"What kind of firewall do I need for the HVAC system?" This was an actual question one of my clients, a cybersecurity professional, received from a facilities manager last year. My client didn't even know the heating, ventilation and air conditioning system needed a firewall until the call came in; apparently, the new HVAC system included smart sensors that were communicating across the corporate network. As for which firewall would be appropriate? He hadn't even begun to consider the problem.
The facilities manager was doing the right thing by checking. The problem was that my client didn't have the faintest clue that facilities was implementing IoT, much less have a predefined answer ready for that question, or have an IT/OT convergence strategy in place.
This scenario crystallizes the challenges of implementing IoT securely. Most enterprises don't have a unitary owner of IoT; IoT projects are typically split across business units, and the responsibility often falls to operational technology (OT) groups first, rather than to IT. IT teams are often the last to learn that a new IoT initiative has launched. And IT teams can't secure and manage something unless they first know it exists.
Although OT teams typically have a good understanding of the business requirements of an IoT initiative, where they're likely to be weak -- as the aforementioned scenario illustrates -- is in the area of infrastructure.
Like any technical initiative, IoT has requirements for networking, computing, storage, data management and, of course, security. The business units and operational technology folks are typically poorly equipped to understand, let alone deliver, these infrastructure components.
As indicated by the call to my client, OT teams typically only have the most rudimentary knowledge of the enterprise's cybersecurity architecture, framework and policies and how these all apply to IoT. IT, meanwhile, has only the most rudimentary understanding of which IoT initiatives are underway. This "air gap" must be addressed before enterprise technologists -- whether OT or IT -- can securely, quickly and effectively deploy IoT. But where to begin?
Close the 'air gap' with an IT/OT convergence strategy
The first step is organizational. IT and OT teams have to begin working together, which means spending time together, sharing information and aligning efforts. Our research at Nemertes found that organizations are most effective when IoT is led by an effective IoT evangelist, whether a corporate executive, such as the CIO, or a visionary business leader. This evangelist should be empowered to create a center of excellence or tiger team -- comprising IT, OT and business stakeholders -- which reviews projects and processes.
The second step is technical. Once that team is in place, it should develop a reference architecture for IoT infrastructure, including cybersecurity. It should specify companywide standards for IoT cybersecurity, networks, computing resources, storage and data management. Security questions to ask include the following:
- Which flavors of wireless connectivity are acceptable -- and secure enough -- for what types of sensors and monitors?
- Do virtual LANs provide adequate separation and security for IoT traffic?
- How is IoT data secured?
- Where should encryption happen?
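One way to make the answers to those questions concrete enough to test in the lab is to write the reference architecture down as data and derive both an audit check and a firewall policy from it. The following is an added example, not code from the original article or from Nemertes: the device classes, VLANs, addresses, approved ports and the observed flow records are all constructed for illustration, and the nftables output is one possible rendering of such a policy, not a vendor configuration the article describes.

```python
"""Added example (not part of the original article): an IoT reference
architecture expressed as data, then (1) checked against observed flows and
(2) rendered as nftables rules. All addresses, device classes and flows are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical reference-architecture decisions: each IoT device class lives
# on its own VLAN, may reach only named destinations, and only on ports whose
# protocol encrypts in transit (so encryption happens from the sensor onward,
# not somewhere downstream on the corporate network).
POLICY = {
    "hvac-sensor": {
        "vlan": ip_network("10.50.0.0/24"),
        "allowed": {ip_network("10.50.1.10/32"): {8883}},   # BMS broker, MQTT over TLS
    },
    "badge-reader": {
        "vlan": ip_network("10.51.0.0/24"),
        "allowed": {ip_network("10.51.1.20/32"): {443}},    # access-control server, HTTPS
    },
}


@dataclass(frozen=True)
class Flow:
    """One observed connection, e.g. from NetFlow or a span port (constructed)."""
    device_class: str
    src: str
    dst: str
    dport: int


def check_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one observed flow (empty if compliant)."""
    rule = POLICY.get(flow.device_class)
    if rule is None:
        return ["unknown device class"]
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    problems = []
    if src not in rule["vlan"]:
        problems.append(f"{flow.device_class} seen outside its VLAN {rule['vlan']}")
    dst_net = next((n for n in rule["allowed"] if dst in n), None)
    if dst_net is None:
        problems.append(f"destination {flow.dst} is outside the IoT segment")
    elif flow.dport not in rule["allowed"][dst_net]:
        problems.append(f"port {flow.dport} is not an approved (encrypted) service")
    return problems


def audit(flows) -> dict:
    """Map each non-compliant flow to its list of violations."""
    return {f: v for f in flows if (v := check_flow(f))}


def nft_ruleset(policy=POLICY) -> str:
    """Render the same decisions as an nftables forward chain: default drop,
    one accept per approved (source VLAN, destination, port), and a logged
    drop per VLAN so denied IoT traffic shows up in the SOC's logs."""
    lines = ["table inet iot_segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for name, rule in policy.items():
        for dst_net, ports in rule["allowed"].items():
            for port in sorted(ports):
                lines.append(f"    ip saddr {rule['vlan']} ip daddr {dst_net} "
                             f"tcp dport {port} accept  # {name}")
        lines.append(f'    ip saddr {rule["vlan"]} log prefix "iot-deny-{name} " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records: the HVAC sensors behaving, talking plain MQTT,
# reaching a corporate file server, and one sensor patched into the wrong VLAN.
OBSERVED = [
    Flow("hvac-sensor", "10.50.0.7", "10.50.1.10", 8883),   # compliant
    Flow("hvac-sensor", "10.50.0.7", "10.50.1.10", 1883),   # cleartext MQTT
    Flow("hvac-sensor", "10.50.0.7", "10.20.3.5", 445),     # corporate file server
    Flow("hvac-sensor", "10.20.0.9", "10.50.1.10", 8883),   # sensor on the corp VLAN
    Flow("badge-reader", "10.51.0.3", "10.51.1.20", 443),   # compliant
]

if __name__ == "__main__":
    for flow, problems in audit(OBSERVED).items():
        print(f"{flow.device_class} {flow.src} -> {flow.dst}:{flow.dport}: "
              + "; ".join(problems))
    print(nft_ruleset())
```

Two caveats a practitioner would want alongside this. First, the generated chain only sees traffic that crosses the router or firewall between VLANs; two devices on the same IoT VLAN can still talk to each other unless the switch enforces port isolation, so a VLAN answers the separation question only together with a policy like the one above. Second, the audit catches cleartext protocols only by port; a broker that accepts TLS on 8883 but is misconfigured to allow anonymous clients passes this check, which is exactly the kind of thing the lab validation in the next step is for.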
By developing a reference architecture and specifying standards, I mean providing actual technical validation, via hands-on testing, that the infrastructure delivers the right level of performance and security. We're talking about setting up a test lab in which candidate infrastructure components -- wireless options, segmentation schemes, encryption points -- can be shown to work effectively and securely before anyone depends on them. Then, when OT and business teams launch a new IoT initiative, they can select the right infrastructure with confidence rather than improvising, as the facilities manager's HVAC question forced my client to do.
The third step is operational. Once the reference architecture is developed, two problems remain. First, how does the organization continually refresh and update the architecture to keep current with evolving IoT technology? If the enterprise has an effective architecture process, IoT becomes just another facet of that architecture. If not, the enterprise will need to develop one.
Second, how does the organization clearly differentiate roles and responsibilities for operating IoT? Obviously, OT will want to maintain control of the business-specific components of an IoT initiative. Equally obvious, IT should maintain responsibility for infrastructure operations. But where, precisely, will IT and OT teams draw the line between business-specific components and infrastructure operations? The answer is specific to each IoT use, so there should be a process in an enterprise's IT/OT convergence strategy to clearly and quickly assign responsibilities and handoffs.
Implementing these three steps -- appointing an IoT evangelist, developing and validating an IoT infrastructure reference architecture, and addressing the challenges of updating architecture and sanely dividing the operations between IT and OT -- will help organizations quickly, effectively and securely deploy and operate IoT initiatives.