Skip to main content

CITIES

IoT and OT Security: Decreasing the Attack Surface

OT security

When it comes to IT, everyone knows that cybersecurity is crucial; you leave data unprotected at your peril. But what about OT? The boundary between IT networks and OT networks isn’t as distinct as it once was, and that means protecting your OT is now also incredibly important. Think of the environments where machines are linked to physical safely, like factory floors—or hospitals. But how does a plant manager go about preventing cybercrime?

Part of the solution may be in FPGAs. And if you’re not already familiar with the term, you will be soon. We’ll talk about FPGAs, among other things, with Louis Parks, CEO of Veridify Security, a developer of security IP and tools; and Mark Frost, FPGA Security, Communications, and Configuration Technical Marketing Manager. They’ll discuss the challenges of OT security, the role of FPGAs in addressing those challenges, and even some non-cost options for protecting your OT network right away. Because the vulnerabilities are everywhere, and the bad actors will find them.

What are some of the challenges you see in the security landscape today?

Mark Frost: It’s clear that there’s been a rapid expansion of connectivity between devices. We’re seeing the boundaries of OT and IT networks blurring, and I think many people have just not considered the security implications there, especially of older networks connected to newer ones. The prevailing thought seems to be, “This seems to be working, so everything is okay.” But we’re seeing more and more cyberattacks these days, so it’s something people need to be paying attention to now. 

What makes OT security especially challenging?

Louis Parks: The short answer is that OT networks have been around for decades, but they’ve typically been naturally air-gapped, or disconnected, from the outside world; they’re running buildings, industrial sites, etc. On the other side of the picture, IT networks have always been developed and defined in a very secure fashion—firewalls, VPNs, malware detection—because of the perceived value of the data in HR, accounting, patient records, etc.

The challenge is that we are all looking to better utilize platforms, buildings, industrial PLCs, etc., so these things are now being connected to IT and OT networks for better visibility. I want to look at my building in Chicago from San Francisco or from New York. Now you’re connecting a very secure platform, your IT network, to a very insecure platform, your OT network. You’re increasing the attack surface, and that’s all a hacker really needs.

The other challenge is that, unlike the very homogenous IT environment—a Windows, a Linux, an Apple environment—in the building world there are many different protocols from many different vendors. Also, you’re working on 32-bit or smaller devices that have little or no room for security, and yet are gateways into the system now.

Why do the solutions available today fall short when it comes to OT?

Louis Parks: What are the problems? First of all, at a very high level there could be two really different goals. In the IT space the goal of cybersecurity is to protect data and keep the devices on the system under control. In the OT world the goal might just be to keep things functioning—think of a hospital. In a utility operating in an OT world it could be safety. IT security is a pretty mature market space. So guess what? A lot of the OT cybersecurity solutions we see come from the IT market space, and there’s a divergence between what the IT products that are entering the OT space are made to do, versus what the OT world actually needs.

I want to add the important point that anything you’re doing to secure your network is a good thing. But the typical security tools we see are primarily network based; in the IT world it’s pretty important that an IT director or CESO knows if you brought a device from home and plugged it into the network. A big no-no in a lot of operations. In the OT world they’re not really thinking about people bringing thermostats from home and plugging them in.

The IT tools now being used typically do give you visibility, which is a good thing. They give you monitoring, detection, and alerts; but they’re not protecting the data—because nobody would think of transmitting open text on an IT network—and they’re not stopping attacks. Also, if you do learn of an attack, in the IT world you have network people, IT people, sitting there ready to respond. In the OT world you may be calling a plant or building manager and saying, “Hey, on the 23rd floor we see unidentified data traffic on your HVAC system.” Not really actionable by them.

“On the #IT side: patches, firmware updates—those are weekly events. In the #OT world in some cases they’re nonexistent. So the ability to move the processing to the edge with an #FPGA is huge” – Louis Parks, @Veridify via @insightdottech

Please explain what FPGAs are and the role they play here.

Mark Frost: FPGA stands for Field-Programmable Gate Array. It’s a bit of custom hardware that you can program and set up in certain ways. We see use cases in very high-speed applications where people have got super high-speed data they want to process, or in applications where you need very low latency or high determinism. Often industrial applications will have those particular requirements.

Also, FPGA is really good for custom IO. For example, if you want to interface to this MRI machine over here and this motor drive over there, you can’t buy something off the shelf to do that; that kind of interfacing application needs some custom hardware, and that’s where FPGAs really shine.

We see them across all the applications, but again, particularly in the industrial space. In my group we’ve tried to think about how FPGAs can be suitable in this application, so some of our solutions have an industrial bent to them. We’ll think about things like functional-safety applications, and also longevity; OT networks are often designed and installed to last for 20 years. And the nice thing about the FPGA is that you can update it in the field; should some security hole be found, you can update that in the FPGA as well.

Louis Parks: On the IT side: patches, firmware updates—those are weekly events. In the OT world in some cases they’re nonexistent. So the ability to move the processing to the edge with an FPGA is huge. And that’s one of the powers of an Intel® FPGA—we don’t have to guess at everything today and just hope we’re good for the next 10, 15 years. We can address it.

What security strategies are you seeing out there?

Mark Frost: In the past, FPGA people have tended to rely on a security concept that is “security-through-obscurity.” FPGA was quite a niche product then, and there was no real published data about, say, how to properly configure the devices. However, there’s been massive growth recently, and people using FPGA devices now really need to start considering their security policies.

But it’s kind of mixed. Some people have gone to town, and they tend to be the ones who have really big security teams to work with. We have other customers with really small teams—maybe they just have one engineer to do everything. So the question is, how do we make it easier for them to start implementing some basic security features?

Louis Parks: Another issue we see is that the building or plant manager responsible for the system may not have the security background for protecting data that the ITs have. But the IT side may not see it as their purview to protect the HVAC system.

Another thing is that network segmentation—which is a common response from these network tools—works well in the IT world: I’ve got a bad data situation on a server here, and I can isolate it until I either replace the server or move the operations over. But if it’s operating a portion of a hospital, I may not be able to isolate it the same way.

So our focus at Veridify has been to take something like an Intel® FPGA, and provide security at the edge to protect the devices. We are also trying to give a proactive solution that doesn’t require the replacement of previously installed technology. An Intel® FPGA running our technology can be placed in front of a device as a security gateway, providing all of the authentication and data encryption you’d expect on an IT network, but running it almost like a VPN over an OT network.

How do Intel® FPGAs help support IoT security efforts?

Mark Frost: Our main task here is as an enabler. We’re trying to be a jack-of-all-trades across all these different verticals, so our devices are designed for many markets. We try to think about basic device features that will support security—that foundational base—that then people like Louis and his team can plug into.

But we have to do the right thing in the foundational base; we have to have the right hooks into the device. We have to think about things like functional safety-data packages, for example; about specific silicon features, real-time processing, and all this other stuff that Veridify can then build upon.

Louis Parks: Intel has a focus on security, on securing firmware data—things running on the FPGA. We then extend that by looking at how a device interacts with the devices around it, which is our focus. That communication between devices creates, in essence, what we often think of as the IoT.

How can organizations be successful at addressing OT networks?

Louis Parks: There is a range of monitoring tools out there that will give you the ability to look at your network, and that network-level strategy will give you some capability. There are also protocols out there that do add security; but some of those can be difficult to implement, because implementation or management isn’t necessarily seen as a priority for them.

Ours is a device-level focus; we’ve basically packaged cybersecurity in a box. When you plug in one of our edge devices, it auto-onboards. Recognizing that there’s limited availability of IT and cyber skills—particularly in the field or at the edge—we’ve done a zero-touch process. With Intel as a partner, that has been our focus.

But there are some non-cost things you can do today. Think about: Where are my risks? What would the risk be if somebody entered this part of my network? Is that critical or not? So make an evaluation. Do you have a backup of your OT network—your building system, your plant/factory? Nobody would ever think of not having an IT-network backup.

You mentioned a partnership with Intel; what has been the value of that relationship?

Louis Parks: We have a lot of expertise—my partners are mathematician cryptographers—so we bring that, plus engineering to the lab. But our product, DOME, came into being because Intel came to us and said, “There is a challenge in how devices at the edge of a network are managed, and we think you have a platform that could solve it.” So they not only bring us to opportunities and sectors, but, more importantly, they expose us to the issues that we then have to address.

And there’s no substitution for the reach and the depth of the Intel team. Their support in developing protocols, in developing solutions, and in helping us bring those to the market space—it’s invaluable. Thank you, Mark!

Mark Frost: You’re welcome. And, from our point of view, our primary aim is to sell silicon. We rely on partners like Veridify, because we can’t do that without these really cool solutions that appeal to the marketplace. We do what we can to help extend the reach of Veridify into these global markets through our sales networks and our channel networks, but it’s the work of these guys and their solution that’s the exciting part, really.

Any final thoughts you’d like to leave us with?

Louis Parks: I think everybody should be thinking about security. Unfortunately, security threats are a potential in the world we live in. I think people should look for solutions, and understand not only what those solutions can do for them, but also their own ability to use and manage them. Also, no single solution is going to do it all. So even when you’re successful, please keep working, keep looking; this is an ongoing process.

Mark Frost: I agree—don’t ignore security stuff. Things as simple as authenticating and encrypting the configuration data for your FPGA are two very simple things to do that could make a huge difference to the security of your FPGA implementation. Many of the most high-profile security breaches we’ve seen in the past were quite innocuous at the start, and still many people are thinking, “It’s not going to happen to me.” We’re here to help.

Related Content

To learn more about OT security, listen to Demystifying OT and IoT Security and FPGAs: With Veridify. For the latest innovations from Veridify, follow them on Twitter at @Veridify and on LinkedIn.

 

This article was edited by Erin Noble, copy editor.

About the Author

Christina Cardoza is an Editorial Director for insight.tech. Previously, she was the News Editor of the software development magazine SD Times and IT operations online publication ITOps Times. She received her bachelor’s degree in journalism from Stony Brook University, and has been writing about software development and technology throughout her entire career.

Profile Photo of Christina Cardoza