The Criticality of the Network in Securing IoT and Critical Infrastructure
By Simon Finn Security is the key to the success of any digital project, whether you are connecting critical infrastructure, industrial Internet of Things (IoT), or delivering data and telemetry to reduce costs and increase revenue. We have long advocated the need for a holistic approach to IoT security, and with it, shared the vital role the network plays in embedding security. To further demonstrate the network’s role, let’s explore how it can help us tackle a series of IoT-related security challenges.
The challenge of securing communications
The first challenge is simply one of securing network communications. By default, any connected device can access anything on the network. This becomes a real problem when viewed with the realization that devices are unable to protect themselves; many devices were not designed with security built in – for example, think of your thermostat or refrigerator. Even if security is a design consideration and a devices initial state is secure, vulnerabilities will be discovered over time. Vendor support lifecycles and patching practices can vary, and it often leaves devices exposed for an extended periods. The logical conclusion to this is that we need to protect the device, and we need to protect other assets from the device.
Many organizations have undertaken extensive work to do broad grained, or macro-segmentation, which is immensely valuable from a security perspective. Yet, how do we isolate and protect devices within these segmented parts of the network, applying the principle of least access? How do we stop lateral movement of malware and reconnaissance activities within these segments themselves?
However, the IoT does represent a problem of scale. Organizations are struggling with the operational scale that is required to manage the explosion of connected devices. Operational overhead such as on-boarding devices and applying the required policy will be significantly exacerbated by the problem of sheer numbers and types of devices.
How the network can help
To deal with problems associated with lateral movement movement of threats and the need to isolate devices, we need to apply network policy as close as possible to the device. This method is commonly referred to as micro-segmentation, and Cisco taken this capability from theory to practice for years now.
To address the issues relating to scale, there are a couple of capabilities that help address these problems. Firstly, we are software defining the network, including its policy controls and segmentation. What this permits us to do is to provision controls centrally, in a fast, scalable and reliable manner. The network can also leverage what it can see, such as device profiling, location and identity, to help inform that policy. This contextual information, gathered by the network, can be also shared with other services and collected from other services. I’ll share more on the value of this in subsequent blog posts.
Secondly, we have been working on defining standards in collaboration with the Internet Engineering Task Force (IETF). For example, RFC 8520: Manufacturer Usage Description (MUD) allows manufacturers to define the policy, saving administrators many hours attempting to discern the appropriate policy to apply to new devices. The standard allows for automation of the entire process.
The network is well placed to act as a gatekeeper for devices, ensuring authentication and enforcing on-boarding workflows. Standards are currently in development, such as Bootstrapping of Remote Secure Key Infrastructure (BRSKI), that will help extend these capabilities by automating the provisioning of strong identity on devices. The network acting as the gatekeeper and orchestrator of on-boarding flows also enables protection of devices whilst in a potentially vulnerable state when first plugged in.
As you can see, the network plays a significant role protecting devices and data. Look for more to come in follow on blogs, as we explore how the network’s capabilities are extended to address other issues associated with securing the IoT.
Source:: Cisco Security Notice