Over the past few decades, we've seen cyberthreats evolve from tools to smart weapons, extending their reach as botnets that develop into advanced persistent threats and kill chains.
As IoT matures, the focus in cyberwarfare has turned to protecting devices. Traditional IT and operational technology (OT) are converging, and cybersecurity professionals must explore better ways to protect both domains.
An evolving threat landscape
The threat landscape has changed dramatically, and attacks are increasingly sophisticated. Bad actors may launch coordinated attacks that attack key infrastructure. Nation-state attackers launch ransomware attacks that use weaponized cryptography. Malware propagates from threat actors to sensors, controllers and actuators.
As attacks become more complex, industrial environments are increasingly vulnerable. Most brownfield and greenfield devices in these deployments lack cyber resilience by design, which leaves organizations unprepared.
What distinguishes threats in 2022 from earlier attacks? Fundamentally, the difference is that today's hackers have a better understanding of how to sidestep detection and prevention controls. Traditional IT security was built with a focus on examining network traffic and utilizing rules-based firewalls, threat intelligence, and policy-based intrusion and anomaly detection.
It is challenging to adapt these IT security strategies for OT, as devices and humans have dramatically different vulnerabilities. Unlike the predictable behavior of devices, human psychology is tougher to proactively address.
Aligning security to industry trends
Device protection requires an approach based on a horizontal platform of transitive trust, together with a vertical pillar of integrated trust. For an effective strategy, organizations must align security to several industry trends.
1. Digital transformation
Digital transformation for IoT devices applies AI and machine learning (ML) to enhance operational efficiency and digital privacy, as well as enable data sharing. AI requires intelligence in both the network and devices to support continuity and runtime integrity of services in automation-powered industrial applications.
ML offers operational efficiencies, as it builds observations for evidence-based abductive reasoning models, condition-based maintenance for longer service life, and telemetry for quality improvements and design innovations.
2. Zero-trust security
A zero-trust model for security applies a volume, velocity and variety challenge for real-time, low-latency line-of-business applications. Volume refers to devices, cryptographic keys, and certificates for device identification and authentication. Velocity refers to automation to support protective measures for transfer of ownership, as well as key and certificate lifecycle management. Zero-trust models also support a variety of global cryptographic algorithms, utilizing an abstraction layer and restricted key usage.
3. Supply chain trust
Building trust in the supply chain is the third key trend. The supply chain attack surface is highly elastic, with many visibility gaps. Blind spots can range from silicon fabrication facilities to OEMs, device owners and operators, and connected devices.
Protection requires a horizontal trust chain beginning at the root of trust, with manufacturer- and device owner-issued identifiers, as well as cryptographic key usage based on the principle of least privilege. Supply chain security also requires a configurable software offering and certificate authority (CA). These offerings should not require cloud platform or CA lock-in to facilitate easy migration and optimize cost management.
4. Digital twins
AI initiatives also support digital twins for quality improvements and design innovation that build on telemetry and state synchronization. Organizations must plug security gaps between virtual and physical systems. They should also take steps to prevent compromises of the virtual digital twin by hackers that could enable them to expose the actual physical system.
Organizations should also enable event-based synchronization, with regular transfer of accurate and tamper-resistant data with low latency. IT teams synchronize the configuration state for trustworthiness with platform attestation and coordinate software updates with supply chain provenance.
5. Application security by design
Line-of-business applications should integrate security measures from the get-go. Their design should meet compliance requirements and risk management objectives, from resource-constrained sensors and actuators to controllers and edge gateways that extend into cyberspace.
As part of this security by design, applications should include protective controls for data protection and privacy, device authentication, remote recovery and integrity monitoring.
An ecosystem approach
In OT environments, the risk model is based on compliance, security and safety considerations. Unlike threats, every risk has a measurable cost and benefit. For example, a compromised factory key compromise might result in a device recall or truck roll to remediate the issue.
Hackers are familiar with most detection and prevention tools and methods. Given the volume of events with low signal-to-noise ratio and the cost of post-breach forensics to generate threat intelligence, traditional cybersecurity strategies are simply not sustainable.
As IoT use cases mature, IT and OT ecosystems require close alignment. OT security brings together network operations centers, security operations centers (SOCs), device management systems (DMSes) and application management systems. Organizations should seek to give SOC operators supply chain tamper resistance, device intelligence and indicators of risk for remote maintenance and recovery of OT devices.
For DMS operators, capabilities such as authenticated device identifiers for secure onboarding, on-device protection of cryptographic artifacts, secure boot sequence and integrity monitoring options offer comprehensive protection.
The IoT ecosystem, workflows and technologies at its foundation require a collaborative mindset that extends from the silicon vendor to manufacturers, operators and service providers to prevent and diffuse cyber attacks.
About the author
Srinivas Kumar is the VP of IoT solutions at DigiCert, a leader in digital security. In this role, Kumar architects solutions to accelerate the convergence of IT and OT in emerging markets. Kumar frequently publishes articles on digital transformation, contributes to cybersecurity standards, and speaks at industry conferences about application security by design to protect connected brownfield and greenfield devices.