The Uphill Road to OT/IT Convergence

By Srinivas Kumar
Chief Product Officer & Chief Technology Officer at Mocana Corporation


Across all the major industry sectors, chief risk officers, product managers, solution architects and subject matter experts have to confront the economic, political, intellectual and commercial challenges of industrial and non-industrial IoT. The following fundamental questions frame that assessment, which is necessarily a subjective one.

The Road

1) As the end user of IoT devices, where do I start with the digital transformation of brownfield and greenfield devices?

Should I begin by hardening greenfield devices, either in the field or at the point of manufacture, so that they can coexist with legacy brownfield devices, and then proceed to harden legacy RTOS-based devices through a device vendor initiated update cycle?

2) As a CISO, how should I budget for device hardening and risk management? What are the capital and operational expenses that I should plan for?

Device hardening requires planning to coordinate updates with the device vendors and line-of-business application developers as part of an update cycle. A risk management service requires a hosting platform, on-premises or in the cloud. Operationally, the risk management service must deliver long-term cost reduction through remote orchestration and a security operations center (SOC) for security monitoring and recovery.

3) Should I manage the transformation program beginning at the device level through OEMs, or directly through device vendors, or at the services level through managed security service providers?

This may require a multi-phase approach depending on the target environment and compliance requirements. A quick-start, zero-coding first phase may be to work with equipment and device manufacturers to instrument the device platforms. The next step may be to engage a managed security service provider for subscription-based services covering the instrumented devices. The final step may be to coordinate with device vendors and application developers for ubiquity across device platforms, a unified approach, and a "single pane of glass."

4) Which industry standards for cybersecurity are driving my focus in operational technology (OT) for digital transformation?

  • NIST 800-53
  • NIST 800-63-3
  • NIST 800-82
  • IEC 62443
  • ISA 84
  • NERC-CIP
  • FIPS
  • FCG
  • ISO 27001

5) Which risks in OT do I consider as imminent and worthy of attention?

  • Device Tampering
  • Device Cloning
  • Insider Threats
  • Supply Chain
  • Nation State Attacks
  • Ransomware

6) Which capabilities do I believe would benefit device owners/operators the most for OT/IT convergence and a unified workflow?

  • Network Intrusion Detection (Deep Packet Protocol Analysis)
  • Malware Detection (Sandboxes, Memory Introspection)
  • Threat Intelligence (Signatures, Expressions, Grammar)
  • Device Hardening (at Manufacture)
  • Device Hardening (in Field)
  • Zero Trust Infrastructure

7) Which mitigation actions do I believe would offer substantial cost savings to device owners/operators in OT after a cybersecurity related incident?

  • Forensic Analysis
  • Log Analysis
  • Device Offboarding (Quarantine)
  • Device Recovery

8) Which countermeasures do I believe would make brownfield (legacy) devices most secure?

  • Network Traffic Encryption
  • Messaging Integrity with Lightweight Cryptography
  • Network Firewalls
  • Anomaly Detection
  • Allow Lists
  • Network Segmentation
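Two of the items above, "Deep Packet Protocol Analysis" under question 6 and "Allow Lists" under question 8, combine naturally on a brownfield network: a legacy PLC cannot authenticate its peers, so a monitor in front of it parses the protocol and enforces which stations may issue which operations. The following Go program is an added example written for this page, not Mocana's code or anything from the original post. It parses Modbus/TCP frames and applies a per-source function-code allow list; the addresses, the policy and the sample frames are all constructed for the illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one decoded Modbus/TCP ADU: the MBAP header fields that matter for
// policy plus the PDU function code and its data.
type Frame struct {
	TransactionID uint16
	UnitID        uint8
	Function      uint8
	Data          []byte
}

// ParseModbusTCP decodes an ADU (7-byte MBAP header + PDU) and rejects frames
// that are too short, carry a non-Modbus protocol identifier, or whose length
// field disagrees with the bytes actually present.
func ParseModbusTCP(b []byte) (Frame, error) {
	if len(b) < 8 {
		return Frame{}, errors.New("shorter than MBAP header plus function code")
	}
	if proto := binary.BigEndian.Uint16(b[2:4]); proto != 0 {
		return Frame{}, fmt.Errorf("protocol id %d is not Modbus", proto)
	}
	// The length field counts the unit id, function code and data that follow it.
	if length := int(binary.BigEndian.Uint16(b[4:6])); length != len(b)-6 {
		return Frame{}, fmt.Errorf("length field %d but %d bytes follow it", length, len(b)-6)
	}
	return Frame{TransactionID: binary.BigEndian.Uint16(b[0:2]), UnitID: b[6], Function: b[7], Data: b[8:]}, nil
}

// BuildFrame assembles an ADU. It exists only to construct sample traffic for
// the example; a real monitor takes frames off a SPAN port or an inline tap.
func BuildFrame(tid uint16, unit, fc uint8, data []byte) []byte {
	out := make([]byte, 8+len(data))
	binary.BigEndian.PutUint16(out[0:2], tid)
	binary.BigEndian.PutUint16(out[4:6], uint16(2+len(data))) // protocol id at [2:4] stays 0
	out[6], out[7] = unit, fc
	copy(out[8:], data)
	return out
}

// Policy maps a source address to the function codes it may send to the PLC.
// Everything not listed, including unknown sources, is denied: default deny is
// what makes this an allow list rather than a block list.
type Policy map[string]map[uint8]bool

func allow(codes ...uint8) map[uint8]bool {
	m := make(map[uint8]bool, len(codes))
	for _, c := range codes {
		m[c] = true
	}
	return m
}

// SamplePolicy is a constructed example: the HMI may only read, the engineering
// workstation may also write coils and registers, and nobody may send
// diagnostics (function 8) or vendor-specific codes.
func SamplePolicy() Policy {
	return Policy{
		"10.0.1.20": allow(1, 2, 3, 4),               // HMI (hypothetical address)
		"10.0.1.50": allow(1, 2, 3, 4, 5, 6, 15, 16), // engineering workstation (hypothetical address)
	}
}

// Decide reports whether the frame from src may pass, with a reason suitable
// for a log line or an alert.
func (p Policy) Decide(src string, raw []byte) (bool, string) {
	fr, err := ParseModbusTCP(raw)
	if err != nil {
		return false, "malformed frame: " + err.Error()
	}
	allowed, known := p[src]
	if !known {
		return false, fmt.Sprintf("unknown source %s", src)
	}
	if !allowed[fr.Function] {
		return false, fmt.Sprintf("function %d from %s to unit %d not in allow list", fr.Function, src, fr.UnitID)
	}
	return true, fmt.Sprintf("function %d from %s to unit %d", fr.Function, src, fr.UnitID)
}

func main() {
	p := SamplePolicy()
	samples := []struct {
		src string
		raw []byte
	}{
		{"10.0.1.20", BuildFrame(1, 1, 3, []byte{0, 0, 0, 10})},   // HMI reads 10 holding registers
		{"10.0.1.20", BuildFrame(2, 1, 6, []byte{0, 1, 0xff, 0})}, // HMI tries to write a register
		{"10.0.1.50", BuildFrame(3, 1, 6, []byte{0, 1, 0xff, 0})}, // engineering workstation writes
		{"10.0.1.50", BuildFrame(4, 1, 8, []byte{0, 4, 0, 0})},    // diagnostics: force listen-only mode
		{"10.0.9.9", BuildFrame(5, 1, 3, []byte{0, 0, 0, 1})},     // unknown host
		{"10.0.1.20", []byte{0, 6, 0, 0, 0, 9, 1, 3, 0, 0, 0, 1}}, // length field lies about the payload
	}
	for _, s := range samples {
		ok, why := p.Decide(s.src, s.raw)
		verdict := "DENY"
		if ok {
			verdict = "ALLOW"
		}
		fmt.Printf("%-5s %s\n", verdict, why)
	}
}
```

Default deny is the property that matters: a new engineering tool, a vendor diagnostic utility and an attacker's scanner all land in the "not listed" branch. The length and protocol-id checks are what "deep packet" analysis means in practice for a brownfield protocol; without them a crafted frame can desynchronize a naive parser and slip a write past the policy.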

9) Which countermeasures do I believe would make greenfield devices most secure?

  • Secure Transport Protocols (TLS, IKE/IPsec, SSH)
  • Post Quantum Ciphers
  • Secure Element as a Root of Trust
  • Secure Memory Enclaves
  • Mutual Authentication
  • Zero Trust (Fingerprints, Certificates)

10) Which controls do I believe would make OT devices most secure?

  • Anti-Virus
  • Code Signing (of Binaries)
  • Supply Chain Provenance (Tamper Resistance)
  • Platform Attestation (at Boot)
  • Mutual Authentication

11) Which types of audits do I believe would make OT devices most compliant with cybersecurity standards?

  • Scan & Harvest to Detect Deviation from Baseline
  • Risk Reports
  • Device Discovery
  • Track & Trace Updates (Software, Firmware, Configuration)
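"Code Signing (of Binaries)" under question 10 and "Scan & Harvest to Detect Deviation from Baseline" and "Track & Trace Updates" under question 11 are two halves of one control: the signed update manifest is the baseline, and an audit compares what is actually installed on the device against it. The Go program below is an added example written for this page, not Mocana's code or the original post's; the manifest format and the sample artifacts are constructed for the illustration, and the Ed25519 signing key generated in main would in practice be held in an HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Manifest is the signed baseline for one device update: the expected SHA-256
// of every artifact (firmware image, configuration, application) it contains.
// The format is hypothetical, chosen for this example.
type Manifest struct {
	Version string            `json:"version"`
	Digests map[string]string `json:"digests"` // artifact name -> hex SHA-256
}

// SignedManifest is what the vendor publishes: the encoded manifest plus an
// Ed25519 signature over exactly those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes each artifact of a release into the baseline.
func BuildManifest(version string, artifacts map[string][]byte) Manifest {
	m := Manifest{Version: version, Digests: map[string]string{}}
	for name, body := range artifacts {
		m.Digests[name] = digest(body)
	}
	return m
}

// SignManifest encodes the manifest and signs it with the vendor's private key.
// json.Marshal writes map keys in sorted order, so the encoding is deterministic.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	enc, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: enc, Signature: ed25519.Sign(priv, enc)}, nil
}

// VerifyManifest checks the signature against the vendor's public key before
// anything in the manifest is trusted; one flipped byte in either part fails here.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: refusing to use it as a baseline")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// Deviations is the scan-and-harvest step: it compares what is installed on the
// device with the verified baseline and reports every artifact that is
// modified, missing or unexpected, sorted for stable reporting.
func Deviations(m Manifest, installed map[string][]byte) []string {
	var out []string
	for name, want := range m.Digests {
		body, ok := installed[name]
		switch {
		case !ok:
			out = append(out, "missing: "+name)
		case digest(body) != want:
			out = append(out, "modified: "+name)
		}
	}
	for name := range installed {
		if _, ok := m.Digests[name]; !ok {
			out = append(out, "unexpected: "+name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample artifacts standing in for a real firmware bundle.
	release := map[string][]byte{
		"firmware.bin": []byte("\x7fELF...rtos-image-v2.1"),
		"config.ini":   []byte("modbus_port=502\nallow_write=false\n"),
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor signing key; an HSM in production
	if err != nil {
		panic(err)
	}
	signed, err := SignManifest(priv, BuildManifest("2.1", release))
	if err != nil {
		panic(err)
	}
	baseline, err := VerifyManifest(pub, signed)
	if err != nil {
		panic(err)
	}
	fmt.Println("baseline verified, version", baseline.Version)

	// A field device whose configuration was changed out of band and which has
	// acquired an extra script: both show up as deviations from the baseline.
	installed := map[string][]byte{
		"firmware.bin": release["firmware.bin"],
		"config.ini":   []byte("modbus_port=502\nallow_write=true\n"),
		"debug.sh":     []byte("#!/bin/sh\nnc -l 4444\n"),
	}
	fmt.Println("deviations:", Deviations(baseline, installed))

	// An attacker who edits the manifest to cover the change breaks the signature.
	tampered := SignedManifest{Manifest: append([]byte{}, signed.Manifest...), Signature: signed.Signature}
	tampered.Manifest[len(tampered.Manifest)-2] ^= 0x01
	_, err = VerifyManifest(pub, tampered)
	fmt.Println("tampered manifest:", err)
}
```

The order of operations is the point: the device verifies the signature first and only then uses the manifest as its baseline, so an attacker who can rewrite files on the device but does not hold the vendor key cannot also rewrite the record of what the files should be. The same manifest, archived per update, is the "track and trace" record an auditor asks for.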

12) Which types of security controls do I believe make inter-device communications most trustworthy?

  • Mutual Authentication
  • Immutable Device Identity for Onboarding (Enrollment)
  • Key Lifecycle Management (Protection & Rotation)
  • Certificate Lifecycle Management (Renew, Rekey, Revoke)
  • Post Quantum Cryptography
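Mutual authentication appears under questions 9, 10 and 12, and "Immutable Device Identity for Onboarding (Enrollment)" is what makes it meaningful: each device holds a key that never leaves it and a certificate chaining to the fleet CA, and a peer that cannot present such a certificate gets no session at all. The Go program below is an added example written for this page, not Mocana's code; it builds a throwaway in-memory PKI (hypothetical names "Fleet Device CA", "gateway.local" and "plc-0042") and runs one mutual TLS handshake over loopback, then repeats it with a device whose certificate comes from a different CA to show the gateway refusing it even though it claims the same name. In a fleet the device key sits in a secure element and the CA key in an HSM; the rest of the code is unchanged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by that CA. In-memory PKI constructed for this example.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signerCert, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signerCert, signerKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key, err
}

// Handshake runs one mutual TLS handshake over loopback between a gateway that
// requires a device certificate chained to pool and a device that requires the
// gateway's certificate chained to the same pool. It returns the CommonName each
// side authenticated in the other, or an error if either side refused.
func Handshake(pool *x509.CertPool, gateway, device tls.Certificate) (string, string, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{gateway}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // "mutual": no valid device cert, no session
	cliCfg := &tls.Config{Certificates: []tls.Certificate{device}, MinVersion: tls.VersionTLS12,
		RootCAs: pool, ServerName: "gateway.local"}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	var srv *tls.Conn
	errc := make(chan error, 1)
	go func() { // gateway side: accept one device and handshake
		conn, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		srv = tls.Server(conn, srvCfg)
		errc <- srv.Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String()) // device side
	if err != nil {
		return "", "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, cliCfg)
	cliErr := cli.Handshake()
	if cliErr != nil {
		raw.Close() // let the gateway goroutine fail out rather than wait on us
	}
	if srvErr := <-errc; cliErr != nil || srvErr != nil {
		return "", "", fmt.Errorf("device side: %v; gateway side: %v", cliErr, srvErr)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName,
		cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	_, caCert, caKey, err := issue("Fleet Device CA", nil, nil)
	gateway, _, _, _ := issue("gateway.local", caCert, caKey)
	device, _, _, _ := issue("plc-0042", caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	gw, dev, err := Handshake(pool, gateway, device)
	fmt.Println("gateway authenticated", gw, "/ device authenticated", dev, "/ err:", err)
	_, rogueCA, rogueKey, _ := issue("Rogue CA", nil, nil)  // a cloned device with its own CA
	rogue, _, _, _ := issue("plc-0042", rogueCA, rogueKey) // same name, wrong chain
	_, _, err = Handshake(pool, gateway, rogue)
	fmt.Println("rogue device:", err)
}
```

Identity here is the key pair plus the chain, not the name: the rogue device presents a certificate for "plc-0042" and is still refused because its chain does not end in the fleet CA that the gateway's ClientCAs pool trusts. Certificate lifecycle management (renew, rekey, revoke) from the list above operates on exactly these objects, and a revoked device is removed by refusing its chain, not by changing the protocol.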

13) Which types of OT devices do I believe require protection controls?

  • Air Gapped
  • Edge Gateways
  • Resource Constrained
  • Brownfield (Legacy)
  • Wired
  • Wireless

14) Which restrictions do I believe are consequential for device vendors in the fragmented global market of IIoT/IoT?

  • Open Source Security Controls
  • Export Controls on Technology
  • Import Controls on Technology
  • Cloud Platform Vendor Lock-in

15) What would be the most effective long-term strategy for device vendors for productization and secure interoperability with emerging technologies?

  • Open Source Security Components
  • Build a Proprietary Solution
  • Build a Standards Based Solution
  • Buy a Standards Based Commercial Solution

The Climb

In the end, the primary use cases and industry-specific needs will drive the desired solution. The overarching objective of digital transformation, however, must be to connect OT devices in cyberspace with embedded safety and protection countermeasures for scalability, visibility, control, and a "single pane of glass" for field operators. This will necessitate a horizontal platform with core capabilities and intrinsic functions to address:

  • Device Tampering
  • Device Cloning
  • Device Hardening
  • Zero Trust Infrastructure with Mutual Authentication and Secure Elements
  • Device Recovery
  • Track and Trace Updates
  • Supply Chain Provenance
  • Network Traffic Encryption with Pathway to Post Quantum Cryptography
  • Standards & Compliance (e.g. NIST, IEC, NERC-CIP)
  • Network Segmentation

The Escalator

Mocana’s solution architecture based on the operations, analytics and development platforms provides a framework for the seven habits of trustworthy devices, the five degrees of protection, and the three rings of resilience required for OT/IT convergence.

The Seven Habits of Trustworthy Devices


The Five Degrees of Protection


The Three Rings of Resilience

