are operational. That’s because the physical security of people in the building must always come first. If doors, fire alarms, security cameras, and lights aren’t operational, it can have a huge effect on the safety of a building. Consequently, automatic software patching may be ill-advised, because an untested software update could adversely affect the physical environment. 

Second, the ability to access, manage, and monitor IoT devices is still in its infancy. 

  • The IoT devices that do have these features tend to be quite limited, especially compared to what our IT counterparts are used to. 
  • Traditional networking switches are often called “black boxes” because of these limitations. “Black box” devices also might not be serviceable, meaning they can’t be altered, updated, or repaired.
  • That may mean manually managing, troubleshooting, and servicing devices, which becomes incredibly difficult as the number of IoT devices grows. 
  • IT tools often don’t transfer over, and likely won’t work for inventory management or monitoring data flow. 

Finally, just as they have limited access, management, and monitoring features, many IoT devices also have limited cybersecurity and privacy features. 

  • Devices that have cybersecurity and privacy features tend to be quite limited. 
  • This may require extra manual effort to minimize cybersecurity risks, which can become excessive as the network grows. 
  • And using IT software is not a copy-and-paste solution, because of differences in protocols and device behaviour. 

Cybersecurity considerations and recommendations

Cybersecurity is an ongoing journey. We will always be learning, improving our policies, and learning some more. This diagram, adapted from one in the NIST report, illustrates that.

Cybersecurity is an ongoing process

But there are a few considerations NIST provided to improve your cybersecurity procedures. They are: 

  • Understand which devices have IoT capabilities.
  • Know what those IoT capabilities are. 
  • Consider the IoT devices’ environment.
  • Assess risks based on the full context of the IoT device. 
  • Plan ways to mitigate the risk, and determine how to respond to the risk.

A few of our own recommendations to improve your cybersecurity are to:

  • Implement strong segmentation to limit the effect of cybersecurity attacks. This might include VLANs or subnetting, dedicated separate networks, or cellular connections.
  • Opt for IoT devices with visibility and management capabilities. Don’t use unmanaged or “black box” IoT devices. “Black box” devices offer no visibility, and the cheap upfront cost will lead to high troubleshooting costs and cybersecurity risks. 
  • Develop simple cybersecurity policies that staff will actually follow, and install software they will actually use. Create an open dialogue on cybersecurity, so your staff understand the importance of it. And make it clear that staff will not be punished if they bring forward a cybersecurity concern, even if the vulnerability was caused by human error. It’s better to know when a vulnerability arises, so that it can be dealt with.
  • And finally, as NIST also mentioned in the report, be sure to test software before patching it through to the building. Having a few spare devices from the building system that you can test patches on will help ensure that the network won’t be adversely affected by software updates.
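NIST's considerations and the recommendations above, as an added worked example (this is our illustration, not code from the NIST report or from Optigo): a rule-based triage that scores each building device from its full context and lists the mitigations that follow, so segmentation, PII handling and the "test before patching" rule fall out of the inventory. The device fields, the weights and the sample inventory are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """One connected OT device plus the context that drives its risk."""
    name: str
    capabilities: frozenset   # subset of {"network", "remote_access", "collects_pii"}
    life_safety: bool         # doors, fire alarms, cameras, lights: operations come first
    public_area: bool         # physically reachable by non-staff
    managed: bool             # has visibility/management features (not a "black box")

# (context test, weight, mitigation). Weights are this example's assumption, not NIST's.
FACTORS = [
    (lambda d: "network" in d.capabilities, 1, "segment onto a dedicated VLAN or subnet for this device class"),
    (lambda d: "remote_access" in d.capabilities, 2, "limit remote access to an authenticated, logged path"),
    (lambda d: "collects_pii" in d.capabilities, 2, "map the PII data flow incl. third parties; decouple PII from IoT data"),
    (lambda d: d.public_area, 1, "restrict and log physical access to the device"),
    (lambda d: d.life_safety, 2, "no automatic patching; test each update on a spare device first"),
    (lambda d: not d.managed, 2, "plan replacement with a managed device; monitor its switch port meanwhile"),
]

def assess(d: Device):
    """Score a device from its full context and list the mitigations that follow."""
    hits = [(w, m) for applies, w, m in FACTORS if applies(d)]
    return sum(w for w, _ in hits), [m for _, m in hits]

def prioritize(inventory):
    """Device names ordered highest risk first; ties broken by name."""
    return [d.name for d in sorted(inventory, key=lambda d: (-assess(d)[0], d.name))]

# Constructed sample inventory for one building; not real devices.
INVENTORY = [
    Device("hallway-camera", frozenset({"network", "remote_access", "collects_pii"}), True, True, True),
    Device("bathroom-thermostat", frozenset({"network"}), False, True, False),
    Device("fire-alarm-panel", frozenset({"network"}), True, False, True),
    Device("lobby-access-controller", frozenset({"network", "collects_pii"}), True, True, False),
]

if __name__ == "__main__":
    for name in prioritize(INVENTORY):
        device = next(d for d in INVENTORY if d.name == name)
        score, steps = assess(device)
        print(f"{name}: risk {score}")
        for step in steps:
            print("  -", step)
```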

There you have it! We’d encourage you to dig into NIST’s report yourself as well, as it goes into even more depth on the differences between IT and connected OT and their security standards. Hopefully this gives you a starting ground to better understand your IoT devices, and how to secure them.  

By Pook-Ping Yao, CEO, Optigo Networks