So you want to connect IoT or OT traffic into your corporate network. Some things to consider.
Mike McKean
DEFENCE TECHNOLOGY PROJECT MANAGER for: Ministry of Defence (MoD), Citigroup, Reuters and the NHS. Technical Architect for: UAV, USV, UAV. Army Royal Corps of Signals Technician Sergeant Veteran.
Introduction
This short paper covers a number of methods for securing a network where Operational Technology (OT) traffic and ordinary corporate traffic share the same physical infrastructure.
Pharmaceutical Specific Risk (see diagram)
The cost of R&D for a new drug is very large, and the time during which a company can then market and sell that drug under patent is limited. Companies therefore keep the details secret for as long as possible before patent protection expires, which makes research and process data crossing a shared network a high-value target. The diagram referred to above is from the Journal of Pharmaceutics and Nanotechnology.
Out of Scope
This short paper does not discuss the standard network security measures that a corporate IT department will already have in place. The focus is on the impact of introducing Operational Technology (OT) traffic into an existing corporate IT environment. The impacts considered are security and performance.
Process Data at the Edge or Centre? (Fog Computing)
If we move all data to the centre for processing, we send a lot of traffic, and we move sensitive information around the network. It also means that if the network is slow or fails, and the end-points are dumb, the IoT/M2M/OT solution fails with it.
Modern IoT/M2M end-points can include a powerful processor with substantial RAM and non-volatile storage, so they can run autonomously. This reduces network traffic, reduces the amount of sensitive data exposed on the network, and makes the application tolerant of network outages. Such devices cost approximately £8 each. Note that this moves the data rather than removing the risk: it now sits on a device that must itself be protected (see Physical End-Point Security below).
However, there will be occasions where, after data has been processed at the edge, certain decisions need to be validated by a central decision-making authority, be that a human or a computer.
Microchip and Texas Instruments ICs used in “Endpoints”
I am quite experienced with the Microchip RN4870, and I am just starting to review the TI CC3220 IC. I'll summarise them as follows: the RN4870 is a traditional PIC, uses an 8-bit CPU, and is configured using scripting. It is fairly limited in terms of memory and storage. Having said that, I do like it, and it's robust, simple and powerful, if you know low-level languages, machine code and logic.
The CC3220 is new to me. It has a modern 32-bit ARM Cortex CPU, lots of RAM and storage, and two separate CPU areas for application and network management. It is programmed (usually) using an Eclipse-type IDE called Code Composer Studio, and I'm writing in C++. It has a well thought through security suite that is far too detailed to review here, but see this link to learn more: https://www.ti.com/lit/an/swra509a/swra509a.pdf
The CC3220 allows very complex edge processing to take place. In practical terms it is an autonomous end-point that only needs to connect to the centre to share data, or to receive authority to take an action, in particular situations.
For an enterprise-wide IoT/OT/M2M solution, the CC3220 allows developers to write code that uses the central business-processing environment when appropriate, while executing many extra features autonomously at the edge. For example, you may have a legacy (industrial) application that you want to upgrade but, for whatever reason, are reluctant to change. As an option you could add new functionality at the edge which delivers new data or capability to the core, with only minimal changes at the centre.
Network Performance
If you need to use the corporate network for new OT traffic, one danger is that you slow down the whole network. Some things to consider, and avoid:
- Use VPNs for security (see further down). A VPN does not, however, limit bandwidth; use QoS policing on the OT VLAN (see OT Traffic Sizing) so that OT traffic is capped at, say, 10% of the available bandwidth.
- Polling or interrupts. Consider regular polling for routine state, with interrupts (report-by-exception) for anything out of band, rather than streaming every reading to the centre.
- Don't schedule many thousands of updates all “on the hour” or you'll introduce huge spikes; give each device a fixed random offset (jitter) within the reporting period so the load is spread.
- Use high-powered, autonomous edge devices (see the TI CC3220 above). It's a little like grid computing and the MapReduce tactic, but this time the aim is not scalability or performance but minimising traffic across the network: do the processing at the edge and (mostly) use the network for command and control, or other updates. MapReduce was the tactic of sending small parts of a program to the many nodes where the data was held, executing the program on thousands of nodes (usually on a JVM), then “reducing” the answers back to the central site.
- Data back-up or centralisation. Schedule any bulk data ingestion at times when the corporate network is quiet.
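The two ideas above (process at the edge and report by exception, and don't let every device check in at the same second) are shown together in the following added example. It is not code from the original paper or from TI; the sensor readings, thresholds and device counts are constructed, and the `EdgeAgent` class is an illustration of the pattern, not a CC3220 API.

```python
"""Edge processing and report-by-exception, with jittered check-ins.

Added example for this page, not code from the original post. The sensor
readings, thresholds and timings below are constructed for illustration.
"""
import random
from collections import Counter


def make_readings(n=3600, spike_at=(1200, 2400), seed=1):
    """Constructed sample: one temperature sensor read once a second for an
    hour, nominally 20 C, with two out-of-band readings the centre must see."""
    rng = random.Random(seed)
    readings = []
    for t in range(n):
        value = 35.0 if t in spike_at else 20.0 + rng.uniform(-0.5, 0.5)
        readings.append((t, value))
    return readings


def centralised(readings):
    """Dumb end-point: every raw reading is sent to the centre."""
    return [{"t": t, "type": "raw", "value": v} for t, v in readings]


class EdgeAgent:
    """Autonomous end-point: keeps raw data local, sends an 'exception' message
    when a reading leaves the allowed band (the interrupt case) and a compact
    summary every `summary_every` seconds (the polling case)."""

    def __init__(self, low, high, summary_every):
        self.low, self.high, self.summary_every = low, high, summary_every
        self._reset()

    def _reset(self):
        self.count, self.total = 0, 0.0
        self.lo, self.hi = float("inf"), float("-inf")

    def process(self, t, value):
        out = []
        if not self.low <= value <= self.high:
            # Out of band: the centre must decide (open/close a valve, alarm...)
            out.append({"t": t, "type": "exception", "value": value})
        self.count += 1
        self.total += value
        self.lo, self.hi = min(self.lo, value), max(self.hi, value)
        if (t + 1) % self.summary_every == 0:
            out.append({"t": t, "type": "summary", "n": self.count,
                        "mean": self.total / self.count,
                        "min": self.lo, "max": self.hi})
            self._reset()
        return out


def edge_processed(readings, low=18.0, high=22.0, summary_every=600):
    agent = EdgeAgent(low, high, summary_every)
    messages = []
    for t, v in readings:
        messages.extend(agent.process(t, v))
    return messages


def check_in_offsets(n_devices, jitter=0, seed=7):
    """Second within the reporting period at which each device reports.
    jitter=0 is 'everyone on the hour'; jitter=N gives each device a fixed
    random offset in [0, N], which spreads the load without changing the period."""
    rng = random.Random(seed)
    return [rng.randint(0, jitter) for _ in range(n_devices)]


def peak_per_second(offsets):
    """Worst-case number of devices reporting in the same second."""
    return max(Counter(offsets).values())


if __name__ == "__main__":
    readings = make_readings()
    print("messages, all raw to centre:", len(centralised(readings)))
    print("messages, edge processed   :", len(edge_processed(readings)))
    for msg in edge_processed(readings):
        if msg["type"] == "exception":
            print("  needs a central decision:", msg)
    print("peak devices/second, 10000 devices on the hour:",
          peak_per_second(check_in_offsets(10000)))
    print("peak devices/second, same devices jittered over 1h:",
          peak_per_second(check_in_offsets(10000, jitter=3599)))
```

For the constructed hour of data the dumb end-point sends 3600 messages and the edge agent sends 8 (two exceptions and six ten-minute summaries), and the hourly check-in of 10,000 devices drops from a 10,000-per-second spike to a handful per second once each device has its own offset.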
Endpoint Security
Using a Network Security Server
Corporate IT security. This type of end-point security is standard and enforces security policies, e.g. authentication, passwords and geo-fencing. However:
- What if an IoT/M2M/OT device is compromised?
- The traffic sent is not unusual in volume or pattern, so no network anomaly is noted.
- But the data itself is erroneous: instead of opening a valve, or closing a sluice gate, the opposite happens. A network-level control cannot see this; only a check against what the process can plausibly be doing can. Note: I have two security patents that defend against this: IoT Sensor Security, using Logic & A.I. (Patent 1715544.1) and Controlling a CPU using hardware breakpoints & external Logic & A.I. (Patent 1719610.6). My second design allows hundreds of hardware break-points, not the normal small handful.
Standard, Modern, Industrial Connection Devices
There is a wide range of end-points from the large networking vendors. This should make an end-to-end networking solution easier to deploy. On the other hand, you limit the capability of your core IoT/M2M/OT technology to whatever that networking vendor will support.
Industrial Control – Using Old Desktop OS Systems
In some organisations these can be based on very old, unprotected desktop operating systems. Until recently these machines were stand-alone and would never connect to the corporate LAN, let alone any WAN/Internet connection. Some of these machines will be very old Windows 98 or XP systems, for which no security patches are issued any more.
Securing Old Desktop OS Systems
If these must be retained and used, their security can be improved. The steps are summarised as follows:
- Remove all applications not needed to run the core application
- Apply any security patches available
- Run as a standard user if possible, i.e. do not run as administrator
- Lock down the old OS as much as possible
- Clone using Acronis (as an example)
- Virtualise using VMware (possibly VMware Player, due to age)
- Secure access using UltraVNC (due to age, as an example); VNC authentication is weak on its own, so restrict who can reach it at the hypervisor firewall
- Host on a hypervisor
- Implement corporate security at the hypervisor level: host firewall rules that allow the VM to talk only to the equipment it controls and to the administrators' VNC sessions, with no other connectivity
Note: most cloud providers will not allow such an old OS VM to be hosted in their environment. This tactic is designed simply to enclose a vulnerable desktop platform on a more modern commodity platform using a hypervisor, and to lock that down as much as you can. It's not ideal, but it is better than running a bare Windows 98/XP desktop on your network.
Bespoke OT/IoT/M2M Endpoints
Some OT devices will be based on “bespoke” hardware. These need careful and detailed testing and analysis. I am not going to consider "hobby type" boards.
M2M/IoT Hub
Implement (if practical) a commercial-grade M2M/IoT hub, one that is supported by corporate IT, and implement all corporate IT security features on it. These are manufactured by the major networking firms, so they offer a degree of security and a single point at which corporate policy can be enforced between the devices and the rest of the network.
Medical Devices using Bluetooth
Imagine a hacker accessing a medicine dispensing or drip device and changing its settings. What if they have spoofed the MAC address of a white-listed, paired Bluetooth device, and/or hacked into a system admin terminal and used its credentials? A MAC allow-list is not authentication: pairing with an authenticated key exchange (Bluetooth LE Secure Connections) and application-level authentication of each command are needed. (One of my IoT Security Patents defends against this, see IoT Sensor Security, using Logic & A.I., Patent 1715544.1.)
OT Traffic Sizing
Set a maximum bandwidth with QoS policing in the switches so that any traffic from the OT VLAN is limited to a percentage of the available bandwidth, say 10%. Put another way, the corporate IT network will always have 90% of the bandwidth available, even if there is a problem (a runaway device or a flood) on the OT network.
Network Segmentation
Typically segmented using firewalls, SDN and VLANs. The main benefit is to limit any breach to that network segment. These areas are explored as follows.
VLANs
Separate your network such that the OT traffic and regular IT traffic use separate VLANs, and route between them only through a firewall with an explicit allow-list. A VLAN on its own is a Layer 2 separation, not a security boundary, as the attacks below show.
VLAN Attacks
1. Basic Hopping VLAN Attack
2. Double Encapsulated 802.1q VLAN Hopping Attack
3. VLAN Trunking Protocol Attack
4. Media Access Control Attack
5. Private VLANs Attack
6. Spanning Tree Attack
The above can be avoided by correct switch configuration, see below:
VLAN Configuration Hardening
1. Manage switches in as secure a manner as possible (SSH, permit list, etc.)
2. Always use a dedicated VLAN ID for all trunk ports
3. Be paranoid: Do not use VLAN 1 for anything
4. Set all user ports to non trunking
5. Deploy port-security where possible for user ports
6. Have a plan for the ARP security issues in the network
7. Enable STP attack mitigation (BPDU Guard)
8. Use private VLAN where appropriate to further divide L2 networks
9. Use MD5 authentication for VTP (if VTP absolutely needed)
10. Use CDP only where necessary
11. Disable all unused ports and put them in an unused VLAN
Note: the above is from a SANS paper, see https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090
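A checklist is only useful if it is checked. The following added example (not from the original paper or the SANS article) audits a Cisco IOS-style switch configuration for a subset of the points above and shows a weak configuration beside a hardened one. Both configurations are constructed; interface names, VLAN numbers and the choice of 999 as the unused/native VLAN are illustrative.

```python
"""Audit a Cisco IOS-style switch config against the VLAN hardening list above.

Added example, not part of the original post or of the SANS paper; both
configs below are constructed. The checks are simple line matching over a
subset of the list (native VLAN and VLAN 1 on trunks, DTP, VLAN 1 on access
ports, port-security, BPDU Guard, unused ports, VTP password, CDP), so a
clean result means 'nothing obvious', not 'correct'.
"""
import re

WEAK_CONFIG = """\
vtp mode server
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode access
!
"""

HARDENED_CONFIG = """\
vtp mode transparent
no cdp run
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport access vlan 999
 shutdown
!
"""


def parse(config):
    """Split an IOS-style config into global lines and {interface: [lines]}."""
    globals_, interfaces, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, interfaces


def audit(config):
    """Return (where, finding) tuples; an empty list is a pass."""
    globals_, interfaces = parse(config)
    g = lambda p: any(l.startswith(p) for l in globals_)
    findings = []
    if (g("vtp mode server") or g("vtp mode client")) and not g("vtp password"):
        findings.append(("global", "VTP active without a password"))
    if not g("no cdp run"):
        findings.append(("global", "CDP running; disable globally or per port"))
    for name, lines in interfaces.items():
        has = lambda p: any(l.startswith(p) for l in lines)
        if has("shutdown"):
            continue  # a disabled port is not reachable at Layer 2
        if not has("switchport nonegotiate"):
            findings.append((name, "DTP negotiation not disabled"))
        if has("switchport mode trunk"):
            if not has("switchport trunk native vlan"):
                findings.append((name, "trunk uses the default native VLAN 1"))
            m = re.search(r"allowed vlan (\S+)", " ".join(lines))
            if m and "1" in m.group(1).split(","):  # ranges like 1-5 not expanded
                findings.append((name, "VLAN 1 allowed on trunk"))
            continue
        if not has("switchport mode access"):
            findings.append((name, "port not forced to access mode"))
        if "switchport access vlan 1" in lines or not has("switchport access vlan"):
            findings.append((name, "port left in VLAN 1 (unused or unassigned)"))
        for cmd, msg in (("switchport port-security", "port-security not enabled"),
                         ("spanning-tree bpduguard enable", "BPDU Guard not enabled")):
            if not has(cmd):
                findings.append((name, msg))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "findings:", audit(cfg) or "none")
```

The weak configuration produces nine findings (VTP without a password, CDP left running, a trunk with native VLAN 1 and VLAN 1 allowed, DTP left enabled, and a spare port left up in VLAN 1 with neither port-security nor BPDU Guard); the hardened one produces none. The properly configured OT port (GigabitEthernet1/0/2) in the weak config is reported clean, which is the check that the audit is not just flagging everything.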
Encryption
What type of encryption is used to protect data at rest and in transit? For transit, expect TLS (1.2 or later) with certificate-based mutual authentication between device and hub; for data at rest on the device, the key should be held in a hardware-protected store rather than in the same flash as the data.
Protocols
What programming or message-processing protocols are used (e.g. MQTT, CoAP, Modbus/TCP, OPC UA)? Many industrial protocols carry no authentication at all, so they must be confined to the OT segment or tunnelled.
Physical End-Point Security
How are the end-points secured? Are they remote, low-cost devices that may be easily removed and stolen? Is any data stored on the device? Are there any measures within the device to automatically delete all data?
- If the device is disconnected from the network, loses power, or senses a violent change in position, what happens to the data?
- Is the data in internal storage automatically removed, over-written or destroyed?
- On loss of connection a heartbeat is lost, and an automatic alert sends an email/alarm to local site security.
- CCTV cameras etc. could be programmed to focus on that area.
i.e. if someone steals the device, all they have taken is an £8 device with no data.
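The two mechanisms above, a heartbeat that site security watches and a device that destroys its own data on tamper, are shown together in the following added example. It is not code from the original paper; the device names, the site event log and the timings are constructed, and the XOR keystream stands in for a device's hardware AES so the key-erasure effect can be demonstrated offline (it is not a production cipher).

```python
"""Heartbeat loss alerting and key-zeroise-on-tamper for a cheap remote end-point.

Added example, not code from the original post. Device names, the event log
and the timings are constructed. The device keeps its data key only in RAM
and stores records on flash encrypted under that key, so a tamper event (power
loss, disconnect, violent movement) only has to erase 32 bytes of RAM for the
flash contents to become unrecoverable. The XOR keystream below stands in for
the device's hardware AES so the effect can be shown offline; it is not a
production cipher.
"""
import hashlib
import os

HEARTBEAT_PERIOD = 30   # seconds between heartbeats
MISSED_ALLOWED = 2      # missed heartbeats tolerated before alerting
TAMPER_EVENTS = {"power_loss", "link_down", "accelerometer_shock"}

# Constructed site log: (seconds, device, event). sensor-b is picked up at
# t=61 and never heartbeats again.
SITE_LOG = [
    (0, "sensor-a", "heartbeat"), (0, "sensor-b", "heartbeat"),
    (30, "sensor-a", "heartbeat"), (30, "sensor-b", "heartbeat"),
    (60, "sensor-a", "heartbeat"), (61, "sensor-b", "accelerometer_shock"),
    (90, "sensor-a", "heartbeat"), (120, "sensor-a", "heartbeat"),
]


def keystream_xor(key, nonce, data):
    """Illustrative SHA-256 counter-mode XOR; models 'encrypted under a RAM-only key'."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EndPoint:
    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)   # RAM only, never written to flash
        self.flash = []             # persistent: (nonce, ciphertext) records
        self.zeroised = False

    def store(self, record):
        nonce = os.urandom(12)
        self.flash.append((nonce, keystream_xor(self.key, nonce, record)))

    def read_all(self):
        """Plaintext records, or None once the key has been zeroised."""
        if self.key is None:
            return None
        return [keystream_xor(self.key, n, c) for n, c in self.flash]

    def on_event(self, event):
        """Tamper handling: erase the key; flash still holds ciphertext only."""
        if event in TAMPER_EVENTS and self.key is not None:
            self.key = None
            self.zeroised = True


def overdue_devices(log, now, period=HEARTBEAT_PERIOD, missed=MISSED_ALLOWED):
    """Devices whose last heartbeat is older than (missed + 1) periods at `now`."""
    last = {}
    for t, dev, event in log:
        if event == "heartbeat" and t <= now:
            last[dev] = max(last.get(dev, -1), t)
    return sorted(d for d, t in last.items() if now - t > period * (missed + 1))


def site_alerts(log, now):
    """What local security should see at time `now`: tamper events and silent devices."""
    limit = HEARTBEAT_PERIOD * (MISSED_ALLOWED + 1)
    alerts = [f"{t}s {dev}: tamper event {event}"
              for t, dev, event in log if event in TAMPER_EVENTS and t <= now]
    alerts += [f"{now}s {dev}: no heartbeat for more than {limit}s"
               for dev in overdue_devices(log, now)]
    return alerts


if __name__ == "__main__":
    dev = EndPoint("sensor-b")
    dev.store(b"batch 17, reactor 2, pH 7.2")
    print("before tamper:", dev.read_all())
    dev.on_event("accelerometer_shock")
    print("after tamper :", dev.read_all(), "- flash still holds",
          len(dev.flash), "encrypted record(s)")
    for line in site_alerts(SITE_LOG, now=150):
        print(line)
```

The order matters: the key is erased on the device as soon as the shock is sensed (t=61), well before the centre notices the missing heartbeats (here after three periods, so from t=121 on). The flash is not wiped at all, which is deliberate: overwriting flash is slow and may be interrupted by a pulled power lead, whereas clearing a 32-byte key in RAM is instant, and without it the stored records are just ciphertext. The real device would use a tamper-zeroised key register or a secure element for the key, and proper AES for the records.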
Comments/Remarks
I can see some holes in the above. I seriously welcome any comments. This is too wide an issue for me to fully cover, but I want to learn. Please add any comments.
Thanks
Mike