The current universal status for networks is "connected." Beyond traditional computing models, connectivity is the default status for mobile devices and a full range of Smart-X solutions, including cars and transportation systems, appliances, buildings, manufacturing floors, cities, and critical infrastructures. In fact, many individuals live their lives surrounded by IP-based sensors that keep us – and an astounding array of devices – connected and communicating.
You probably keep hearing terms like digital transformation and Industry 4.0, but both are visions and concepts in motion, with reference architectures, standards, and even definitions in a permanent state of flux. Indeed, the only permanent thing is change – and nowhere is that more relevant, or critical, than when it comes to IoT devices and OT networks because with connectivity comes risk.
Of course, sensors and devices were used to manage infrastructures (whether critical or non-critical) 10-15 years ago, when IP networks were already a fundamental part of the internet-connected universe. Medical devices, industrial control systems, manufacturing systems, energy grids, and building sensors have all been connected to IP networks for ages.
What has changed is the risk. Even while attached to networks, most OT solutions were protected because they were air-gapped from the corporate IT and public networks. Fifteen years ago, even though industrial sensors used IP networks to communicate, threat actors were more focused on the IT infrastructure, where they could get a bigger and faster return on their investment in malware. Going after a basic sensor deployed in an OT network was a LOT of extra work – and for very little in return. And ransomware, which attackers now use to hold critical OT systems and IoT devices for ransom, didn’t really get going until 2005, and even then it primarily targeted end-user devices for years. In fact, there was still little interest in targeting SCADA or ICS systems until Stuxnet hit in 2010.
And because OT sensor and early IoT device functionality were so simple, there was little to exploit. Protecting them primarily involved air-gapping the OT environment from the internet and putting a firewall in front of the OT network to keep IT folks out. Today, however, this has all changed. Those basic sensors have now become "smart sensors," providing a wider variety of capabilities. IoT devices – or Industrial IoT (IIoT) in some environments – have also become more sophisticated. At the same time, to generate more efficiencies and to ensure an agile response to new market demands, IT and OT networks and devices have begun to converge. All of this has made the OT attack surface more complicated to protect.
Here are some of the primary security threats targeting IoT and OT systems and solutions:
Ever since the Stuxnet attack of 2010, OT networks have increasingly been under attack. We all remember the Mirai botnet, designed to compromise millions of IoT and OT devices worldwide to run a successful DDoS attack against the US internet infrastructure. OT-based cyber attacks have targeted national electrical grids, darkening the homes of hundreds of thousands of individuals. And targeted attacks by a nation-state actor against IoT/OT devices installed in the water pump stations of a Middle Eastern country were an attempt to poison the water supply by increasing chlorine levels in water flowing to residential areas.
You are probably asking: if this is the new reality we live in, how can I protect my network from IoT and OT-based threats? Disconnect them? Update the firmware? Apply network access control? Apply network segmentation? The answer may be YES to any or all of those, depending on your circumstances. But there is another strategy that allows your organization to be much more proactive, and that is integrating deception technology into your current security stack. A proactive security approach such as deception technology does not attack the attacker. Instead, it turns the attacker's own tactics and techniques against them. The idea is straightforward. Deception technology allows the IT team to “deploy” virtual fake assets across the infrastructure, which generate false data across your endpoints and servers. This fabricated network deceives threat actors, luring them away from your critical assets and preventing them from doing actual harm to your network. More importantly, because all of your legitimate devices and workflows know that these assets are fake, only unauthorized users, devices, and applications will trigger them.
This strategy is especially effective in mature network environments. Adding deception strategies to SOC solutions, for example, enables IT teams to use deception as a "high fidelity alert source." Because deception technology alerts are only tripped by unauthorized users, devices, and applications, organizations can more effectively use them to establish automation around threat hunting capabilities and incident response.
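The "high fidelity alert source" idea above can be shown as detection logic. The following is an added example, not code from the original post or from any vendor's product: it keeps a constructed inventory of decoy addresses, parses a constructed flow log, and treats any connection to a decoy from outside the deception platform's own management range as an alert, because nothing legitimate has a reason to touch a fake asset. The triage step then rates a source that touches more than one decoy higher than a single touch, which is the kind of rule a SOC could feed into automated incident response. All addresses, ports, decoy names and the log format are assumptions made for the example.

```python
"""Added example: using decoy assets as a high-fidelity alert source.

Any flow to a decoy that does not originate from the deception platform's
management range is, by construction, unauthorized, so every hit becomes an
alert without further tuning. Addresses, ports and log format are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed decoy inventory: destination IP -> decoy name (hypothetical).
DECOYS = {
    "10.20.30.40": "decoy-plc-01",    # fake PLC listening on Modbus/TCP
    "10.20.30.41": "decoy-hmi-01",    # fake HMI web console
    "10.20.30.42": "decoy-share-01",  # fake file share with fabricated project files
}

# Only the deception platform's management hosts legitimately touch decoys
# (health checks, decoy refresh). Hypothetical range.
AUTHORIZED_SOURCES = [ip_network("10.20.30.0/29")]

# Constructed flow-log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <action>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>allow|deny)$"
)


@dataclass(frozen=True)
class DecoyHit:
    ts: str
    src: str
    decoy: str
    dport: int
    action: str


def parse_flow(line):
    """Return the flow fields as a dict, or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def is_authorized(src):
    """True if the source sits in the deception platform's management range."""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)


def decoy_hits(lines):
    """Every flow to a decoy from a non-management source is a hit."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dst"] not in DECOYS:
            continue
        if is_authorized(rec["src"]):
            continue  # the platform itself knows the asset is fake
        hits.append(DecoyHit(rec["ts"], rec["src"], DECOYS[rec["dst"]],
                             int(rec["dport"]), rec["action"]))
    return hits


def triage(hits):
    """Group hits per source. A source touching several decoys looks like a
    sweep or lateral movement and is rated 'high'; a single touch is 'medium'.
    A denied flow still counts: the source picked a target only an intruder
    would pick."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h.src].add(h.decoy)
    return {src: {"decoys": sorted(d), "severity": "high" if len(d) > 1 else "medium"}
            for src, d in by_src.items()}


# Constructed sample flow log.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z TCP 10.20.30.2:44100 -> 10.20.30.40:502 allow",  # platform health check
    "2024-01-01T10:00:05Z TCP 10.50.1.17:51000 -> 10.50.1.20:443 allow",   # ordinary traffic
    "2024-01-01T10:01:10Z TCP 10.50.1.99:50200 -> 10.20.30.40:502 allow",  # unknown host -> decoy PLC
    "2024-01-01T10:01:12Z TCP 10.50.1.99:50201 -> 10.20.30.41:80 allow",   # same host -> decoy HMI
    "2024-01-01T10:02:00Z UDP 10.50.1.23:1234 -> 10.20.30.42:445 deny",    # blocked, still a decoy touch
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    found = decoy_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.decoy}:{h.dport} ({h.action})")
    for src, info in triage(found).items():
        print(src, info["severity"], ", ".join(info["decoys"]))
```

The point the example makes is that the allowlist is tiny and static (only the platform that manages the decoys), so the detection needs no baselining of normal behaviour; that is what makes the alert high fidelity compared with anomaly-based rules over the same flow log.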
Even better, the best deception technologies not only protect against known threats, but are also able to detect, analyze, and defend against zero-day and other advanced attacks, often in real time. Deception technology enables a more proactive security posture by deceiving attackers, detecting them, and then defeating them, allowing the enterprise to return to normal operations.
Here are some key reasons why deception technology should be included in any security stack:
Deployed as part of the security stack, deception technology can act as a "high fidelity alerting source" to automate threat detection, response, and remediation.
Learn how Fortinet can help you extend security and maintain compliance in any ICS/SCADA-connected environment.