Addressing the Security Risks of Digital Transformation on IoT and OT With Deception

By Moshe Ben Simon | September 03, 2020

The current universal status for networks is "connected." Beyond traditional computing models, connectivity is the default status for mobile devices and a full range of Smart-X solutions, including cars and transportation systems, appliances, buildings, manufacturing floors, cities, and critical infrastructures. In fact, many of us live surrounded by IP-based sensors that keep us – and an astounding array of devices – connected and communicating.

You probably keep hearing terms like digital transformation and Industry 4.0, but both are visions and concepts in motion, with reference architectures, standards, and even definitions in a permanent state of flux. Indeed, the only permanent thing is change – and nowhere is that more relevant, or critical, than when it comes to IoT devices and OT networks because with connectivity comes risk.

Of course, sensors and devices were used to manage infrastructures (whether critical or non-critical) 10-15 years ago, when IP networks were already a fundamental part of the internet-connected universe. Medical devices, industrial control systems, manufacturing systems, energy grids, and building sensors have all been connected to IP networks for ages. 

What's Changed about OT? 

The answer is risk. Even while attached to networks, most OT solutions were protected because they were air-gapped from the corporate IT and public networks. Fifteen years ago, even though industrial sensors used IP networks to communicate, threat actors were more focused on the IT infrastructure, where they could get a bigger and faster return on their investment in malware. Going after a basic sensor deployed in an OT network was a lot of extra work – and for very little in return. And ransomware, which attackers now use to hold critical OT systems and IoT devices for ransom, didn’t really get going until 2005, and even then it primarily targeted end-user devices for years. In fact, there was still little interest in targeting SCADA or ICS systems until Stuxnet hit in 2010.

And because the functionality of OT sensors and early IoT devices was so simple, there was little to exploit. Protecting them primarily involved air-gapping the OT environment from the internet and putting a firewall in front of the OT network to keep IT folks out. Today, however, this has all changed. Those basic sensors have become "smart sensors," providing a wider variety of capabilities. IoT devices – or Industrial IoT (IIoT) in some environments – have also become more sophisticated. And at the same time, to generate more efficiencies and to ensure an agile response to new market demands, IT and OT networks and devices have begun to converge. All of this has made the OT attack surface more complicated to protect.

Understanding the Threat Landscape – IoT/OT Security Threats

Here are some of the primary security threats targeting IoT and OT systems and solutions:

  • IoT/OT sensors are increasingly being connected to IP networks that allow remote access, which means they can also be attacked over the internet from anywhere on the globe.
  • IoT and OT sensors use either a legacy operating system (on average, 10-15 years old) deployed in a delicate environment that cannot be taken down for updates or patches, or a proprietary OS that doesn’t allow the installation of security software. This makes it very difficult to apply the traditional security controls used on a regular IT asset.
  • Newer IoT and OT sensors now include a much more extensive range of capabilities, making them more attractive to threat actors. In addition, a new breed of attacker has emerged over the last decade. Hacktivists and cyberterrorists are willing to cause a high-profile breach with no financial gain – such as inflicting economic damage on a business or infrastructural damage to a country or region – to support a political agenda.
  • Many IoT devices are headless, which means there is no "Patch Wednesday" for them since they cannot be updated. Instead, organizations need to rely on proximity controls and zero-trust network access to provide protection.

Ever since the Stuxnet attack of 2010, OT networks have increasingly been under attack. We all remember the Mirai botnet, designed to compromise millions of IoT and OT devices worldwide to run a successful DDoS attack against the US internet infrastructure. OT-based cyber attacks have targeted national electrical grids, darkening the homes of hundreds of thousands of individuals. And targeted attacks by a nation-state actor against IoT/OT devices installed in the water pump stations of a middle-eastern country were an attempt to poison the water supply by increasing chlorine levels in water flowing to residential areas.

Using Deception to Protect Your OT Infrastructure

You are probably asking, if this is the new reality we live in, how can I protect my network from IoT and OT-based threats? Disconnect them? Update the firmware? Apply network access control? Apply network segmentation? The answer may be YES to any or all of those, depending on your circumstances. But there is another strategy that allows your organization to be much more proactive, and that is integrating deception technology into your current security stack. A proactive security approach, such as the use of deception technology, does not attack the attacker. Instead, it turns the attacker's own techniques and tactics against them. The idea is straightforward. Deception technology allows the IT team to “deploy” virtual fake assets across the infrastructure, which generate false data across your endpoints and servers. This fabricated network deceives threat actors, luring them away from your critical assets and preventing them from doing actual harm to your network. But more importantly, because all of your legitimate devices and workflows know that these assets are fake, only unauthorized users, devices, and applications will trigger them.

This strategy is especially effective in mature network environments. Adding deception strategies to SOC solutions, for example, enables IT teams to use deception as a "high fidelity alert source." Because deception technology alerts are only tripped by unauthorized users, devices, and applications, organizations can more effectively use them to establish automation around threat hunting capabilities and incident response.
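To make the two ideas above concrete (a fake asset that no legitimate workflow ever touches, and its alerts used as a high-fidelity source for SOC automation), here is an added example that is not part of the original article or of any Fortinet product: a minimal Modbus/TCP decoy that looks like a PLC, answers register reads with constructed values, and emits one JSON alert per connection. The register contents, port 5020, and the alert field names are assumptions chosen for the example.

```python
import json
import socket
import struct
from datetime import datetime, timezone

READ_HOLDING_REGISTERS, ILLEGAL_FUNCTION = 0x03, 0x01  # answered function / exception code
DECOY_REGISTERS = [1200 + 7 * i for i in range(64)]     # constructed "plausible PLC" values

def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then function code and data."""
    hdr = struct.unpack(">HHHBB", frame[:8]) if len(frame) >= 8 else None
    if hdr is None or hdr[1] != 0 or hdr[2] != len(frame) - 6:
        raise ValueError("malformed Modbus/TCP frame")
    return {"tid": hdr[0], "unit": hdr[3], "function": hdr[4], "data": frame[8:]}

def build_response(req: dict) -> bytes:
    """Answer register reads with canned values; reject anything else with an exception."""
    pdu = struct.pack(">BB", req["function"] | 0x80, ILLEGAL_FUNCTION)
    if req["function"] == READ_HOLDING_REGISTERS and len(req["data"]) == 4:
        start, qty = struct.unpack(">HH", req["data"])
        regs = DECOY_REGISTERS[start:start + qty]
        if 1 <= qty <= 125 and len(regs) == qty:
            pdu = struct.pack(">BB%dH" % qty, req["function"], 2 * qty, *regs)
    return struct.pack(">HHHB", req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu

def handle_probe(src_ip: str, frame: bytes) -> tuple:
    """Every frame is an alert (nothing legitimate talks to the decoy); reply if parseable."""
    try:
        req = parse_mbap(frame)
    except ValueError:
        req = {"tid": 0, "unit": 0, "function": None, "data": frame}
    alert = {"ts": datetime.now(timezone.utc).isoformat(), "source": "modbus-decoy",
             "severity": "high", "src_ip": src_ip, "unit_id": req["unit"],
             "function_code": req["function"], "payload_hex": req["data"].hex()}
    reply = build_response(req) if req["function"] is not None else b""
    return alert, reply

def serve_decoy(host: str = "0.0.0.0", port: int = 5020, max_conns: int = 1) -> None:
    """Listen like a PLC; print one JSON alert line per connection for the SIEM/SOAR."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((host, port))
        srv.listen()
        for _ in range(max_conns):
            conn, (src_ip, _) = srv.accept()
            with conn:
                alert, reply = handle_probe(src_ip, conn.recv(260))  # max ADU is 260 bytes
                print(json.dumps(alert))
                conn.sendall(reply)
```

Because the decoy has no legitimate clients, each printed alert line can be routed straight into an automated response playbook without the triage a normal IDS event would need.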

Even better, the best deception technologies not only protect against known threats, but are also able to detect, analyze, and defend against zero-day and other advanced attacks, often in real time. Deception technology enables a more proactive security posture by deceiving, detecting, and then defeating attackers, allowing the enterprise to return to normal operations.

Make Deception Technology Part of Your OT Security Strategy

Here are some key reasons why deception technology should be included in any security stack:

  1. It provides early post-breach detection, often before any severe damage can be done by downloaded malware.
  2. It reduces dwell time of a network breach – now more than six months – by detecting malware designed to quietly probe the network for vulnerabilities while evading detection.
  3. Because it is a failsafe system, meaning it only triggers when something misbehaves, it effectively reduces false positives.
  4. It can be deployed in most OT environments to gain visibility and control over IoT and other OT devices that cannot be protected using more traditional solutions.
  5. Good deception technology is highly scalable and has little to no impact on normal network performance.
  6. Setting up and managing a deception solution is simple, and the detection of threats is fully automated.

Deployed as part of the security stack, deception technology can act as a "high fidelity alerting source" to automate threat detection, response, and remediation.

Learn how Fortinet can help you extend security and maintain compliance in any ICS/SCADA-connected environment.