
IoT Integrator Summit: IoT and OT Defense: Similarities & Differences


This presentation was originally delivered during the IoT Integrator Summit on Securing Edge Computing, which took place from July 14-16, 2020. You can view the full event summary and access additional sessions from the IoT Integrator Summit here.

Following is the recording and a session summary of a talk by Emily Crose, Sr. Industrial Pentester at Dragos.

In this session recording, you will learn more about the differences between OT and IT networks and how to treat each.

Watch the video or peruse the notes from the session below.


Session Notes

The worlds of IoT and OT are often treated as one and the same, but the differences between these two disciplines are stark. In this talk, we will explore the similarities and differences in strategies to defend both.

Differences and similarities in IoT and OT

Operational Technology is what enables a factory to make widgets, whereas the Internet of Things is typically widespread consumer technology. Each has its own distinct characteristics.

Internet of Things | Operational Technology
--- | ---
Easy to patch and typically will do that on their own. | Requires users to manually load vendor patches.
Consumer technology. | Serves a very niche purpose and has to be custom programmed.
Inexpensive and easy to find. | Expensive.
Easy to use, made for users without technology backgrounds. | Requires specialized knowledge, made for users trained in the industry.
Decentralized with limited approval processes. | Hierarchical relationships between controllers and levels.
Commercial Off The Shelf (COTS), can be used in many different ways in different places. | Proprietary hardware made specifically for one purpose in one process.

While IoT and OT have many differences, they do share one similarity: they are both connected to the internet.




IoT and OT hardware and protocols

Operational Technology hardware is networked and transfers information up to the business. There are many different kinds of OT hardware; here are a few common ones:

  • Programmable logic controller
  • Remote terminal unit
  • Sensors


This hardware works in a hierarchical relationship known as the Purdue Model. Information passes through different levels of approval, and through VPNs, before it reaches the internet. Some levels are automated while others are manual. The Purdue Model keeps information safe and secure by forcing it through a long process of authentication at each level.

Similar to how OT devices work through the Purdue Model, IoT devices use BACnet (Building Automation and Control networks) to communicate with one another. BACnet brings all of the components together for one-way flow of data.

BACnet is typically used with environmental controls. For example, thermostats would be governed by BACnet to make sure that temperature, humidity and air pressure levels are where they should be. This protocol ensures that data crucial to the process is staying within its guidelines. 
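The BACnet/IP discovery exchange described above (a Who-Is broadcast answered by I-Am replies) is easy to observe passively, which is useful for exactly the asset inventory the session recommends later. The following Python parser is an added example; it is not code from the session or from Dragos. It decodes the BVLC, NPDU and APDU layers of a BACnet/IP frame, extracts the device identity from I-Am replies, and flags Who-Is broadcasts that originate from a host other than the sanctioned building management controllers. The frames, IP addresses and allowlist are constructed sample data.

```python
import struct

# BVLC function codes for BACnet/IP (ASHRAE 135 Annex J).
BVLC_ORIGINAL_BROADCAST = 0x0B
# Unconfirmed-Request service choices used for device discovery.
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
SERVICE_NAMES = {SERVICE_I_AM: "I-Am", SERVICE_WHO_IS: "Who-Is"}


def _read_app_tag(buf, pos):
    """Read one application-tagged value; returns (tag number, raw value, next position)."""
    tag = buf[pos]
    number, length = tag >> 4, tag & 0x07
    pos += 1
    if length == 5:                      # extended length lives in the next octet
        length = buf[pos]
        pos += 1
    return number, buf[pos:pos + length], pos + length


def parse_i_am(buf):
    """Decode the I-Am service parameters: object id, max APDU, segmentation, vendor id."""
    _, obj, pos = _read_app_tag(buf, 0)
    object_id = int.from_bytes(obj, "big")
    _, max_apdu, pos = _read_app_tag(buf, pos)
    _, segmentation, pos = _read_app_tag(buf, pos)
    _, vendor, _ = _read_app_tag(buf, pos)
    return {
        "object_type": object_id >> 22,          # 8 = device object
        "device_instance": object_id & 0x3FFFFF,
        "max_apdu": int.from_bytes(max_apdu, "big"),
        "segmentation": segmentation[0],
        "vendor_id": int.from_bytes(vendor, "big"),
    }


def parse_bacnet_ip(frame):
    """Parse the BVLC + NPDU headers and classify the APDU of one BACnet/IP UDP payload."""
    if len(frame) < 6 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP frame")
    function, length = frame[1], struct.unpack(">H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError("BVLC length does not match frame length")
    if frame[4] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, pos = frame[5], 6
    dest_net = None
    if control & 0x20:                   # destination specifier: DNET, DLEN, DADR
        dest_net = struct.unpack(">H", frame[pos:pos + 2])[0]
        pos += 3 + frame[pos + 2]
    if control & 0x08:                   # source specifier: SNET, SLEN, SADR
        pos += 3 + frame[pos + 2]
    if control & 0x20:                   # hop count follows the address specifiers
        pos += 1
    result = {"broadcast": function == BVLC_ORIGINAL_BROADCAST, "dest_net": dest_net}
    if control & 0x80:                   # network-layer message, carries no APDU
        result["service"] = "network-layer-message"
        return result
    apdu = frame[pos:]
    pdu_type = apdu[0] >> 4
    result["pdu_type"] = pdu_type
    if pdu_type == 1:                    # Unconfirmed-Request
        service = apdu[1]
        result["service"] = SERVICE_NAMES.get(service, f"unconfirmed-{service}")
        if service == SERVICE_I_AM:
            result.update(parse_i_am(apdu[2:]))
    else:
        result["service"] = f"pdu-type-{pdu_type}"
    return result


def triage(capture, known_managers):
    """Build a device inventory from I-Am frames and list hosts that sent Who-Is
    discovery broadcasts without being a known building management controller."""
    inventory, unexpected_scanners = {}, []
    for src_ip, frame in capture:
        info = parse_bacnet_ip(frame)
        if info["service"] == "I-Am":
            inventory[info["device_instance"]] = {
                "source": src_ip, "vendor_id": info["vendor_id"], "max_apdu": info["max_apdu"]}
        elif info["service"] == "Who-Is" and src_ip not in known_managers:
            unexpected_scanners.append(src_ip)
    return inventory, unexpected_scanners


# Constructed sample frames: a global Who-Is broadcast (DNET 0xFFFF) and one I-Am reply
# from device instance 1 (vendor id 15, max APDU 1476, no segmentation support).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
I_AM = bytes.fromhex("810b0014010010" "00" "c402000001" "2205c4" "9103" "210f")
# Constructed capture: (source IP, payload). 10.20.0.5 is the only sanctioned BMS head end.
CAPTURE = [("10.20.0.5", WHO_IS), ("10.20.0.17", I_AM), ("10.20.0.99", WHO_IS)]
KNOWN_MANAGERS = {"10.20.0.5"}

if __name__ == "__main__":
    devices, scanners = triage(CAPTURE, KNOWN_MANAGERS)
    print("inventory:", devices)
    print("unexpected Who-Is sources:", scanners)
```

Run against a real capture, the inventory is the list of devices that actually answered on the segment, which can be reconciled against the asset register; a Who-Is from an address that is not a known head end is a cheap indicator that something new is enumerating the building network.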

Threats and solutions in OT

One of the biggest threats to IoT and OT is ransomware. If there aren't enough security measures or the process is flawed, ransomware attacks are entirely possible in both IoT and OT. On the OT side, these attacks can shut down factories for days or weeks.

Throughout her years of experience in the OT and IoT fields, Emily Crose has learned her share of security lessons. Here are three lessons she shares with the audience.

  1. Segmenting devices keeps other sections of your network, and the internet, from gaining unauthorized access to them. This protects your devices and data and also tells you where your devices are geographically.
  2. Device configuration should expose only the minimum data needed. Over-sharing can reveal the inner workings of your process and of your sensitive network.
  3. Defense in depth plays a critical role in protecting internet-connected devices. This includes applying network security checks at both ends and in the middle of the information flow.


When planning any IoT or OT deployment, go in with eyes wide open: limit access, implement approval points, and make data flow one-way.
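The Purdue hierarchy, the segmentation lesson and the closing advice (limit access, add approval points, keep data flowing one way) can be turned into a mechanical check on a firewall rule set. The following Python audit is an added example, not code from the session or from Dragos. It uses the conventional Purdue numbering with level 3.5 as the industrial DMZ, and the two policy rules it enforces are this example's own assumptions that mirror the talk's advice: traffic must terminate at every level rather than skip across them, and a downward flow into the control zone (levels 0 to 2) needs a recorded approval point. The flows it evaluates are constructed sample rules.

```python
from dataclasses import dataclass

# Purdue levels from the physical process (0) up to the internet/cloud (5); 3.5 is the
# industrial DMZ between site operations and the enterprise network.
LEVELS = [0, 1, 2, 3, 3.5, 4, 5]
CONTROL_ZONE_MAX = 2      # levels 0-2 are the control zone that downward writes reach


@dataclass(frozen=True)
class Flow:
    name: str
    src: float              # Purdue level of the side that initiates the connection
    dst: float              # Purdue level of the side that answers
    approved: bool = False  # a recorded approval point exists for this downward flow


def required_path(src, dst):
    """Levels a flow must be terminated at, in order, e.g. 5 -> 4 -> 3.5 -> 3 -> 2."""
    i, j = LEVELS.index(src), LEVELS.index(dst)
    return LEVELS[i:j + 1] if i <= j else LEVELS[j:i + 1][::-1]


def evaluate(flow):
    """Return the policy findings for one flow; an empty list means it is acceptable."""
    findings = []
    skipped = required_path(flow.src, flow.dst)[1:-1]   # intermediate levels bypassed
    if 3.5 in skipped:
        findings.append("crosses the enterprise/OT boundary without terminating in the level 3.5 DMZ")
    elif skipped:
        findings.append(f"skips level(s) {skipped}; each level must terminate and re-originate the traffic")
    # One-way data flow: upward flows are fine, downward ones need an approval point.
    if flow.src > flow.dst and flow.dst <= CONTROL_ZONE_MAX and not flow.approved:
        findings.append("downward flow into the control zone without a recorded approval point")
    return findings


def audit(flows):
    """Map each flow name to its findings so the report can be reviewed or ticketed."""
    return {flow.name: evaluate(flow) for flow in flows}


# Constructed sample rule set, as it might be exported from a firewall review.
FLOWS = [
    Flow("historian replication to DMZ", src=3, dst=3.5),
    Flow("engineering workstation to PLC", src=2, dst=1, approved=True),
    Flow("ERP pulls directly from SCADA server", src=4, dst=3),
    Flow("vendor remote session to PLC", src=5, dst=1),
]

if __name__ == "__main__":
    for name, findings in audit(FLOWS).items():
        print(name, "->", findings or ["ok"])
```

The two flows that violate the model are the ones the talk warns about: an enterprise system reaching straight into site operations without a DMZ hop, and a remote vendor session that bypasses every level on its way down to a controller.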

Q & A from listeners

Emily Crose answers questions directly from our listeners.

Q: How does remote management fit in here?

A: Remote management has always been around in an OT context. Operators should focus more on the realities of the network rather than trying to air-gap the network. The reality is that there will have to be an overlap in patching and metrics. As long as you are being extra secure, implementing multi-factor authentication and limiting access to only those who need it, there is no reason why remote management and OT can't live in harmony.

Q: Would a better relationship between OT and IoT improve remote management?

A: The relationship between OT and IT has been contentious. This is because OT specialists are not as experienced in the nuts and bolts of the technology due to the technology doing most of the labor. To improve teamwork, IoT employees should approach OT staff understanding what their role is and express interest in what they are doing. 

Q: What do you recommend for single point monitoring?

A: The biggest recommendation for single point monitoring is enterprise monitoring. You could do this through network log management or network traffic collection. You could also use host-based log collection and aggregation. If you have a policy like this, you can send this data to a group that is experienced in log traffic analysis. It is also recommended to use robust asset management in OT.

Q: How can patching concerns be addressed or planned in IoT?

A: Many of these patches are applied transparently in traditional IoT. These devices can automatically update in a safe way by having them out of visibility from the internet in your network. 

Q: Do you have advice for integrators that are confronted with system owners that force IoT security upon OT environments?

A: There has to be a come-to-the-table moment for IoT and OT staff. The two should be able to understand each other's roles, as well as the similarities and differences between them.

Q: What are your thoughts on combining OT with existing incident response plans but tailored to address the limitations within the OT environment? 

A: This is a great start. Let’s say you have a device that has fallen into a breach condition and you will have to do remediation on the network. The IoT policy may call for a forensic analysis that uses many tools to collect evidence. While the policy is great, it may be too ambitious for what OT technology can do and therefore too ambitious for what OT staff can pull off. The best thing to do is recognize the overlap between IoT and OT and use that information for policies.




About Emily

I am an excellent employee with over 7 years of experience in information security. I have proven my worth as a desktop support technician and I am now working on proving my worth as a higher tier technician with interest in the network engineering, electronic forensics, and general information assurance areas. My goals include securing a full time position with a government agency in information assurance or working with a corporation in either information assurance or network engineering.

Specialties: I have a knack for working with Linux servers, with experience in working with Debian and Ubuntu server distributions. I hope to get experience in many other flavors of Linux as time goes on.
Not only am I experienced with Linux servers, but I have also worked heavily with Windows Server 2000 and 2003, as well as Mac OS X server distributions.

About Dragos

Dragos, Inc. is an industrial cybersecurity company focused on some of the community's hardest problems. The ecosystem our team has built is specifically tailored for industrial environments such as those found in industrial control system (ICS), Supervisory Control and Data Acquisition (SCADA), and Distributed Control System (DCS) environments. Our software platform and services help operators protect infrastructure sites such as power grids, water distribution sites, oil refineries, gas pipelines, manufacturing, and more. The Dragos team exists to safeguard civilization.
