How Security Can Keep Pace as IT and OT Converge
The IoT is rapidly maturing, and we’re seeing new use cases emerge every day. It’s transforming health care with applications like patient monitoring and medication delivery. It’s improving manufacturing by accelerating processes and minimizing downtime with predictive analytics and maintenance. It’s also fueling sustainability and efficiency in the energy space and many other industries. Gartner has predicted that more than 25 billion IoT systems will be in use by the end of this year.
As more IoT applications reach maturity, they are driving exciting outcomes across every industry. However, at the same time, the rise of IoT is putting a new focus on operational technology (OT)—and reminding us that security must be part of any successful OT strategy.
Security Challenges Span IT and OT
The power of IoT applications and devices lies in their ability to gather real-time data from the network edge. Although the use cases are highly diverse, IoT applications and devices share three common security challenges. They must:
- Authenticate connections
- Secure the data they are collecting and transmitting
- Ensure code and operational integrity
For cybersecurity teams looking to safeguard their users, customers and data, these IoT challenges extend across a wide range of environments. Organizations must manage not only IT security but also OT security. OT security presents several specific new challenges that aren’t usually associated with IT security but are nevertheless important for security teams to consider.
By its nature, the IoT extends beyond the usual network perimeter into many types of environments, which might include robots on the manufacturing line, smart commercial buildings, traffic intersections, agricultural fields, hospitals or even space. Many of these environments present unique challenges for managing security because it is difficult to communicate securely with devices in the field.
Another challenge unique to OT is that many of these devices are extremely lightweight and power-efficient. Although these lightweight devices are great for mobility, they often have varying levels of computational power, which can limit the types of security protections they can use. In traditional IT security, limited computation or battery power doesn’t present itself as a challenge.
Finally, organizations must gain insight into and fully secure all the components within their devices. IoT applications are based on increasingly complex devices made up of bundles of hardware, software and firmware, and it’s becoming increasingly difficult to ensure that all these components are secure and can be trusted. A software bill of materials (SBOM) could document all code used in the solution, including custom-developed and open source code, to help ensure its security and reliability.
Code signing certificates are another robust mechanism to help maintain the integrity of software and make sure it is not compromised. However, it’s important to note that code signing is less effective without tightly controlled secure processes. A robust code-signing-as-a-service solution can help organizations maximize their visibility into processes and let them use automation to accelerate signing processes and minimize manual steps. Standardizing workflows for code signing and creating separate keys for specific teams can further reduce risk.
Safeguarding IT and OT With PKI
PKI is a security control that is used in both IT and OT environments. As these worlds converge for security teams, PKI is a great starting point to unify the security approaches in an organization across IT and OT. There are many benefits that come from centralizing and uniting an organization’s PKI practices.
PKI delivers the high level of trust that is essential to support a wide variety of uses in both IT and OT environments for organizations.
In IT environments, PKI can support use cases such as:
- Wi-Fi authentication
- Secure email
- Secure remote access (VPN)
- Document signing
- Code signing
- Network access control
- Web authentication
- Smart cards
For OT, PKI use cases include:
- Network and server authentication
- Device-to-device authentication
- Device-to-gateway authentication
- Encryption of data in transit
- Code signing
- Secure firmware updates
However, like any technology, PKI is not without risks, especially when it is not correctly managed. Organizations may be unaware of which certificates are in use across their environments. Even if they do have a sense of the certificates in use, they may not know when those certificates will expire. Organizations also need the ability to revoke and replace certificates when processes or organizations change.
In a recent DigiCert survey, 47% of enterprise IT professionals surveyed said they run across rogue certificates frequently. And as the number of certificates in use grows, potential issues escalate. The typical enterprise in this study currently manages 50,000 certificates, and 37% have more than three departments managing them.
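The gaps described above (certificates nobody knows about, unknown expiry dates, and managed certificates that may need revocation) can be surfaced by comparing what a network scan observes against the managed inventory. The following is an added example, not code from the article or from any vendor product; the record fields, serial numbers, issuer names, hostnames and the 30-day warning window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article): serial -> owning team.
# Assumption: serials are unique here; a real inventory would key on
# issuer + serial or on the certificate fingerprint.
INVENTORY = {"0A01": "it-network", "0A02": "ot-plant", "0A03": "ot-plant"}
APPROVED_ISSUERS = {"Example Corp Issuing CA"}

# Constructed scan results: certificates actually presented by endpoints.
DISCOVERED = [
    {"serial": "0A01", "issuer": "Example Corp Issuing CA",
     "not_after": "2030-01-15", "endpoint": "vpn.corp.example:443"},
    {"serial": "0A02", "issuer": "Example Corp Issuing CA",
     "not_after": "2025-03-10", "endpoint": "plc-gw-7.plant.example:8883"},
    {"serial": "7F99", "issuer": "Self-Signed Lab CA",
     "not_after": "2024-12-01", "endpoint": "hmi-3.plant.example:443"},
]


def audit(discovered, inventory, approved_issuers, now, warn_days=30):
    """Return sorted (serial, finding) pairs for certificates needing action."""
    findings = []
    seen = set()
    warn_until = now + timedelta(days=warn_days)
    for cert in discovered:
        serial = cert["serial"]
        seen.add(serial)
        expires = datetime.strptime(cert["not_after"], "%Y-%m-%d").replace(
            tzinfo=timezone.utc)
        if serial not in inventory:
            findings.append((serial, "rogue: not in managed inventory"))
        if cert["issuer"] not in approved_issuers:
            findings.append((serial, "issuer not approved"))
        if expires <= now:
            findings.append((serial, "expired"))
        elif expires <= warn_until:
            findings.append((serial, "expires within window"))
    # Managed certificates that no scan observed: candidates for revocation review.
    for serial in inventory.keys() - seen:
        findings.append((serial, "managed but not observed"))
    return sorted(findings)


if __name__ == "__main__":
    as_of = datetime(2025, 2, 20, tzinfo=timezone.utc)  # fixed date for the sample
    for serial, finding in audit(DISCOVERED, INVENTORY, APPROVED_ISSUERS, as_of):
        print(serial, finding)
```

Passing the evaluation date in as `now` keeps the audit reproducible and lets the same function be run against historical scan snapshots.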
Unleashing PKI With Centralized Management
Deploying a platform that supports centralized management at scale can help organizations realize the full benefit of PKI in IoT use cases. A centralized management solution can provide the automation to support massive numbers of users while supporting automated renewals. It can provide visibility and audit capabilities that organizations need to fully understand the scope and state of their PKI deployment. It can also offer control via revocation and rights management, so organizations can keep pace with fast-changing business needs.
A successful PKI initiative requires coordination and harmonized practices. Managing disparate PKI certificates is challenging, especially in large enterprises with diverse business units—each with its own separate PKI initiatives. With a centralized approach, these organizations can establish a single organizational policy to govern all their certificates and assure consistent deployment and management.
There’s no doubt that the IoT will continue to expand and evolve at an accelerated pace. With a centralized, consistent approach, organizations can implement a winning strategy that addresses the unique security challenges of IT and OT.