So much has changed since the creation of the TCP/IP stack. Work on the stack began in 1973 and the first public WAN was initiated in 1982 (see this timeline for a great point of reference). About a decade later network security solutions started appearing in response to various emerging threats.
The “first automated worm appeared on the ARPANET in 1988,” the same year CERT (Computer Emergency Response Team) came into existence. About this time a NASA employee is credited with creating the first “virtual firewall” in response to a virus.
“…before the 90s, the concept of having a network of computers was fairly uncommon. And, there was a considerably small number of people in the populace who even had access to the internet. So, security at that time was really not a major concern or focus.” – InformationSecurityBuzz
Fast Connectivity Led to Hyper Growth
The TCP/IP stack made it easy for millions and then billions of devices to connect over just a few decades, starting in the 1990s. Now we’re expecting more than 75 billion devices connected by 2025. It would be one thing if all of these connected devices were communicating on consolidated pipes where defense in depth could be enforced. But that’s not the case.
Hyper Growth has Led to Escalating Complexity and Stack Fatigue
That was then. This is now. While the high growth in connectivity is part of the security problem, the rise of complexity fostered by layers of manually-tuned solutions is driving up costs and demands for security skills well ahead of the supply. Hence the expression expense in depth (versus defense in depth) cited way back in 2012 when these problems were in their infancy, at least compared to today.
Want evidence of stack fatigue? A recent ESG survey found firms reporting problematic shortages of security skills increasing to more than half of those surveyed, up from 42% in 2015. No one is shocked anymore by the skills gap, even as the level of information security spending passes $114B in 2019: more devices + more manual processes = more skilled pro shortages.
“Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek. And for every ten cyber security job ads that appear on careers site Indeed, only seven people even click on one of the ads, let alone apply.” – Jeff Kauflin, The Fast-Growing Job With A Huge Skills Gap: Cyber Security – Forbes
As the gap grows between rising complexity and declining protection, CISOs are forced to expend larger levels of resources simply to preserve protection. Beyond the increase in high-profile (and unreported) successful attacks, there is yet another problem, CISO churn (see CISO careers: Several factors propel high turnover, by Mekhala Roy for SearchCISO):
If the CISOs aren’t demonstrating that their investments and controls are having a positive impact on the organization, their requests for larger budgets or reprioritization of business priorities become more challenging as the years progress, making another job opportunity more enticing.
OT/IT Convergence means New Potentials for Attack Vector Sprawl
Against this backdrop of rising complexity, declining protection, skill shortages and CISO turnover comes a new and potentially more lethal development: the convergence of entire networks of operationally critical one-to-many sensors and control infrastructures with the internet and already overwhelmed enterprise networks.
OT/IT convergence introduces a sprawl of attack vectors beyond anything a firewall or segmentation solution was ever architected to protect against, and that is the next challenge for the TCP/IP stack.
Wondering if your O/T project is at risk? Read more about the three warning signs of a smart building cyber security failure.
Remember the “dimes” scene from Blazing Saddles when a toll booth in the middle of the desert stops Hedley Lamarr’s army? It’s the ultimate attack vector metaphorical satire.
Perhaps TCP/IP was too good at its mission of establishing radical growth in connectivity, albeit with little regard to security. If so, then the convergence of OT/IT infrastructure won’t be well served by the extension of overtaxed information security infrastructure into complex, noisy and critical sensor and control infrastructures, many of which have never been (or cannot be) patched.
A “Grim Gap” between IT and OT Isolation Requirements
This point and others are well made in A Grim Gap, including conflicting processes and priorities between OT/IT, from security versus safety trade-offs to the nature of the devices connected, especially when it comes to common field devices and networks:
Weiss said he has repeatedly warned… existing cybersecurity and safety standards do not adequately address the security and authentication vulnerabilities of legacy field devices and their networks.
– Sonal Patel, A Grim Gap: Cybersecurity of Level 1 Field Devices, Power
Harbor Networks published a similar insight:
“The tools we are working with today to put sensors on networks were not designed to handle the diversity of devices becoming networked, the scope of new capabilities, the need to carefully manage power requirements, and the massive volume of data-points generated from device interactions.”
Yet Harbor acknowledges that a few players are flirting with a potential solution. That’s not very comforting as more building and industrial control systems are already being optimized with network and Internet connectivity.
If not TCP/IP layered with defense in depth for smart buildings (for example), then what? That’s the question, because anything that increases stack fatigue will only widen the gap and produce incremental, declining outcomes. So perhaps it needs to be augmented with a new layer developed for the new control systems and IIoT era.
Host Identity Protocol, anyone?
Check out, for example, what the team at a top Midwest university did to secure and isolate hundreds of smart buildings in days without having to add staff. Disclosure: I connected with the team at Tempered Networks late last year. It gave me the chance to meet the systems design specialist on the building automation team who used a microsegmentation solution based on Host Identity Protocol, a more modern protocol created within the aerospace and national security community to address TCP/IP security shortcomings. He has an amazing and timely story.
*** This is a Security Bloggers Network syndicated blog from ARCHIMEDIUS authored by Greg Ness. Read the original post at: http://feedproxy.google.com/~r/Archimedius/~3/-H_foIuRwnI/