The Gray Area Between IoT and OT: Managing Risk
Part 2 of 2, by Francis Cianfrocca
The Internet of the near-future will contain ever-more connected devices doing everything from full-biometric payments to connected cars, with security that is only marginally better than what we have today.
The world’s businesses simply won’t let security concerns slow or stop a multi-trillion dollar global transformation. There will be significant changes to security over time. As often happens, the changes will be initially surprising, but obvious in retrospect after they arrive.
Expect to see risk-based approaches to security for the near-future’s cyber-physical systems, incorporating concepts from military battle-space planning, such as OODA loops and resiliency. These will increasingly take the place of today’s standard vulnerability-management approaches, both for cost reasons and because the threat landscape is just too fluid.
There’s a possible role for smart devices themselves to contribute to the overall security, but I don’t expect it to come through the authentication chips and secure-boot attestations that people have been working on for the past few years. Basic economics works against the notion of adding powerful compute stacks, with sophisticated security capabilities, to billions upon billions of connected devices.
I think many devices will be engineered with voluntary behavioral constraints. Devices will start having “foundational beliefs” burned into their silicon that will operate like ethical constraints do in human populations.
And there will be large-scale artificial intelligences looking to assign instantaneous risk scores to large sectors of network space, regardless of the device populations they contain. The global response to the COVID pandemic has already accelerated this trend. The AI will actively seek to counter observed threats by carving out “safe” network spaces, possibly through automatic overlays. This general concept is applicable in organizational cyberspaces as well as in national infrastructures.
Users and device makers will simply assume that security is happening “above their heads,” courtesy of their network and hyperscale-computing providers. Novel technologies will enable the cyberspaces of the near future to become increasingly self-defending.
This change is inevitable: it just won’t be possible to train enough expert practitioners in today’s reactive cybersecurity technologies to meet the demand. As technologies improve, CISO organizations will change and shrink, just as “chief electrification officers” did in the early 20th century.
The Difference Between IoT and OT
As you think through the transformations, you can see the big difference between IoT and OT: Fixed-plant, four-walls OT will take 10-20 years to radically change from what it is today, because of the capital-replacement cycle.
My colleagues and I have done a great many cyber-risk assessments for industrial organizations. We’ve walked many plants where there is a handful of people, often only one, who designed all the automation 10 or 15 years ago. They’re still in charge because no one else knows what they know about those plants. Many of these people are in their 50s now, so they have a good ten more years to go.
Extensive deployments of classical reactive security technologies won’t work. They’re far too expensive, for one thing. More importantly, there is a lack of skills to manage them, especially in the remote locales where industrial operations are often sited.
This means that securing these environments will be all about installing some light perimeter defenses, and then carefully monitoring the east-west traffic inside these networks to detect lateral movement and reconnaissance. In essence, the strategy is to detect and disrupt bad activities early in their cycle, and eventually even to predict them.
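To make the east-west monitoring idea concrete, here is a small baseline-then-alert detector added as an illustration. It is not InsightCyber’s product and not code from the original post. The flow records (an HMI polling PLCs over Modbus/TCP, an engineering workstation talking to a historian, then that workstation starting to touch PLCs and sweep ports) are constructed for the example, and the IP addresses, port numbers and alert thresholds are assumptions chosen to keep the sample readable. The approach relies on a property that fixed-plant OT networks usually have and IT networks usually don’t: the set of who-talks-to-whom is small and stable enough that a learned baseline stays meaningful.

```python
"""Baseline-then-alert detection of lateral movement and recon in east-west flows.

Added illustration, not InsightCyber's product or the post's own code.
Flow records are constructed 5-tuple summaries (what a span port or flow
exporter would hand you); addresses, ports and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str


# Constructed learning window: HMI -> PLC polling, engineering workstation (EWS) -> historian.
BASELINE_FLOWS = [
    Flow(1000, "10.1.0.10", "10.1.0.50", 502, "tcp"),    # HMI -> PLC (Modbus/TCP)
    Flow(1005, "10.1.0.10", "10.1.0.51", 502, "tcp"),
    Flow(1010, "10.1.0.20", "10.1.0.60", 1433, "tcp"),   # EWS -> historian DB
    Flow(1015, "10.1.0.10", "10.1.0.50", 502, "tcp"),
]

# Constructed detection window: the EWS starts reaching PLCs it never spoke to and probing ports.
OBSERVED_FLOWS = [
    Flow(2000, "10.1.0.10", "10.1.0.50", 502, "tcp"),    # normal
    Flow(2001, "10.1.0.20", "10.1.0.60", 1433, "tcp"),   # normal
    Flow(2002, "10.1.0.20", "10.1.0.50", 502, "tcp"),    # new pair: EWS -> PLC
    Flow(2003, "10.1.0.20", "10.1.0.50", 44818, "tcp"),  # EtherNet/IP probe on the same PLC
    Flow(2004, "10.1.0.20", "10.1.0.50", 102, "tcp"),    # S7comm probe on the same PLC
    Flow(2005, "10.1.0.20", "10.1.0.51", 502, "tcp"),    # horizontal sweep of PLC subnet
    Flow(2006, "10.1.0.20", "10.1.0.52", 502, "tcp"),
    Flow(2007, "10.1.0.20", "10.1.0.53", 502, "tcp"),
    Flow(2008, "10.1.0.20", "10.1.0.54", 502, "tcp"),
]


def learn_baseline(flows):
    """Return the set of (src, dst, dport, proto) tuples seen in a trusted learning window."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def detect(flows, baseline, fanout_threshold=4, port_threshold=3):
    """Return a list of (kind, src, detail) alerts for flows outside the baseline.

    new_pair   - src reached a dst/port/proto never seen in the baseline (lateral-move candidate)
    host_sweep - src reached >= fanout_threshold distinct new dsts (horizontal recon)
    port_sweep - src probed >= port_threshold distinct new ports on one dst (vertical recon)
    """
    alerts = []
    new_dsts = defaultdict(set)    # src -> set of never-before-seen destinations
    new_ports = defaultdict(set)   # (src, dst) -> set of never-before-seen ports
    for f in flows:
        key = (f.src, f.dst, f.dport, f.proto)
        if key in baseline:
            continue                # known-good conversation, nothing to say
        alerts.append(("new_pair", f.src, f"{f.dst}:{f.dport}/{f.proto}"))
        new_dsts[f.src].add(f.dst)
        new_ports[(f.src, f.dst)].add(f.dport)
    for src, dsts in new_dsts.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("host_sweep", src, f"{len(dsts)} new destinations"))
    for (src, dst), ports in new_ports.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_sweep", src, f"{len(ports)} new ports on {dst}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the shape a dashboard or a test would consume."""
    counts = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for alert in detect(OBSERVED_FLOWS, base):
        print(*alert)
```

Two caveats a practitioner would raise. First, the baseline is only as clean as the learning window: if the adversary is already inside while you learn, their traffic becomes "normal", so the window should be reviewed against the plant's known communication matrix rather than trusted blindly. Second, this sees only what the network shows; a workstation that is already on the approved list for a PLC can do harm with no new pair ever appearing, which is the visibility gap the rest of this post comes back to.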
At InsightCyber, we’ve been preparing for this doctrinal change for several years now. We are getting tremendous interest from CISOs who see it as a way to get ahead of ever-increasing threats with ever-shrinking budgets.
Radical Changes for IoT
Moving from fixed-plant OT to the far more dynamic world of IoT and “converged” IT/IoT, the case for moving from a reactive to a proactive posture is even more compelling. The sheer scale of the cyber-physical world, coupled with the potentially huge safety and privacy impacts of breaches, means that risk management will inevitably supplant vulnerability management.
This space is already full of security vendors pushing various types of anomaly-detecting AI. What we hear from customers and partners is that the existing efforts fall short because they just don’t provide enough visibility. There’s only so much you can learn from network-traffic analysis, even augmented with decent machine-learning. But most vendors don’t really have anything else to offer.
A number of additional sources of knowledge, including integrations with line-of-business systems, are needed to make this really work. And this requires solving a number of challenging problems, relating to analytics-at-scale, cognitive visualization technology, and qualitative data normalization.
But at InsightCyber, we’re already seeing the benefits to customers of this new approach. So keep watching this space for more news!
Francis Cianfrocca is Founder and CEO of InsightCyber.