Sunday, June 28, 2020

IoT Security

Data in an organization is important. It can differentiate an organization from its competitors.

A properly designed IT network provides:

  • Data confidentiality: ensure that data is only visible to authorized users. We achieve confidentiality by using encryption.
  • Data integrity: ensure that data is only modified by authorized users. We maintain integrity with checksums and hashing algorithms.
  • Data availability: ensure that the network is always available. We achieve this with proper network designs and redundancy.

Confidentiality, integrity, and availability are familiar to most of us. You see these three terms everywhere when we talk about security.

Security is difficult enough for IT network. It’s even harder for Operational Technology (OT) networks. OT is the hardware and software we use to monitor and control physical (critical) devices. For example: pumps, valves, elevators, or rail systems. OT is an important element in environments like factories, refineries, power grids, power plants, etc.

With IoT, we connect these traditional OT devices to the Internet. When we talk about IoT and security in this lesson, keep those OT environments in mind.  iot-security.mp4

IoT Challenges

Let’s discuss some of the security challenges we face with IoT.

Software Updates

Some IoT devices are never updated because they are in use 24/7. Updating devices means we have to temporarily shut down a critical system like an assembly line. It’s also possible that a device is too old and doesn’t receive any updates from the vendor.

Physical Safety

Compromise of an IoT device could result in injury or impact the environment. For example, a compromised device could mess with railway signalling and make two trains collide. Another example is a pipeline where an attacker opens a valve and releases chemicals into the water supply.

Confidentiality

Some environments (like a power plant) are closed systems so data confidentiality is critical.

Scale

A security incident that takes down a server is bad. A security incident where the network goes down is even worse. When a statewide power grid fails or is compromised, we are talking about a whole different level of trouble.

Conflicting Priorities

We have IT and OT. These are two different worlds that now overlap thanks to IoT. Implementing a security model that both teams accept can be a challenge. In IT, when we detect an attack we usually block something so that we isolate the attack. When an OT team detects an attack, they might prefer to keep the process running and deal with it during a maintenance window. Stopping a process can cause safety concerns.

Threat Vectors

A threat is a possible danger to a person or environment. Threats can be natural, malicious, environmental, or by accident. Security people are mostly interested in threat vectors and countermeasures. A threat vector is a route or path an attacker uses to attack a target. For example:

  • Users
  • Mobile devices
  • Applications
  • Remote access
  • E-mail

IT Networks

Many IT networks use a “medieval castle” security strategy where they implement security at the border of their network.

Internet

The Internet is not a safe place. It’s one of the most important threat vectors for IT networks.

We have users at our IT network who access the Internet and visit malicious websites that infect their computers. Malware could then spread to the rest of the network.  You could use a web proxy and anti-virus on user devices to protect your network against this kind of attack.

There are also attackers from the Internet who look for open ports and try to connect to servers that are exposed to the Internet. Attackers try to attack servers using known software vulnerabilities to gain administrative privileges. You can protect yourself against these types of attacks with firewalls, an IPS, and updating your operating systems and software to the latest versions as soon as possible.

WAN

WAN circuits connect our IT network to other sites like branch offices or business partners. These WAN circuits are considered safe but if a remote site is compromised, it could also affect our main network. Like our Internet connections, you need to protect your WAN circuits with firewalls and IPSes.

E-mail

Any business uses e-mail for internal and external communication. E-mail uses old protocols that were never created with security in mind. There is no authentication when an external sender sends you an e-mail. This is why e-mail is so attractive for phishing attacks and malware in attachments. You can guard yourself against e-mail attacks with anti-virus, services that scan e-mail contents, and DNS checks.

IoT Networks

We use IPv4 and IPv6 for our IoT networks so we face the same issues as normal IT networks:

  • Smurfing
  • Rogue devices
  • Man-in-the-middle attacks
  • Reconnaissance
  • Spoofing
  • Fragmentation attacks
  • Sniffing

However, IoT security is a whole different game. With IT, it’s about data and information. With IoT it’s about the physical world. Instead of manipulating data, we can manipulate the physical world.

The number of threat vectors for an IoT is much larger compared to an IT network.

Number of Devices

The number of devices increases drastically. An IT network with 1000 users might have 100 servers, that’s 1100 possible threat vectors. A factory with 1000 workers might have 100 servers and 10000 sensors. That’s 11000 possible threat vectors.

Physical Security

Devices are small inexpensive devices with little to no physical security. Devices can be stolen.

Processing Power

Some devices have limited processing capability while encryption algorithms require processing power.

Software Updates

How are you going to update 10000 devices when you discover a security exploit? Does the vendor even release updates?

Protocols

Protocols like Modbus and Profinet were designed for programmable logic controllers (PLCs) and other devices with minimal compute resources. These protocols were designed with efficiency, not security, in mind. We used these protocols on closed networks but with IoT, everything is connected.

Staff

Most OT engineers are concerned with connectivity but are not always up-to-date with IT best practices. If you use wired connections for your devices then you should secure your switches. Engineers might be familiar with the basics of switches (like VLANs) but not have enough knowledge about important security options like 802.1X and NAC.

IoT Security Strategy

An IoT security strategy needs to take three items of properly designed IT networks into account:

  • Confidentiality
  • Integrity
  • Availability

Let’s take a closer look at these items.

Confidentiality

We ensure confidentiality with encryption. We need to think about the type of data our IoT devices transmit and define the requirements for that data. For example, the temperature sensor data in a factory might not require encryption. On the other hand, the temperature sensor data from a device in a nuclear power plant should be encrypted.

Integrity

Integrity is important if you want to ensure that data is not manipulated while in transit. This is important because:

  • Incorrect data can influence your control application:
    • Fake data from a smoke detector can trigger a control application to enable all lights and disable the elevators.
    • Fake data could cause a motor to keep running and break down.
  • Incorrect data can influence your analytic application.

Availability

Availability takes priority over everything else. This is because the IoT network often impacts the capability to generate revenue. When the IoT network of a factory is down, you waste a lot of resources:

  • Loss of production goods.
  • Wasted man hours.
  • Waste of raw materials.
  • Possible penalties for failing to meet customer SLAs.

Components

We have four components we should include in our IoT security strategy:

  • Network Access Control
  • Network Segmentation
  • Network Visibility
  • Secure Remote Access

Network Access Control

Many applications we use on IT networks have integrated authentication. For example, if you try to access a network share on a file server then you have to enter your credentials. Even if an attacker gains access to a network, they still have to overcome the security of the application. OT systems were developed for closed networks so there are almost no built-in security or authentication mechanisms.

Cisco created a framework to secure the IoT environment. The framework contains four components:

  • Authentication
  • Authorization
  • Network Enforced Policy
  • Secure Analytics: Visibility and Control

Let’s take a closer look at each component.

Authentication

On IT systems we authenticate users with a username and a password, certificate, or biometrics. IoT devices also require access to the network so we use authentication to verify the identity of an IoT device. We need a form of authentication without human interaction. For example:

  • RFID
  • Shared secret
  • Certificates
  • MAC address
  • Identity bound to device hardware

Certificates are secure but IoT devices might not have enough memory to store certificates or enough processing power to validate certificates. 802.1X and 802.1AR are two options.

802.1AR defines a unique identifier (called DevID)  that is cryptographically bound to a device. We can use this to authenticate devices. Unlike MAC addresses, you can’t spoof a DevID.

We can use 802.1X and NAC for devices that don’t support any decent authentication type. With NAC we can restrict devices by using VLANs and dynamic ACLs.

Authorization

Authorization defines what a device can do once it’s connected and authenticated to the network. We can use NAC for both authentication and authorization. NAC can detect the platform, OS, installed patches, anti-virus definitions, and traffic patterns and decide what the device is allowed to do on the network.

Network Enforced Policy

This component includes everything that routes and transports endpoint traffic securely over the network. It includes control, management, and data traffic.

Secure Analytics: Visibility and Control

This component defines services where all elements (devices and infrastructure) could work together to provide data we can use for visibility into the network. Thanks to big data systems, we can process large volumes of data in near realtime. We can process and analyse data to detect anomalies and threats.

Network Segmentation

Our IoT devices require connectivity to the network but we should restrict it. We can do this with network segmentation.

The Purdue model was adopted from the Purdue Enterprise Reference Architecture (PERA) model and used as a concept model for Industrial Control Systems (ICS). The model explains how to segment devices and equipment into hierarchical functions and bring IT and OT together. Here’s what it looks like:

Purdue Model

Here  is an explanation of each level:

  • Enterprise Zone:
    • Level 5 (Enterprise): this level has enterprise applications like ERP or CRM and services like Internet access, VPN, etc.
    • Level 4 (Site business planning and logistics): this level contains manufacturing facility IT services like scheduling systems, material flow applications, local IT services, manufacturing execution systems (MES), etc.
  • Industrial Demilitarized Zone: this is the DMZ zone we use for IT networks. It contains web, application, terminal servers etc.
  • Industrial Security Zone:
    • Level 3 (Site manufacturing operations and control): this level contains all functions required to manage the work flows to produce end products. It includes production scheduling, control optimization, security management, and IT services (DHCP, LDAP, DNS, etc).
    • Cell/Area Zone:
      • Level 2 (Area supervisory control): control room, controller status, and control-related applications.
      • Level 1 (Basic control): consists of controllers that direct and manipulate the manufacturing process. Its function is to interface with level 0 devices.
      • Level 0 (Process): this level contains sensors and actuators that are used in the manufacturing process.

The Purdue model segments between layers but is still vulnerable to east/west traffic. When an IoT device is infected, it can still infect devices in the same level. You can use security mechanisms like private VLANs and ACLs to prevent or restrict device-to-device traffic.

Fog or edge devices need to communicate northbound. We can inspect this kind of traffic with firewalls and IPSes.

Network Visibility

Visibility of our network traffic has changed throughout the years. We started with access-list or firewall logs and later added IDS/IPS systems to detect security incidents. Nowadays, we feed this information into a security information and event management (SIEM) system which aggregates relevant data from multiple sources.

Another great tool is NetFlow. Many network devices like routers, switches, and firewalls support NetFlow. We can use it to collect, analyze, and visualize all flows from IoT devices. We can use the flow data to create a baseline of normal network traffic. When a device is compromised, it transmits data that is irregular from our baseline traffic. This is helpful to detect anomolies from an attack in our network traffic.

Secure Remote Access

When a device fails, an engineer might have to travel on-site to fix an issue. This is time consuming so many organizations prefer remote support. This is a common scenario for IT networks but it’s a different story for IoT networks. With IT networks, we often use a VPN to access servers or network devices on a remote network. These servers and devices are in the Enterprise network area of the Purdue model.

Access to critical OT devices might require more security. Unlike IT networks where we only have data, these OT devices can influence the physical environment. An engineer could remotely shut or enable a robot or elevator, which might not be safe to do. Someone could get injured.

Nobody should be allowed direct access to the Industrial Security Zone. A better option is to use a jump box in the industrial DMZ. A jump box is a dedicated computer with all the tools you need to manage devices in the OT part of the network. The remote engineer connects to the jump box (through VPN) and works together with an on-site engineer.

The on-site engineer can launch a screen share session on the jump box and makes sure the physical environment is safe. The remote engineer can then safely start or stop the device.

Conclusion

In this lesson, you learned about IoT security:

  • Well designed IT networks provide confidentiality, integrity, and availability of data.
  • Security is difficult for IT networks but even harder for OT networks.
  • Some of the challenges for IoT networks are:
    • Devices are in use 24/7 and never updated.
    • Physical safety is important since devices can influence the physical environment.
    • There are so many devices.
    • Traditionally, OT networks have been closed networks but now we connect them to the Internet.
  • IoT networks have many more threat vectors than IT networks. There are so many devices.
  • An IoT security strategy must take into account: confidentiality, integrity, and availability and should include these components:
    • Network access control
    • Network segmentation (Purdue model is common)
    • Network visibility
    • Secure remote access

I hope you enjoyed this lesson. If you have any questions, please leave a comment.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)