A Sense of Security Blog

A Better Approach to Securing IoT Systems in ICS Environments

Authored by Sanjay Raja, (March 16, 2017 – Somerset, NJ)

The Internet of Things (IoT) is disrupting our thinking about what is actually networked. It's enabling greater centralized control and management over more and more services. One category of IoT is focused squarely on enabling Industrial Control Systems (ICS) associated with manufacturing and utilities to take advantage of IP-based networking.

Unfortunately, the caveat is that when we move these systems to non-proprietary communication and network technologies and use more off-the-shelf commercial operating systems, we also expose them to additional cyber risk. One of the more recent examples in the U.S. is the discovery of a Russian hacking operation, Grizzly Steppe, detected by the NSA within a Vermont utility company. Luckily, nothing was disrupted or stolen, but this example shows how vulnerable these systems are.

In the past, organizations maintained a strong separation between traditional IT infrastructure and operational technology (hence the distinct terms IT and OT) in order to strictly control access to the OT network. While that hard separation of IT/OT networks still exists, both sides increasingly use the same commercial IP network and operating system protocols, which is softening the separation.


Used to be that a strong perimeter was enough to separate IT and OT

With this shift, we now have an expanded attack surface which has made critical systems much more exposed to threat actors. The level of risk to these systems parallels the security risks introduced by Enterprise Mobility and VM/Cloud technologies. With so many variations in IoT systems and devices, many organizations rely on network segmentation policies and changes to maintain separation between IT and OT networks. However, as IoT grows, one should expect to see thousands of dynamically configured network segments at any given time. Introducing software-defined networking (SDN) to ICS leverages network visibility and context alongside access policies to apply dynamic network segments at any time, improving on-demand network performance and availability. From a security standpoint, segmenting the network this way is like having thousands of dynamically assigned security escorts moving through the network, making sure authorized users travel only across the right network resources to reach the right applications and data, based on defined policies.


Let’s make sure you can get where you are authorized to go safely and quickly with no detours

But how do I know I have the right access policies in place? How do I know the segmentation rules are working effectively to restrict inappropriate flows between and within IT and OT networks, without inhibiting the right users and applications? Most implementations rely on a lot of upfront planning. But once you are ready to flip the switch, there’s always the worry of misconfigurations that can lead to the accidental denial of resources or incorrect exposure of sensitive systems to unauthorized or even malicious users.

The National Institute of Standards and Technology (NIST) has a special publication called the Guide to Industrial Control Systems (ICS) Security [1], which provides excellent guidance on the implementation of network segmentation for ICS. The first step to securing these environments is having effective methods for complete network discovery, mapping and monitoring of changes in real time across IT and OT networks. It then also becomes critical to test and validate segmentation policies to guarantee availability while still restricting access. Lumeta Spectre can help ICS organizations both protect and optimize the segmentation of IT and OT networks. Lumeta offers companies Cyber Situational Awareness, providing unmatched real-time network context into dynamic network elements, endpoints, virtual machines and even cloud-based infrastructure, paired with threat intelligence. In addition, Lumeta can help IT and OT teams validate segmentation policies and monitor for unexpected paths, lateral movement or any sort of change, all in real time. To learn more about common blind spots in stopping attackers and other challenges with securing ICS infrastructure, download the Lumeta Solution brief for Securing IoT-ICS or contact us for more info at: info@www.lumeta.com. To learn more about Lumeta Spectre, go to http://www.lumeta.com/products/spectre/.
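As an added illustration of the segmentation validation described above (this is example code written for this post, not Lumeta's product or code), the script below checks observed flow records against an allowlist of permitted cross-zone flows and flags anything that crosses the IT/OT boundary outside policy, or that involves an address not found by discovery. The zone ranges, the policy entries and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed zone map (hypothetical addressing, not from the post).
ZONES = {
    "IT":  ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT":  ipaddress.ip_network("192.168.10.0/24"),
}

# Allowlist of (src_zone, dst_zone, proto, dst_port). Any other cross-zone
# flow is a violation; traffic that stays inside one zone is not judged here.
POLICY = {
    ("IT", "DMZ", "tcp", 443),     # IT users reach published HMI/historian views in the DMZ
    ("DMZ", "OT", "tcp", 502),     # Modbus/TCP into OT only from the DMZ jump host
    ("OT", "DMZ", "tcp", 8443),    # OT reporting upward to a DMZ collector
}

Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip):
    """Map an address to its zone; UNKNOWN means discovery has no record of it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def check_flows(flows, policy=POLICY):
    """Return (flow, reason) pairs for every flow that breaks segmentation policy."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if "UNKNOWN" in (s, d):
            violations.append((f, f"unmapped endpoint in {s}->{d} flow"))
        elif s != d and (s, d, f.proto, f.dport) not in policy:
            violations.append((f, f"cross-zone {s}->{d} {f.proto}/{f.dport} not permitted"))
    return violations

# Constructed sample flow records, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),        # IT -> DMZ: allowed
    Flow("10.2.0.10", "192.168.10.5", "tcp", 502),     # DMZ -> OT Modbus: allowed
    Flow("10.1.5.20", "192.168.10.5", "tcp", 502),     # IT -> OT direct: violation
    Flow("192.168.10.5", "10.1.5.20", "tcp", 445),     # OT -> IT SMB: violation
    Flow("192.168.10.7", "192.168.10.8", "tcp", 502),  # inside OT: not judged
    Flow("172.16.0.9", "192.168.10.5", "tcp", 502),    # unmapped source: flagged
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {reason}")
```

Run against a real flow export, the same check gives a repeatable way to confirm that the segmentation rules actually restrict the paths they were designed to, and to catch new paths as segments change.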


[1] NIST Special Publication 800-82 Revision 2