In the last blog, we examined how security is threatening the economic promise of the “Industrial Internet of Things” – also part of Operational Technology. Further, we suggested that “IIoT security is, paradoxically, both completely different from regular IT security and also very similar”. Certainly, that needs some serious explanation. Let’s get to it.
Faced with the exact types of challenges now facing the industrial internet, the traditional internet quickly adopted several key security technologies – endpoint security, generically labeled “antivirus”, internet firewalls with network address translation (pioneered by members of our founding team), and intrusion detection technologies. Some of these things work well, some not so well. So of course, there’s also been an explosion of other technologies to address smaller and smaller gaps in our defense.
One technology was Network Access Control, which another of our founders helped create. The most promising new one, in our opinion, is broadly termed “behavioural analytics”. Essentially, these products try to find unusual, and therefore potentially dangerous, events in the background noise of everything that is happening on your network.
Why won’t these exact technologies work to protect our industrial internet? Well, some of them can- sort of. And some of them just don’t make economic sense the way they are currently deployed in corporations. Let’s dive into what this means.
One important point is that “endpoint security” – in any of its forms – is just too heavyweight for many industrial devices. The very, very inexpensive endpoint is driving many of the innovations in IIoT today – a $20 sensor just doesn’t have the horsepower to defend itself. It must rely in on the network for its security.
Another complication – the success of the internet was driven by an important concept – standards compliance. We settled on TCP/IP, UDP, HTTP, HTTPS, and a handful of other protocols (mostly for email). Vendors all adopted these standards and all kinds of systems were suddenly able to talk – PCs, Macs, phones… It was beautiful.
The industrial internet is a collection of more esoteric protocols that were not designed to be interoperable. There are at least three different “IP” protocols used by industrial control systems that really can’t talk to each other. There are even more things going on when you consider that the edge of the IIoT world is a hodgepodge of last mile tech like zigbee, 6LoPAN, LoRA, and more.
So the bottom line here is that regular firewalls, etc, don’t really understand these protocols. Your vendor may move their lips about “Ether/IP” support, but it’s very shallow. Many of these protocols can’t even be forwarded by traditional VPNs and routers. Clearly, specialized solutions are required.
Another huge problem is the economics of security. We recently talked to a CISO in the healthcare space about how he is protecting his devices. He expressed extreme concern – even borderline ranting – about his team’s advice to “just put a firewall there”. Even if this solution worked – medical devices are more standards compliant that many factory ones – he balked at the cost and complexity of deploying so many hard to manage devices in his network.
Factory lines, power plants, and building control networks are some of the most walled-off places in the world. They protect themselves by separating themselves from the world. The economics of deploying a huge stack of devices like those used in corporations is just a non-starter. Each factory line gets a firewall, intrusion detection system, etc, etc? These costs simply can’t be borne by most businesses, even if they believe these solutions will protect them. Which currently, they can’t.
So where does all this leave us? How is industrial security like traditional IT security, if it’s totally not? I’ll cover that in our next blog.