The convergence of information technology (IT) and operational technology (OT) to secure the Internet of Things (IoT), the Industrial IoT (IIoT) and OT solutions will eventually follow the same route toward continuous monitoring that the IT world navigated over the past two decades.
The imminent risks with connected devices today are not problems to categorize as IT-, IoT- or OT-specific. The fundamental cracks are the grade of technology and the level of protection embedded in these devices before they are deployed in the field and provisioned for operation by conventional device management systems. Operational risk (OR) management requires attention to device security by design, not just device function by purpose.
Opening pinholes in the perimeter defenses (the demilitarized zone, or DMZ) exposed air-gapped and segmented enterprise networks to external users for remote access, and to internal users for cloud-hosted services. This confluence of public and private ecosystems led to a cascade of security controls: network traffic inspection for intrusion detection and prevention (the network operations center, or NOC), security information and event management (SIEM) systems (the security operations center, or SOC), platform hardening checklists, vulnerability and configuration assessment standards (NIST SCAP, CVE, DISA STIGs), threat-intelligence sharing formats (STIX/TAXII), and ultimately endpoint-based countermeasures for detecting and blocking landed malware and resident exploits. The operative phrase for the IT SOC was threat intelligence.
IT outsourcing, data center virtualization and cloud bursting led to securing the cloud (with cloud access security brokers and multi-factor authentication) and security in the cloud (with full-stack hardening, process isolation, secure enclaves and encryption of data lakes). With the migration of applications and data to public, private and community clouds, privacy and confidentiality concerns emerged. The software-as-a-service (SaaS) model shifted the onus of security to SaaS vendors as the guardians of multi-tenancy. The cloud became the home away from home for users and applications. The operative phrase for the cloud SOC was "visibility and control in the fog."
The emerging wave of digital transformation across industry sectors, from industrial control systems to healthcare, manufacturing, transportation, public utilities, critical infrastructure and defense, requires a paradigm shift. Unlike enterprise IT endpoints (user workstations, server farms and network elements), the needs of OT are radically different. OT requires runtime operational integrity monitoring, field device hardening (of both brownfield and greenfield devices), and supply chain risk management. These are not standalone solutions; they require a holistic and interconnected suite of specialized risk controls and countermeasures. The cloud is now extending its reach to devices. The operative phrase for the OT SOC is risk intelligence.
IT-OT convergence will require traditional IT SOC teams to operate outside their comfort zone alongside OT field operators. Digital transformation requires collaboration between silicon chip vendors, original device manufacturers, certificate authorities, managed security service providers and cloud platform vendors. It is fundamentally about life cycle management of a diverse set of devices (from Linux, Windows and macOS platforms to VxWorks, FreeRTOS and QNX real-time operating systems, tablets and smartphones) from the manufacturing line through field deployment, device health monitoring and condition-based maintenance.
A frictionless foundation for artificial intelligence (AI) and machine learning (ML) in OT applications begins with an intelligent device designed for tamper resistance, trusted content delivery, attested metrics and remote recovery. The vast investments in digital transformation and 5G require value creation, from embedded trust in devices to a low-latency services platform at edge gateways, for OT economics at scale and a return on investment. While CISOs and CIOs implement a strategic plan with security controls to optimize workflow and manage threats, CTOs and product security architects must design with protection controls to transform devices and manage risks. Security is a control, but trust is a chain.