IoT Security: Not Just 1's and 0's

Senior executives and Luddite board members are often quick to point out, whenever a discussion turns too technical, that computers are “just a bunch of 1’s and 0’s.” This is like saying that organic chemistry is just a bunch of C’s, H’s, and O’s. The bad news for our executive friends is that with Internet of Things, things (ahem) can get more complex: IoT devices can involve voltage, resistance, and current.

Unless you’ve just emerged from a cave, you know that IoT is the Next Big Thing. In cyber security, for example, it’s hard to find a business plan that does not use IoT growth as justification for hockey stick revenue projections. Certainly, with the ten billion or so newly Internet-connected devices that will need protection in the coming years, such optimism is reasonable; but the associated technology can be challenging.

My friend and colleague Brian Stites from MSI was kind enough to step away from the speeches at the International Conference on Cyber Engagement at Georgetown last month to share his insights on IoT security. He later introduced me to Mark Baggett, VP of MSI – and I was treated to an excellent tutorial on how advanced cyber security solutions for IoT might be considered. I’ll summarize my learnings here for you now:

The MSI guys recommend starting with the Purdue Enterprise Reference Architecture, a layered model that describes the interactions between information technology (IT) and operations technology (OT). The lowest level 0 involves the physical operation of field devices; the next level 1 involves physical sensing, control, and management of devices; and a subsequent level 2 involves real-time HMI operator software – finally some 1’s and 0’s.

IoT security engineers can roughly view the level 0/1 IoT interface as the playing field for OT security, and the level 1/2 IoT interface as the playing field for the associated IT security. A major difference, however, is that the OT interface will typically involve an unpredictable variety of analog behavior, perhaps using the +28-to-0 voltage and 4-to-20 milliamp ranges as means for device-level control and sensing.

What MSI provides is a security mechanism for the OT control loop operating across the 0/1 interface, as well as for the IT-OT interactions across the higher 1/2 interface. Both are programmed to detect anomalies and report them to a management console for the IoT security engineer. This is a familiar architecture, but it involves dramatically different underlying technology.

During our discussion, the MSI guys showed how their approach covers a wide variety of practical IoT Security use-cases ranging from tire sensing and aircraft engine control, to oil and gas flow meters. “For decades, the safety and control systems in most industrial applications were separated,” Mark explained. “But more recently, this has all been tied back together at the IT level, which is where many security issues arise.”

As you would expect, developing security signatures and meaningful behavioral analytic patterns for OT/IT interfaces requires local domain expertise and knowledge. Aircraft engineers might know, for example, that (and OK, I admit that I am reading now from an FAA manual) a 28-volt landing light circuit on an aircraft has 7 amps of current with 4 ohms of resistance. Why anyone would want to hack a landing light is beyond me, but I suspect the MSI solution would stop it.

The net for security pros is that while IoT is easy to mention on marketing charts and financial projections, the underlying technology can be different, challenging, and non-standard to existing IT controls. My advice is to do what we all do when something new and challenging emerges: We take the time to hit the books and learn. If you are being asked to extend your solution to IoT, then you have some real work to do!

The benefits of taking the time to better understand IoT will be obvious for security experts, but I am less optimistic about the prospects for most senior executives and board members. I suspect they will continue to interrupt your presentation on IoT security with the same dumb line about 0’s and 1’s. Perhaps when they do, you should just let it go: Generational turn-over will eventually solve the problem.

Let me know your experiences.