How Security Can Keep Pace as IT and OT Converge

The IoT is rapidly maturing, and we’re seeing new use cases emerge every day. It’s transforming health care with applications like patient monitoring and medication delivery. It’s improving manufacturing by accelerating processes and minimizing downtime with predictive analytics and maintenance. It’s also fueling sustainability and efficiency in the energy space and many other industries. Gartner has predicted that more than 25 billion IoT systems will be in use by the end of this year.

As more IoT applications reach maturity, they are driving exciting outcomes across every industry. However, at the same time, the rise of IoT is putting a new focus on operational technology (OT)—and reminding us that security must be part of any successful OT strategy.

Security Challenges Span IT and OT

The power of IoT applications and devices lies in their ability to gather real-time data from the network edge. Although the use cases are highly diverse, IoT has three common security challenges. They must:

  • Authenticate connections
  • Secure the data they are collecting and transmitting
  • Ensure code and operational integrity

For cybersecurity teams looking to safeguard their users, customers and data, these IoT challenges extend across a wide range of environments. Organizations must not only manage IT, but OT security. OT security presents several specific new challenges that aren’t usually associated with IT security—but are nevertheless important for security teams to consider.

By its nature, the IoT extends beyond the usual network perimeter boundaries into many types of environments that might include robots on the manufacturing line, in smart commercial buildings, traffic intersections, agriculture fields, hospitals or even space. Many of these environments present unique challenges for managing security, due to the difficulty of securely communicating with the device in the field.

Another challenge unique to OT is that many of these devices are extremely lightweight and power-efficient. Although these lightweight devices are great for mobility, they often have varying levels of computation power; that can limit the types of security protections they can use. In traditional IT security, limited computation or battery power doesn’t present itself as a challenge.

Finally, organizations must gain insight and fully secure all the components within their devices. IoT applications are based on increasingly complex devices made up of bundles of hardware, software and firmware, and it’s becoming increasingly difficult to ensure that all these components are secure and can be trusted. A software bill of materials (SBOM) could document all code used in the solution, including custom-developed and open source code, to help ensure its security and reliability.

Code signing certificates are another robust mechanism to help maintain the integrity of software and make sure it is not compromised. However, it’s important to note that code signing is less effective without tightly controlled secure processes. A robust code-signing-as-a-service solution can help organizations maximize their visibility into processes and let them use automation to accelerate signing processes and minimize manual steps. Standardizing workflows for code signing and creating separate keys for specific teams can further reduce risk.

Safeguarding IT and OT With PKI

PKI is a security control that is used in both IT and OT environments. As these worlds converge for security teams, PKI is a great starting point to unify the security approaches in an organization across IT and OT. There are many benefits that come from centralizing and uniting an organizations PKI practices.

PKI delivers the high level of trust that is essential to support a wide variety of uses in both IT and OT environments for organizations.

In IT environments, PKI can support use cases such as:

  • Wi-Fi authentication
  • Secure email
  • Secure remote access (VPN)
  • Document signing
  • Code signing
  • Network access control
  • Web authentication
  • Smart cards

For OT, PKI use cases include:

  • Network and server authentication
  • Device-to-device authentication
  • Device-to-gateway authentication
  • Encryption of data in transit
  • Code signing
  • Secure firmware updates

However, like any technology, PKI is not without risks—especially when it is not correctly managed. Organizations may be unaware of which certificates are in use throughout their organizations. Even if they do have a sense of the certificates in use, they may not know when certificates will expire. They also require the ability to revoke and replace certificates when processes or organizations change.

In a recent DigiCert survey, 47% of enterprise IT professionals surveyed said they run across rogue certificates frequently. And as the number of certificates in use grows, potential issues escalate. The typical enterprise in this study currently manages 50,000 certificates and 37 percent have more than three departments managing them.

Unleashing PKI With Centralized Management

Deploying a platform that supports centralized management at scale can help organizations realize the full benefit of PKI in IoT use cases. A centralized management solution can provide the automation to support massive numbers of users while supporting automated renewals. It can provide visibility and audit capabilities that organizations need to fully understand the scope and state of their PKI deployment. It can also offer control via revocation and rights management, so organizations can keep pace with fast-changing business needs.

A successful PKI initiative requires coordination and harmonized practices. Managing disparate PKI certificates is challenging, especially in large enterprises with diverse business units—each with its own separate PKI initiatives. With a centralized approach, these organizations can establish a single organizational policy to govern all their certificates and assure consistent deployment and management.

There’s no doubt that the IoT will continue to expand and evolve at an accelerated pace. With a centralized, consistent approach, organizations can implement a winning strategy that addresses the unique security challenges of IT and OT.

Avatar photo

Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.

mike-nelson has 20 posts and counting.See all posts by mike-nelson