Posted by: Greg Ness | July 30, 2019

The New Network Security Equation We’re Discovering by Accident: IT<IIoT

Right after we celebrate the birthdays of two of the most destructive cyber attacks ever launched (WannaCry and NotPetya) a disturbing VxWorks advisory is issued for billions of IoT devices, and perhaps millions of them are unpatchable. There is a simple, fundamental equation that no one seems to grasp when it comes to IT skills, resources and capabilities: IT < IIoT (1)

It’s clear the digital era we’re being pulled into is creating a massive attack surface; and there are not enough people, training courses and/or funds to deploy another layer of traditional firewalls, access control and segmentation solutions fast enough to keep up. And the security and networking cartels would rather sell you more of the same (see below):

[Image: Archimedius Traditional Networking at Scale]

This stack is DOA for IIoT. It’s too cumbersome, complex and expensive for the digital era we’re entering (of billions of connected devices, many of which are easy targets to get inside a network). And, even worse, none of these solutions were architected for the demands of IIoT. An upcoming paper by unencumbered network infrastructure analyst Gabe Lowy spells out the critical shortcomings of the current network security stack:

Traditional firewall and VPN solutions were not architected for Industrial Internet of Things (IIoT) initiatives.  They were designed to protect against earlier generations of malware.  As such, they are no match for the IIoT threat environment.

      – Gabe Lowy, “Securing Critical Infrastructure against Cyberattack” – August 2019

His five requirements (availability/resilience; scale; visibility; management; and security) will certainly stir the pot with the traditional network stack vendors. I’ll share a link to the paper in August when it’s published.

It is readily apparent the network security stack has arrived at the same place it was in the 1990s, with the advent of the firewall in response to primitive worms and viruses attacking small pockets of connected networks (what we called the information superhighway). Yet that highway was nothing compared to today’s emergent digital era.

What the New Equation Means in Terms of Risk: “We’re not in Kansas Anymore”

What’s at risk beyond the new ability to compromise physical spaces, from lighting, to water, employee/customer access, patient care and diagnosis, production lines and transportation? The basic tenets of the digital era… or some could say the tenets of western civilization itself. Hyperbole, you say? Well, read this sobering report on the prospects for cyber war based on Richard Clarke’s new book (The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats) and how this new reality levels the playing field between the “superpowers” and the isolated upstarts once solely obsessed with nuclear weapons:

In the real world, Iran does have significant offensive cyber capabilities. The barrier to entry to having a meaningful cyberwar offensive force is low. Countries that could never defeat the United States in a purely conventional military battle can pose significant asymmetric risks to us in cyberspace.

– Fast Company Editors reviewing Richard Clarke and Robert Knake’s The Fifth Domain

A new approach is needed. But first we have to realize that IT<IIoT.

The hyper-converged infrastructures we’re building because of overwhelming business advantage are putting us at an overwhelming cybersecurity disadvantage.

Future In Review: See You There?

I’ll be talking about this paradox at Future in Review on a panel entitled: IT isn’t ready for IIoT with Steve Fey, CEO of Totem Building Cybersecurity; Anne Hardy, Chief Security Officer at Join Digital; and Derek Harp, Founder of CS2AI.


Responses

  1. https://www.fifthdomain.com/opinion/2019/08/01/how-to-best-protect-military-industrial-control-systems-from-cyberattacks/ Military IIoT vulnerabilities: “The Department of Defense relies on an estimated 2.5 million industrial control systems in more than 300,000 buildings for the real-time, automated monitoring and management of utility and industrial systems which support military readiness and operations. It is in our national interest to ensure these systems are safeguarded. However, they are highly vulnerable.”

