Physical + cyber security in a converged IT + OT world
Enterprise and governments are struggling to maintain their complex IT infrastructure in the face of ramping security pressures and rampant attacks. The Internet of Things (IoT) is set to magnify this complexity, introducing billions of connected devices that sense and control the physical world. The resultant convergence of IT and operational technology (OT) infrastructures will significantly expand the threat landscape.
In his On Tanks vs Tractors IoT blog last week Anton Chuvakin from Gartner “philosophized” that anything that is on the Internet should be built as a machine of war. His message was that tractors must be designed to be robust and run safely with lots of operational resiliency, however when building tanks (or anything connected to the Internet) you must go beyond that and include deliberate attacks in your design requirements. So extending on Anton’s thought bubble, it is now accepted (particularly after events like the recent car jacking) that we must build all distributed networks to be resilient in the face of targeted attacks. Security and resilience
- cannot be afterthoughts, tagged on at the end of development; they must be designed in from the beginning
- must not be compromised by functional ease-of-use or even privacy needs; they must be prime considerations and address the full attack continuum (before, during and after attack)
- must be integrated into the network fabric holistically – embracing both physical and cyber security environments and spanning both IT and OT worlds
The IoT transformation is still embryonic, and clearly security and resilience have been become the gating factor for IoT proliferation. Cyber and physical security technologies have largely converged at the device level (wireless sensors and actuators, IP cameras etc.). However we have yet to agree on open standards to enable us to craft physical and cyber security IoT solutions that can interoperate resiliently in this new converged environment.
Similarly we are only just starting to develop a comprehensive suite of architectures that can span this converged world. Let alone to consider the regulations that will be needed for governance. Unfortunately security and resilience in IoT are not homogenous concepts, and workable solutions and regulatory models will vary by market, by sector, by geography, by application. One example where industry has developed a workable model for handling IT and OT security is in the contained field of branded credit card transactions where the PCI DSS standard is used global. However this model has little applicability in the medical or auto markets.
So we have a long way to go, but the imperative here is that customers select solution partners who are addressing these challenges. Opengear solutions have all been designed to integrate physical and cyber security to increase overall security posture with little or no human intervention required. They span from the cloud, through the fog to the devices at the edge, and empower the customer to meet the growing security challenges of this converged IT + OT world.