Information Technology (IT) and Operational Technology (OT) are different in a lot of ways, from their design to their maintenance workflows and more. When IT and OT merge, these differences create all new challenges for cybersecurity.
IT has standards for protecting device security, data security, and people’s privacy, but these standards do not make sense for many connected OT devices.
In IT, for example, fixing a cybersecurity vulnerability is the absolute top priority, and a server can be taken offline to do it. In OT, keeping the building operational is the top priority, with network security a very close second. Ensuring the building is still functioning as expected is critical to maintaining physical safety and security, and comes before addressing a network vulnerability.
Last year, the National Institute of Standards and Technology (NIST) released a report called “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” (NISTIR 8228, which you can download for free!). NIST’s paper explores these exact differences and cybersecurity risks. The report is an in-depth analysis of current threats and of how IoT devices can or cannot meet those threats head-on.
The paper really resonated with us, and we were excited to share a CliffsNotes-style analysis of it on our recent webinar.
This is a huge opportunity to pull in your IT counterparts and collaborate on cybersecurity standards that make sense for your connected OT devices.
Check out our one-hour webinar where we went through NIST’s report, summarizing what IT and OT teams on the ground should know about their systems and security. We dug into top risks identified in the report, challenges for securing the Internet of Things, and NIST’s recommendations.
- Defining the Internet of Things: 2:23 – 3:26
- Cybersecurity and privacy goals: 3:26 – 21:55
- Cybersecurity for OT is different from IT: 21:55 – 29:05
- Cybersecurity considerations and recommendations: 29:05 – 41:54
- Questions: 41:54 – 48:40
Defining the Internet of Things
The Internet of Things has been defined in many different ways over the years, but NIST essentially positions it as the result of IT and OT merging.
The outcome is smart, connected, operational technology. Now, devices like security cameras, lighting, access control, and more can collect and aggregate data.
Cybersecurity and privacy goals
There are three basic goals for cybersecurity. They are:
- Device Security: Making sure that a device isn’t attacked, and isn’t used to conduct attacks, like a Distributed Denial of Service (DDoS), eavesdropping on network traffic, or compromising other devices’ security.
- Data Security: Protecting the data’s Confidentiality, Integrity, and Availability, also known as the “CIA Triad.”
- Confidentiality means that only those who are authorized can access information.
- Integrity means that information is not altered, whether in transit or at rest, without that alteration being detected.
- Availability means that data is accessible whenever it is needed.
- Individuals’ Privacy: Protecting the data we might inadvertently collect on people in the built environment. While we collect data about devices, we don’t want to compromise the Personally Identifiable Information (PII) of people who use or interact with those devices. Privacy and protecting people’s data is a growing concern these days, particularly with new laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Protecting individuals’ privacy applies to all connected devices that process PII.
All of these goals work together for a more secure environment, with different ways to mitigate risks.
For example, the NIST cybersecurity framework provides a great approach for ensuring device security: identify, protect, detect, respond, and recover.
Broken down further, you might focus your efforts on asset management, vulnerability management, and access management.
Asset management: Know what you have, including the software your devices are running.
Vulnerability management: Identify vulnerabilities in your IoT devices’ software and firmware, and work on getting rid of those vulnerabilities to reduce the likelihood of a cyberattack.
Access management: Manage and mitigate unauthorized physical or logical access to IoT devices.
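Asset management and vulnerability management are easier to reason about with something concrete in hand. The script below is an added example for this post, not code from the NIST report or the webinar: it holds a small asset register with firmware versions, matches it against vendor advisories that state the first fixed version, and flags anything seen on the network that the register does not know about. The vendors, models, firmware versions, advisory labels and MAC addresses are all constructed sample data.

```python
"""Asset and vulnerability management for connected OT devices.

Added example for this post, not code from the NIST report or the webinar.
The vendors, models, firmware versions, advisories and MAC addresses below
are all constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    vendor: str
    model: str
    firmware: str
    location: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed label, not a real CVE or vendor bulletin
    vendor: str
    model: str
    fixed_in: str     # first firmware version that is not affected
    summary: str


def parse_version(version: str) -> tuple:
    """Turn a vendor version string ('1.9.2', 'v3.4', '2.0.1-rc1') into a
    tuple of ints so versions compare numerically. Plain string comparison
    gets this wrong: '1.9.2' > '1.10.0' as strings, but 1.9.2 is the older
    firmware."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def normalize_mac(mac: str) -> str:
    """Switch MAC tables, scanners and vendor labels disagree on case and
    separators; normalize before comparing."""
    return mac.lower().replace("-", ":")


# Constructed asset register: what we believe is installed and what it runs.
INVENTORY = [
    Device("00:11:22:33:44:01", "ExampleCam", "IPC-200", "1.9.2", "Hallway 2F"),
    Device("00:11:22:33:44:02", "ExampleCam", "IPC-200", "1.10.0", "Lobby"),
    Device("00-11-22-33-44-03", "ExampleHVAC", "T-50", "v3.4", "Bathroom 3F"),
    Device("00:11:22:33:44:04", "ExampleAccess", "DoorCtl", "7.1.5", "Loading dock"),
]

# Constructed advisories: affected vendor/model and the first fixed firmware.
ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-1", "ExampleCam", "IPC-200", "1.10.0", "placeholder camera advisory"),
    Advisory("ADV-CONSTRUCTED-2", "ExampleHVAC", "T-50", "3.5.0", "placeholder HVAC advisory"),
]

# Constructed output of a network scan or a switch MAC-address table.
DISCOVERED_MACS = [
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00-11-22-33-44-03",
    "00:11:22:33:44:04", "AA:BB:CC:DD:EE:FF",
]


def vulnerable_devices(inventory, advisories):
    """Vulnerability management: pair each device with every advisory for its
    vendor/model whose fix it has not yet received."""
    hits = []
    for device in inventory:
        for adv in advisories:
            same_product = (adv.vendor, adv.model) == (device.vendor, device.model)
            if same_product and parse_version(device.firmware) < parse_version(adv.fixed_in):
                hits.append((device, adv))
    return hits


def unknown_devices(inventory, discovered_macs):
    """Asset management: anything on the wire that the register does not
    know about needs to be identified before it can be managed."""
    known = {normalize_mac(d.mac) for d in inventory}
    return sorted({normalize_mac(m) for m in discovered_macs} - known)


def report(inventory=INVENTORY, advisories=ADVISORIES, discovered=DISCOVERED_MACS):
    """One line per action item: firmware to update, device to identify."""
    lines = []
    for device, adv in vulnerable_devices(inventory, advisories):
        lines.append(f"PATCH {device.location}: {device.vendor} {device.model} "
                     f"{device.firmware} -> {adv.fixed_in} ({adv.advisory_id})")
    for mac in unknown_devices(inventory, discovered):
        lines.append(f"UNKNOWN device {mac} seen on the network, not in inventory")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The two checks that matter in practice are the ones that are easy to get wrong by hand: firmware versions must be compared numerically rather than as strings (otherwise 1.9.2 looks newer than 1.10.0), and MAC addresses must be normalized before the scan is compared against the register, or every differently-formatted label turns into a false "unknown device".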
Learn more about the cybersecurity framework for BAS systems.
To maintain data security, you’ll want to focus on stopping unauthorized access and tampering with data, including data at rest and in transit. You should also monitor your connected devices for abnormal behaviour and signs of a breach.
To protect individuals’ PII, it’s important to understand the flow of this information, including any third-party processing. Maintain permissions for this information processing, and help individuals make informed decisions about giving that permission. You might also look at ways to disconnect people’s information from the IoT data.
Cybersecurity for OT is different from IT
There are a few key ways that cybersecurity for connected OT differs from that of IT.
First, IoT devices interact with the physical world in a way that IT devices do not. There are a few different implications from that.
- More people might have physical access to your IoT devices, given that everything from the thermostat in the bathroom to the security camera in the hallway could be connected. Additionally, devices that were once only available locally could now be available through remote access, providing another access point.
- Sensors in public and private spaces can collect huge amounts of data about individuals, with or without their knowledge.
- While cybersecurity is a top priority, it is still a close second to making sure devices are operational. That’s because the physical security of people in the building must always come first. If doors, fire alarms, security cameras, and lights aren’t operational, it can have a huge effect on the safety of a building. Consequently, automatic software patching may be ill-advised, because an untested software update could adversely affect the physical environment.
Second, the ability to access, manage, and monitor IoT devices is still in its infancy.
- The IoT devices that do have these features tend to be quite limited, especially compared to what our IT counterparts are used to.
- Many IoT devices are effectively “black boxes” because of these limitations: they expose little or nothing about what they are running or doing. “Black box” devices also might not be serviceable, meaning they can’t be altered, updated, or repaired.
- That may require manually managing, troubleshooting, and servicing devices. But this makes it incredibly difficult to manage the network, especially as the number of IoT devices grows.
- IT tools often don’t transfer over, and likely won’t work for inventory management or monitoring data flow.
Finally, just as they have limited access, management, and monitoring features, many IoT devices also have limited cybersecurity and privacy features.
- Even the devices that do have cybersecurity and privacy features tend to offer only limited ones.
- This may require extra manual effort to minimize cybersecurity risks, which can become excessive as the network grows.
- And using IT software is not a copy-and-paste solution, because of a difference in protocols and device behaviour.
Cybersecurity considerations and recommendations
Cybersecurity is an ongoing journey. We will always be learning, improving our policies, and learning some more. This diagram, adapted from one in the NIST report, illustrates that.
But there are a few considerations NIST provided to improve your cybersecurity procedures. They are:
- Understand which devices have IoT capabilities.
- Know what those IoT capabilities are.
- Consider the IoT devices’ environment.
- Assess risks based on the full context of the IoT device.
- Plan ways to mitigate the risk, and determine how to respond to the risk.
A few of our own recommendations to improve your cybersecurity are to:
- Implement strong segmentation to limit the blast radius of a cybersecurity attack. This might include VLANs or subnetting, dedicated separate networks, or cellular connections. Keep in mind that a VLAN on its own only separates broadcast domains; it limits an attacker only if the routing between VLANs is filtered by ACLs or a firewall that allows just the protocols each device class actually needs.
- Opt for IoT devices with visibility and management capabilities. Don’t use unmanaged or “black box” IoT devices. “Black box” devices offer no visibility, and the cheap upfront cost will lead to high troubleshooting costs and cybersecurity risks.
- Develop simple cybersecurity policies that staff will actually follow, and install software they will actually use. Create an open dialogue on cybersecurity, so your staff understand the importance of it. And make it clear that staff will not be punished if they bring forward a cybersecurity concern, even if the vulnerability was caused by human error. It’s better to know when a vulnerability arises, so that it can be dealt with.
- And finally, as NIST also mentions in the report, be sure to test patches before rolling them out to the building. Keeping a few spare devices from each building system that you can test patches on will help ensure that the network won’t be adversely affected by software updates.
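The segmentation recommendation above and the earlier advice to monitor connected devices for abnormal behaviour come down to the same artifact: a table of which device class may talk to which, over which protocol. The script below is an added example for this post, not code from the NIST report or the webinar. It encodes that table as a per-zone allowlist and runs exported flow records through it, so a violation is either a gap in the inter-VLAN filtering or a device doing something it never should. The subnets, zone names and flow records are constructed sample data; the port numbers (UDP 47808 for BACnet/IP, TCP 554 for RTSP, TCP 22 for SSH, TCP 443 for HTTPS, TCP 23 for Telnet) are the standard assignments for those protocols.

```python
"""Check flow records against a per-zone segmentation policy.

Added example for this post, not code from the NIST report or the webinar.
The subnets, zone names and flow records are constructed sample data;
UDP 47808 (BACnet/IP), TCP 554 (RTSP), TCP 22 (SSH), TCP 443 (HTTPS) and
TCP 23 (Telnet) are the standard port assignments for those protocols.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Which subnet (VLAN) holds which class of device. Constructed addressing.
ZONES = {
    "cameras": ip_network("10.20.1.0/24"),
    "hvac": ip_network("10.20.2.0/24"),
    "bms_servers": ip_network("10.20.10.0/24"),  # building management + video recorder
    "it_mgmt": ip_network("10.0.5.0/24"),        # IT admin jump hosts
}

# Allowed (source zone, destination zone, protocol, destination port).
# This is the same table the inter-VLAN ACL or firewall should enforce;
# anything not listed is a violation.
POLICY = {
    ("bms_servers", "hvac", "udp", 47808),   # BMS polls controllers over BACnet/IP
    ("hvac", "bms_servers", "udp", 47808),   # controllers send COV notifications back
    ("bms_servers", "cameras", "tcp", 554),  # recorder pulls RTSP streams
    ("it_mgmt", "bms_servers", "tcp", 22),   # admins SSH to the servers only
    ("it_mgmt", "cameras", "tcp", 443),      # camera web UI, from jump hosts only
}


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow as most collectors export it:
    initiator address, responder address, protocol, responder port."""
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"  # anything outside the building's subnets


def check_flow(flow: Flow):
    """Return None if the flow is allowed by POLICY, else a reason string.
    The reason separates the failure modes a building team cares about:
    a device reaching outside the building, devices talking to each other
    inside a zone, and cross-zone traffic the ACL should have blocked."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone, flow.proto, flow.dport) in POLICY:
        return None
    where = f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}"
    if dst_zone == "external":
        return f"EXTERNAL: {src_zone} device reaching outside the building: {where}"
    if src_zone == dst_zone:
        return f"LATERAL: {src_zone} devices talking to each other: {where}"
    return f"CROSS-ZONE: {src_zone} -> {dst_zone} not in policy: {where}"


def audit(flows):
    """Run every flow through the policy; return the list of violations."""
    return [reason for reason in map(check_flow, flows) if reason is not None]


# Constructed flow export. 203.0.113.0/24 is a documentation range, so the
# "outside" destination is not a real host.
FLOWS = [
    Flow("10.20.10.5", "10.20.2.17", "udp", 47808),   # BMS polling HVAC: allowed
    Flow("10.20.10.5", "10.20.1.31", "tcp", 554),     # recorder pulling video: allowed
    Flow("10.0.5.8", "10.20.10.5", "tcp", 22),        # admin SSH to BMS: allowed
    Flow("10.20.1.31", "203.0.113.9", "tcp", 443),    # camera phoning home
    Flow("10.20.2.17", "10.20.10.5", "tcp", 22),      # HVAC controller SSHing to BMS
    Flow("10.20.1.31", "10.20.1.32", "tcp", 23),      # camera telnetting to another camera
]


if __name__ == "__main__":
    for line in audit(FLOWS):
        print(line)
```

Because OT devices have very predictable traffic, an allowlist this small covers normal operation, and every hit is worth a look: an EXTERNAL hit on a camera means the VLAN has a path to the internet it should not have, a CROSS-ZONE hit means the inter-VLAN ACL is missing a deny or a device has been repurposed, and a LATERAL hit means a device is probing its neighbours. If your collector exports both directions of a connection, add the reverse of each tuple to the policy or the replies will show up as false positives.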
There you have it! We’d encourage you to dig into NIST’s report yourself as well, as it goes into even more depth on the differences between IT and connected OT and their security standards. Hopefully this gives you a starting ground to better understand your IoT devices, and how to secure them.