by Earl Perkins | May 22, 2014 | 4 Comments
I think that after a few years of incessant media coverage of every conceivable way our critical infrastructure can be compromised, many people within and outside of operational technology (OT) firms are likely to be desensitized to the problems outlined: taking down power grids for millions, disabling water and sewage treatment plants, diverting trains into disastrous collisions, destroying sensitive medical devices, opening oil and gas pipelines, stopping assembly lines. The list just keeps growing. Desensitization to all of this news would be unfortunate, since we do need people who remain sensitive to the risk without wallowing in despair over the scale and occasional drama associated with the problem.
At the heart of it all is the realization that (a) the number and type of systems that can be compromised are more vast than we perhaps previously envisioned; (b) the increasing complexity of new technologies and their integration and interaction increases the threat surface and the opportunity for compromise; and (c) what can actually be done to mitigate or prevent some of these threats from becoming reality is nowhere near as exciting to talk and write about as the threat itself. We appear to be a society long on admiring problems and their consequences and short on providing good news about what can be done to solve them. Let’s take a look at just a few simple, positive activities taking place that will help an enterprise build an effective security and risk management plan for its IT/OT infrastructure.
1- The majority of the problems that have already been reported could have been prevented without new, sophisticated technologies. Instead, old-fashioned best practices in security and risk management (practiced for years), applied consistently across the enterprise, would have prevented many of the headlines from being written. These practices include a top-down, risk-driven governance process; effective communications across engineering, management and operations; and simple techniques applied to the use of threat intelligence, detection and response, access control and vulnerability management (among other domains). They include having a security architecture with defined controls across all layers of IT and OT infrastructure: data, application, system, network and endpoint. They include a balance between prevention and detection that allows for reduced response times to compromises. Proven security and risk practice has been documented and available for a very long time. What has been missing is an appreciation of the risks taken in continuing without it and the mandate or will to apply it in many enterprises;
2- There are existing points of integration between IT and OT security that are available today, and using them as a starting point to engineer, manage and operate security requirements is efficient, cost-effective and can deliver immediate early benefits against the threats described. One of those points is the network. For decades, IT and OT network architects, engineers, managers and administrators have worked together. In some cases they have shared network protection assets. In other cases they have provided support and maintenance for one another in key security areas. Unlike other areas of IT and OT, most OT-centric enterprises have network teams that as a rule respect and trust one another, a key criterion for moving forward quickly in securing OT infrastructure. Ensure that your network planners play a key role in implementing IT/OT security process and technology early in the program;
3- There are a number of excellent forums for OT security and risk planning, management and operations information, and that number is growing monthly. Not only are such resources as ICS-CERT and vendor-sponsored reports and services available to report threat information, but there are peer forums, frameworks, checklists, templates and other information sharing and guidance tools available to enterprises that seek to improve their security and risk management posture. Most enterprise planners know how to filter out vendor-marketing speak for some of the available resources. Most of these resources cost nothing but the time to access and use them. In fact, if there is a problem with this activity it may be that there are almost too many resources, and sometimes enterprise planners have difficulty knowing where to start. That is a good problem to have, considering the alternative. Gartner can assist you in finding, filtering and using our tools as well as other available tools to assist in building or managing your security and risk management program;
4- There are signs of progress in the development of risk frameworks that encompass a more holistic view of security for the enterprise, where IT, OT and physical security considerations are incorporated into a more comprehensive digital security model for assessing, addressing and managing enterprise risk. More comprehensive and complementary security controls are being defined. Major industry players in security and risk management are moving to acquire companies that incorporate OT security functionality into existing IT security, and to create partnerships with other providers to ensure that this comprehensive idea of digital security is addressed according to industry-specific and process-specific requirements. It is still early, but the momentum is there and OT-centric enterprises can expect better assistance soon.
Yes, the sky is dark. Yes, there are real threats, real problems, real risks. No, the sky is not falling. The news isn’t all bad. There are ways to address these threats. Keep that in mind the next time you read the next scary story about OT security.
Category: Cybersecurity Operational Technology OT Security Security Tags:
by Earl Perkins | April 9, 2014 | 3 Comments
One significant milestone in operating system history occurred yesterday: the end of official support for Microsoft Windows XP. As with many in the industry, it got me thinking about the implications for specific OT-centric industries. I spent over a decade in the electric utility business before becoming an analyst, so my attention naturally turned to my colleagues in that industry. There has been much concern of late about the security of the “smart grid” (a catch-all phrase used by many in the media to denote the more complex web of services provided by the utility industry). I was recently approached by some in the business media to comment on the end of Windows XP support, particularly since a number of systems within utilities depend upon XP for some critical functions. Listed below are some of the observations and suggestions that I provided to them. I reproduce them here for your consideration as well. For those of you in other industries, I don’t think it would be hard to extrapolate similar observations in light of how you use Windows XP in your industrial control and automation environments.
1- Utilities are likely to be concerned less about the security or system management implications of the end of XP maintenance than about the implications for regulatory compliance. Most utilities fall under the NERC CIP (North American Electric Reliability Corporation – Critical Infrastructure Protection) standards, now at version 5. Utilities are accustomed to providing rather detailed regulatory compliance audit reporting to prove compliance with the regulation. They are currently reviewing what this end of maintenance may mean for the interpretation of areas related to change and configuration management. Many consulting firms and major vendors in the utility product/service markets are gearing up to aid utilities in evaluating the implications and taking steps to address them;
2- Windows XP isn’t the only outdated operating system in use in utilities. There are a significant number of old, unsupported UNIX and Linux OS versions running in utilities throughout the world, though few of them have the presence or impact that Microsoft’s announcement has for XP users. The main point that I made in earlier notes is that the OS environments in operational technology (OT) for control and automation change much less often than in IT environments because of utility needs for high reliability, availability and safety. Ironically, when patches are applied in these environments it is often as much out of concern for system stability as for vulnerability. But these systems are frequently (a) highly customized from the original, out-of-the-box environment; (b) hardened via some fairly impressive network segmentation and security as a general rule; (c) devoted to very specific OT uses, and not used as a general-purpose OS for multiple internal users; and (d) monitored closely by engineers keen on keeping the systems reliable. There are frequently backups for these systems as well;
3- Though the end-of-life of maintenance will raise future planning concerns for utilities, the fact is that, as a general rule, they won’t be able to update or replace these systems easily or quickly. Modernization and update of such systems occurs more slowly due to the critical real-time, event-driven nature of some of the systems, and developing a project to switch over a system built for high availability will be non-trivial.
There are some relatively straightforward steps that utilities can take to prepare, and most utilities have already started implementing these (and others), or are in the process of doing so. Those steps include:
- Ensure you have an accurate inventory of where Win XP systems are deployed, complete with historical information regarding length of service, hardware configurations, network connectivity, remote access, users and their credentials—all of the normal detail associated with technical or risk assessments;
- Employ a risk analysis to get a sense of “prioritization” with those systems dependent upon Win XP, i.e. which ones pose the most significant risk to the utility, which ones are most-to-least complex in current configuration and in possible replacement;
- Review current regulations regarding change management and determine with a level of assurance the impact of this deadline on current efforts to comply with NERC CIP;
- Evaluate the current market for any options related to extending the lifetime of Win XP systems while you plan the next steps of the process.
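The inventory and prioritization steps above can be made concrete. The following is an added example (not code from the original post or from Gartner) showing one way to work through the first two steps: parse an asset inventory, pick out the Windows XP hosts, and rank them by exposure so the riskiest get replacement or compensating controls first. The CSV layout, the hostnames and the scoring weights are all assumptions for illustration; a real utility would export the inventory from its asset register or passive network-discovery tooling and tune the weights to its own NERC CIP asset classification.

```python
"""Rank Windows XP hosts in an OT asset inventory by exposure.

Added example. The inventory rows, column names and weights below are
constructed for illustration and are not data from any real utility.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory (assumed layout). Columns mirror the detail the
# post asks for: length of service, network connectivity, remote access,
# function, and whether a backup exists.
INVENTORY_CSV = """\
hostname,os,zone,remote_access,function,in_service_years,backup
hmi-01,Windows XP SP3,control,no,HMI,9,yes
eng-ws-02,Windows XP SP2,control,yes,Engineering workstation,11,no
hist-01,Windows Server 2008,dmz,yes,Historian,5,yes
hmi-03,Windows XP SP3,dmz,yes,HMI,8,no
lab-07,Windows XP SP3,corporate,no,Test bench,6,yes
rtu-gw,Linux 2.4,control,no,Protocol gateway,12,yes
"""

# Assumed weights. Placement in the control zone and remote access count
# most, because they turn an unpatchable OS into a reachable one.
ZONE_WEIGHT = {"corporate": 1, "dmz": 3, "control": 4}
FUNCTION_WEIGHT = {
    "HMI": 3,
    "Engineering workstation": 4,  # typically holds project files and credentials
    "Historian": 2,
    "Test bench": 0,
}


@dataclass
class Host:
    hostname: str
    os: str
    zone: str
    remote_access: bool
    function: str
    in_service_years: int
    backup: bool


def parse_inventory(text: str) -> list[Host]:
    """Parse the CSV inventory into Host records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Host(
            hostname=row["hostname"],
            os=row["os"],
            zone=row["zone"],
            remote_access=row["remote_access"].strip().lower() == "yes",
            function=row["function"],
            in_service_years=int(row["in_service_years"]),
            backup=row["backup"].strip().lower() == "yes",
        )
        for row in reader
    ]


def is_windows_xp(host: Host) -> bool:
    """Match any XP build regardless of service pack."""
    return host.os.strip().lower().startswith("windows xp")


def risk_score(host: Host) -> int:
    """Additive exposure score; higher means address sooner."""
    score = ZONE_WEIGHT.get(host.zone, 2)          # unknown zone: middling weight
    score += FUNCTION_WEIGHT.get(host.function, 1)
    if host.remote_access:
        score += 3                                 # reachable from outside its zone
    if not host.backup:
        score += 2                                 # recovery after compromise is harder
    if host.in_service_years >= 10:
        score += 1                                 # old hardware: replacement is harder
    return score


def prioritise_xp_hosts(text: str) -> list[tuple[str, int]]:
    """Return (hostname, score) for every XP host, riskiest first."""
    xp_hosts = [h for h in parse_inventory(text) if is_windows_xp(h)]
    ranked = sorted(xp_hosts, key=lambda h: (-risk_score(h), h.hostname))
    return [(h.hostname, risk_score(h)) for h in ranked]


if __name__ == "__main__":
    for name, score in prioritise_xp_hosts(INVENTORY_CSV):
        print(f"{name:12s} score={score}")
```

The output is deliberately a ranked list rather than a pass/fail: the point of the second step in the post is to decide which XP dependencies to tackle first, and a remotely reachable engineering workstation in the control zone with no backup should come well ahead of an isolated test bench.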
I can say to you in summary that the end-of-life of XP maintenance is a matter of concern for utilities and the smart grid in general, but in the scheme of other concerns, I don’t believe it represents the largest one, nor do I believe that the smart grid will be less secure tomorrow than it is today as a result of the change. I consistently see that most of the problems related to securing these environments arise from not following very basic, tried-and-tested policy and process for securing the infrastructure, and managing stable OS environments is part of that policy and process.
The OT-centric industry has some formidable challenges ahead, and this is but one of several.
Category: Operational Technology OT Security Security Tags: electric utilities, industrial automation, industrial control, operational technology, OT, OT security, Windows XP
by Earl Perkins | March 28, 2014 | 4 Comments
In my previous blog I took some time to explain the differences between what Gartner has referred to as operational technology (OT) systems and the Internet of Things (IoT). The announcement on March 27 by some significant technology companies regarding the Industrial Internet Consortium (IIC) highlights this discussion about precision in language. For AT&T, Cisco, General Electric, IBM and Intel to work to a common OT and IoT script is significant, if that is what is happening. Let’s examine this move and its effect on OT and the IoT industry.
Terms such as the “Industrial Internet” or the “Industrial Internet of Things” (IIoT) have been in the media and in marketing materials for some time now. Most companies recognize that an inflection point in technology use is taking place, and I think the IIC wants to call attention to the change and the need for action as a result. While I believe it is important to have a term or phrase that catches the eye of decision-makers affected by OT and the IoT, it is important that the phrase reflect accurately what a company or service provider is attempting to sell. If the purpose of the phrase “Industrial Internet of Things” is to (1) capture buyer attention and (2) once captive explain what it means and how the IIoT affects the buyer’s business, that’s fine. I’m concerned about whether or not that second step will actually occur and if the consortium’s message yesterday and during the briefing reflects that intent.
OT has existed in enterprises and in the market far longer than the IoT. I sometimes say that OT was using IoT architecture and technology before it was cool to talk about the IoT. The industrial control and automation world built fit-for-purpose systems with technology that used RFID tags, M2M communications, embedded systems, sensors, wireless communications and other IoT components for literally decades. The IIoT can be considered the next generation of OT architecture and technology that will update and extend OT functionality, utilizing IoT use cases and technology improvements. The Industrial Internet is OT Version 2. The IIoT is the industrial subset of the IoT. In addition to the IIoT, the IoT has grown to span all industry sectors, serving consumers and commercial industries such as financial services and insurance as well.
So why am I focused so much on this terminology? After all, as Shakespeare wrote, “O, be some other name! What’s in a name? That which we call a rose by any other name would smell as sweet.” The primary reason I wanted to introduce our view of these terms is to address some soft spots in the IIC mission. The key word here is “industrial”. Attempting to link areas such as financial trading to “industrial” concerns is indirect at best, and asset monitoring is a universal concern, not one associated only with industrial systems. I know the case can be made that there is a little “industrial” technology in every business sector, but let’s stay focused. The IIC’s primary mission is for industrial companies. OT is heavily influenced by “cyberphysical” needs, physical assets in industrial environments: the turbines in power plants, the assembly lines of automobile companies, even the stop lights in transportation systems. Personal consumer electronics and systems supporting traditional IT don’t need new cheerleaders. Of course, there will be “cross-over” areas such as ATMs and point-of-sale systems in commercial environments, connected home technologies, and solutions in health care; these are the sectors I referred to above as having some industrial infrastructure. I suppose they could be considered to some degree as “industrial”. But my concern is for any consortium, no matter how big or how prestigious, trying to bite off literally more than it can chew. The only ‘real’ industrial partner in the consortium at this point is GE (and arguably AT&T). The rest are decidedly IT-centric, so the desire to make the IIoT more “inclusive” is understandable. But there is plenty of opportunity on the industrial side without trying to make more of it than necessary. The IIC is not a standards-setting consortium, but it can no doubt influence standards in OT by being first to support and first to adopt. While a reference architecture is described, no timeline has been given for it.
The executive director of the IIC (also CEO of the Object Management Group, or OMG) envisions the industrial internet as encompassing everything that needs a more robust Internet, not only those elements that can realize OT v2 for industries. I find that to be a bit of a stretch. The industrial piece of the IIC’s mission will keep them busy enough for a long time to come. It’s ok to help out less industrial sectors, but our advice would be to try to stay focused.
There are several things that are good about this announcement. One, it continues to highlight the fact that OT needs are rising to the level of visibility within IT-dominated enterprises. Having IT firms and an OT firm of such caliber together underscores the importance of the architecture and technology of the IoT to the future evolution of OT, though more OT-driven firms need to join to ensure the vision and direction doesn’t become too, well, IT-centric. In the area of OT security, many needs are NOT the same as IT. The IoT will also pose new and different security challenges from those of IT; ask the OT architects and engineers who are already familiar with many of those challenges. The Industrial Internet Consortium is positioned to make a positive contribution to leveraging the technologies of OT and the IoT, but actions will speak louder than words. Time will tell if this moves beyond a marketing and awareness campaign to something more substantive.
Category: Internet of Things Operational Technology OT Security Security Tags: critical infrastructure, industrial automation, industrial control, industrial internet, Industrial Internet Consortium, Industrial Internet of Things, IoT, OT
by Earl Perkins | March 14, 2014 | 5 Comments
In a previous blog, I wrote of the terminology that we use when describing security for the Internet of Things, or IoT (“Getting Past the Word Games to Secure the Internet of Things”). In that blog I also mentioned that I would write about operational technology (OT) security as well.
Gartner defines OT in industrial areas as “hardware and software that detects or causes a change, through the direct monitoring and/or control of physical devices, processes and events.” In the world today you see many different examples of OT: industrial control systems (ICS), industrial automation, process control networks (PCN), distributed control systems, and more. You have also seen terms such as SCADA (“Supervisory Control and Data Acquisition”), a prominent management system for OT. As we’ve written in blogs in previous years, there is an entire universe of technologies that IT professionals know little about unless they happen to support such environments in enterprises that are involved with OT. There are many enterprises engaged with OT, from energy and utilities, oil and gas, chemicals, manufacturing and transportation to health care, pharmaceuticals, aerospace and defense, and more. In IT, our primary deliverable is information. We use applications, databases, networks and systems to ultimately derive information to make business decisions. Information is also used in OT environments, but the reason Gartner uses the word “operational” in OT is that information is used for purposes other than just decision making. One of the main purposes is to change the “state” of the environment around an OT device, or the state of the OT device itself.
OT applications, hardware and networks historically followed a different development path from IT, resulting in platforms and protocols that IT professionals may recognize in principle only. The terminology for many of the systems is different, though they may look familiar. The vendors and service providers are frequently different. Many can argue that OT actually came first, in the form of mechanical, analog devices dating back to uses in the 19th century, before the advent of general-purpose computers. In any case, we have IT environments and OT environments today in enterprises, managed separately. This also means that we have IT security concerns and OT security concerns frequently addressed by different organizations. The question is, are IT and OT the same, or are there particular differences in the way we secure OT environments? Gartner believes there is an 80/20 rule of thumb in the answer: 80% of the security issues faced by OT are almost identical to IT, while 20% are unique and cannot be ignored. The 80% figure is due in no small part to the adoption of IT technologies by OT over time.
Gartner’s definition of OT security is “practices and technologies used to (a) protect people, assets and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems.” We believe that there are many aspects of OT security that are the same as IT security, particularly in areas such as the network. We also believe that there are major movements in the industries to use IT security architecture and IT security platforms increasingly in OT environments, as OT infrastructure and applications are gradually upgraded as needed. In a sense, the industries are bringing some of the IT security “sins” of the past into the OT environment. In another sense, there remain unique requirements in OT that will require special approaches to security. We’ll write more about those similarities and differences in a future blog, because they are important.
But where does OT security fit (if anywhere) in the discussion about the Internet of Things? Are they one and the same, or is OT something completely different? Even more importantly, should you care?
Yes, you should care, and yes, OT and the IoT are related. In a sense, OT is the “first generation” of the IoT, one specifically designed for industrial use, often in long-term deployments, whose endpoints are found in industrial environments, from aircraft to automobiles, from assembly lines to airports. OT and IoT do share many of the same underlying components: sensors, actuators, meters, machine-to-machine communications, and embedded systems. OT historically has mechanical origins for many of its systems (though it is now primarily digital), whereas the IoT is rooted almost entirely in digital architecture.
As a decision maker, you should care about OT and IoT similarities and differences because many of your security decisions will be affected by the use of those building components, arranged in different ways for different industrial, commercial and consumer solution scenarios. There will be common vendors in the OT and IoT worlds. There will be mixed OT/IoT scenarios from service providers such as telecommunications and multi-media. OT can be considered a subset of the IoT in the same manner some refer to OT as the “industrial Internet”, or the “industrial IoT”. Just remember that not all security scenarios for OT apply to the IoT and vice versa.
Regulatory uncertainty and global concerns about the security of OT systems are fueling the interest in OT security solutions. These concerns are even more urgent than the more nebulous, generalized concerns discussed about securing the IoT, because many OT environments have direct, immediate impacts on people and the environment. OT failures (due to security failures) literally have the capacity to kill or maim and can have severe environmental impact. That is quite different from concerns about the loss of data or even the impact on corporate brand from compromises of many IT environments.
In future blogs we will explore OT security in more detail. If your company is involved in providing OT security or in using OT security systems, Gartner would be interested in hearing from you regarding your products, services and/or experiences. This is particularly true if you are a vendor or service provider intent upon addressing some of the unique 20% differences in OT currently not addressed by IT security products and services.
Don’t be a stranger.
Category: Internet of Things Operational Technology OT Security Security Tags: CIP, critical infrastructure protection, distributed control, industrial automation, industrial control, Internet of Things, IoT, OT, OT security, process control networks
by Earl Perkins | March 5, 2014 | 7 Comments
One of the things that I enjoy about working at Gartner is the ability to participate with clients and providers in industry, government, commercial, consumer and other sources in more precisely defining key terms and phrases resonating in the markets. In some cases, terms may come from sources outside of markets, but most of the time terms that later go on to be ‘famous’ get their start in marketing, for better or worse. Take for example the Internet of Things, or IoT. There is debate on its origin, but I have seen references to the term or ones similar to it dating from the 1990s, and ironically not from marketing. IoT is ok as a term, but it is awkward to continue to refer to “things” in your writing, so what will likely occur is a move to “objects”, “entities”, “identities” or “elements” when seeking precision in writing about what the “thing” really is in the IoT. From a security perspective (which is what I will endeavor to focus on), I’m more likely to write about securing the Internet of Things, but then refer to securing “objects” henceforth rather than “things”. This seems trivial, but adopting some basic rules in the way we express the terms I believe is important to ultimately understanding this industry movement.
The next issue then arises as to the actual definition of the IoT. At present, it is an embracing term that Gartner defines as “the network of physical objects that contains embedded technology to communicate and sense or interact with the objects’ internal state or the external environment.” The key words in this definition are network, physical, embedded, communicate, sense, and state. Strictly speaking, the IoT doesn’t have to be the global Internet; it can be a private network or any other internetwork. The objects in the IoT may also be passive in that they are simply tags, and what they communicate is an identity, like a bar code or RFID tag, for example. Even with this definition, the potential for defining objects that we interact with every day is profound, and I believe that’s one reason why many feel intuitively that this is something big, something disruptive, an inflection point in the way we view computing and networking. From a security perspective, a draft definition for IoT security can be “governance, practices, technologies and services used to secure the networks and objects that make up the Internet of Things.” An object itself can be a collection of other objects or individual elements, to make matters more complex, so securing the object means potentially securing the software, firmware and hardware of each as a single unit. You can see how interesting securing the IoT can become.
The concept of the IoT isn’t new at all. If you ask many engineers and technicians in industrial enterprises today, they will tell you that they have been dealing with devices and embedded technologies as defined here for decades. They can tell you about sensors that detect heat, pressure, temperature and other state changes, sensors that have been embedded in physical equipment that signal back their results over a network so that another device or system with processing capacity can analyze and make yet other changes in state (“lower the temperature”, “reduce the pressure”) for the environment where the sensors reside. RFID tags have been identifying millions of manufacturing components for years to systems that track them. The objects of the IoT have been available for some time. But the recent advances in some of the technology platforms and software have begun to move much of the ‘industrial’ IoT technologies into the mainstream, into commercial and even consumer spaces. The sheer level of innovation in combining the objects of the IoT into value delivery scenarios is mounting. Creative entrepreneurs are providing industry, business and the consumer with scenarios almost daily, some that will be destined to disrupt existing markets forever.
This leads me back to the security question: where does that leave those accountable for security and risk within their enterprise when it comes to understanding, embracing and managing this new world? The question is valid, but unless your enterprise is actually engaged in manufacturing objects of the IoT or delivering services for the IoT, the impact of the IoT in the short term is likely to look more like your current concerns around BYOD (where ‘device’ takes on a new meaning) and mobile security needs. Think about it: most smartphones today have several sensors within, each contributing to the human experience with the phone. In essence, you are holding an object of the IoT in your hand today.
Another area, however, where securing the IoT takes on present-day urgency is operational technology, or OT. That’s another term whose definition I will explore in a later blog, but for now, consider the industry terms associated with OT, such as industrial control, industrial automation and process control. OT was part of the IoT before it was cool to be, and objects of the IoT exist everywhere in oil and gas, utilities, manufacturing, transportation and health care, practically any industry where there are industrial-grade concerns not handled by general-purpose computer systems and networks. The industrial IoT itself is undergoing updating and upgrading, so many of the same technologies you will find in commercial and consumer markets for the IoT (sensors, embedded systems, machine-to-machine (M2M) communications, RFID tags) already exist in OT. A strategy for securing infrastructures that use such systems to create changes of state is now one of the top concerns facing security and risk planners in enterprises today. What changes will traditional IT security undergo to embrace OT security? That too will be one of our next topics.
Category: Internet of Things Operational Technology OT Security Security Tags:
by Earl Perkins | January 30, 2014 | 1 Comment
When you read about the Internet of Things (IoT) in the press, it can get very confusing, particularly if you want to consider how one might go about securing the IoT. First, there isn’t universal agreement on what the IoT really is, whether it is literally architecture, infrastructure, marketing, or something else. Gartner has a definition for the IoT as do others, so I don’t know that this is a big issue. What we DO know is that the increasing attention focused on an interconnected world of devices far greater in number and variety than PCs, tablets and smartphones uncovers a fundamental truth for all enterprises that buy or sell products and services in the security markets. That truth is that the way decision-makers in enterprises think of the practice of security has to change. Their vision of information security, of IT security, of operational technology (OT) security, of physical security– is now obsolete.
Now why would I say something like that? After all, we still need a strategy for ensuring the confidentiality, integrity and availability of information. We need an infrastructure and practice that protects computer systems and networks. For many enterprises involved in industrial control and automation activities, we need that same protection for those operational systems that are the lifeblood of the enterprise. And yes, we need to continue the practice of protecting our physical infrastructure with the people and technology needed to secure our buildings and other physical assets. So what’s the issue?
Consider a world where the number of connected, communicating devices increases 100-fold. Those devices have hundreds of new form-factors for firmware, operating systems, communications protocols, and interfaces. Those devices are part of IT security, part of OT security, part of physical security. Those devices are interwoven and embedded into complex systems that need more machine-to-machine communications, more data collection, more analytics– more, more, more. But it isn’t just a matter of volume, it’s also a matter of complexity, and the expansion of the “threat surface”, the number of entry points into an enterprise (or multiple, linked enterprises). It is also a matter of the interconnectedness of the IoT, where problems in a physical security system can affect the OT systems, or the IT systems. It also means for example that we have to rethink the ideas of identity and access management, since we’re now going to have uniquely addressable devices and uniquely addressable humans, and complex relationships between humans and devices, devices and other devices– I think you’re starting to get the picture.
Perhaps it’s time to consider whether our current bias to the terms “information security” and “IT security” should remain. Perhaps we should consider a new term at the top of the security “pyramid” for many enterprises. By saying this, I am NOT lessening the importance of information in the new architecture of security– quite the contrary. What objects in the IoT have in common with traditional IT is their hunger for information. The devices of the IoT use that information to (among other things) literally change the state of the environment that device is in, whether it’s increasing temperatures for homes, shutting valves in water companies, or closing relays in an electric grid. But they still need reliable, accurate information to do so. Information is the currency of this new type of security. The ‘consumers’ of that information and the outcomes from decisions made with that information now expand a thousandfold.
So what adjective will we give “security” now in our enterprise? Will we continue to call our approach “information security” but with a broader definition set beneath it (and all of the changes to security risk, governance and management that may entail) or do we use something else? Gartner has a reputation of creating phrases that are used from time to time in the markets and with our clients. Perhaps it’s time we recommend another one. The issue isn’t the term, however. The issue is what enterprises must do to accommodate this new, combined way of looking at security, and the impact it will have on policy and practice. It just might give the idea of BYOD a whole new meaning. It will certainly change the calculus of risk. It’s very likely to change your plans for threat intelligence and incident management. It will change the way we secure our relationships with suppliers and partners. In any event, welcome to the new world of the unified security practice. Buckle your seat belts.
by Earl Perkins | January 20, 2014 | 8 Comments
Some of you no doubt noticed that Google announced their intention to buy a company known as Nest Labs for $3.2B U.S., one of their largest acquisitions ever. This blog isn’t about that acquisition, but it did get me to thinking about what such an acquisition means to our dialog on the security for the Internet of Things. It called to mind what is obvious in the way of concerns about securing a world of interconnected devices vs. what may not be obvious. I thought it would be appropriate to mention a few of the latter in the shadow of such a purchase. I realize that for many of you close to the industry, some of these concerns MAY already be obvious to you. If so, humor me so that I can point out some of them to the mainstream audience.
Concern #1 – For many devices in the IoT, programming and design are actually like a return to the ‘old’ days. While there are some similarities between IoT development and development and engineering for mobile devices (a lot, in fact), many of these devices don’t have the user interface, the memory, the processing or the power you would find in a more general-purpose system like a tablet or smartphone. The devices are designed to work in harsh conditions, in some cases for years, with what comes from the hardware factory and the programmer. Embedded systems design figures prominently in many of these devices, and those devices are often required to communicate and interact directly with other devices, thus requiring a multi-layered understanding of machine-to-machine communications. Creating a security plan for such devices isn’t as easy as it appears. Let’s just take one example. If you are interested in installing some client code on a device of the IoT, you’ll have to make sure you talk with the designers and programmers at the beginning of the cycle to even see if they have the memory and processing to handle it. Early adopters of encryption in some systems are already finding this can be a big issue.
Concern #2 – I’ve noticed a lot of detailed attention paid to the development of power sources for many devices in the IoT. This has led me to wonder whether or not one of the more interesting attack vectors of the future may be a “denial of power” attack, where someone conversant in the design and architecture of such systems and interested in disabling them works out a way to deny those systems power, either by getting them to do processing in an excessive way (like denial of service attacks in networking) or by otherwise impacting the way power is used in the device. This is even true for those devices that might be permanently installed with “regular” attachments to power, such as a sensor for lighting systems in a city. You’ll then need to consider the physical security of the power source to ensure that you are really providing a 360 degree view of securing the device.
Concern #3 – I’ve been reading with interest the discussions about the identities of devices, and whether or not some aspects of traditional identity and access management can be used to address the IoT. While I’m certain that issues will arise regarding authenticating and authorizing access of applications running on devices of the IoT, I was thinking more about the scale of such implementations and how a device might have a relationship with another device, which has a relationship with a human, which has a— you get the idea. There are going to be some interesting designs for security management when you have to give everyone and everything a name and then work out the relationships between them to know what kind of access they should be provided.
My identifying these concerns wasn’t meant to depress you. I am also not the first one to think about them or consider them. But on the road to securing the Internet of Things, I think they bear consideration.
by Earl Perkins | January 10, 2014 | 1 Comment
Welcome to my first blog post in my new role within the Gartner security analyst team. I am starting a series of posts on two relatively new areas of Gartner security coverage.
The first will comment on security and risk management issues and concerns with the industrial control and automation infrastructure found in many enterprises, especially those involving critical infrastructure such as utilities, oil and gas firms, manufacturing, transportation, and others. Gartner refers to this infrastructure as “operational technology” (OT) to distinguish it from traditional IT infrastructure. Gartner refers to OT as hardware and software that detect or cause a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. Technologies such as SCADA, process control networking and distributed control systems are examples of OT. Media coverage regarding OT has grown in frequency as vulnerabilities are discovered and threats to OT systems and networks increase in frequency and sophistication.
The second will comment on security and risk management issues and concerns for what the markets now call the “Internet of Things”, or IoT. As many of you already know, the IoT is the network of physical objects that contain embedded technology to communicate and sense or interact with the objects’ internal state or the external environment. It ranges across myriad industries and examples, from devices to monitor health and exercise to smart watches to traffic flow sensors to intelligent smoke alarms to— well, you get the idea. The IoT is currently one of the most interesting concepts for innovators and entrepreneurs, and design ideas and product proposals are ricocheting across the market faster than professional ice hockey players. While not all of the IoT demands enterprise-class security, there are enough concerns about privacy and misuse of data or devices to merit consideration.
Gartner has already published research in OT and the IoT, and some security research has also been published on these fields as well. But the growth and position of these technologies for enterprise users and consumers demand more, and research in 2014 will focus on areas such as embedded systems security, securing smart cities, and business continuity/disaster recovery concerns in a world of OT and the IoT. We welcome your comments as we tackle some of the major security issues of the day for OT and the IoT here in this blog. Let’s get the discussion started.
by Earl Perkins | December 19, 2012 | 1 Comment
2012 has been quite a year for identity and access management for our clients and for the IT and business world in general. The amount of interest and inquiry has grown to unbelievable rates. Our research has been read, discussed, questioned and challenged. Our IAM Summit in Las Vegas had its strongest attendance since the summit’s inception. IAM vendors and service providers have been working with Gartner in record numbers to discuss their product and service roadmaps and futures. New ones have appeared almost monthly. While not necessarily a record year in mergers and acquisitions by IAM solution providers, it was robust. Actions by clients and providers alike point to an inflection point in IAM for 2013– in the way it is planned, produced, purchased and put into production.
Clients using IAM are growing more mature in IAM usage, demanding more of solution providers, and innovating as a result of the changing dynamics in business. Clients selecting IAM tools for the first time are asking harder and more penetrating questions regarding capabilities, pricing, and the nature of relationships with providers. The broader impacts of IT changes in mobile, cloud, social media and information (i.e. the Gartner Nexus of Forces) are being felt as IAM customers struggle to keep up with challenges and choices.
All of that sounds impressive, but what does it really mean for clients in 2013? What does it say about the future of IAM as a practice, a process, or a market?
IAM as a practice has finally gained a degree of credibility within maturing enterprises. Clients recognize the value of knowing who has access to what, who gave it to them, and what they’ve done with it. They leverage such knowledge not only for regulatory compliance purposes, but to enable business decision-makers to “index” decisions with a “who view”– to provide an identity context to decisions involving enterprise resources, supply chains, customer relationships and human resources. IAM as a process is now defined– there is more formalism and structure around employee, customer and partner onboarding, change management and offboarding of identities. There is better sharing of information between IAM systems and security systems that can also use that identity context in delivering their own answers to IT and the business alike, from data loss prevention to security information and event management, from network access control to governance, risk and compliance management. IAM as a market continues to grow at a formidable pace, addressing the increase in the means of delivery (via cloud and social media) as well as in access points (via mobile). Information is the delivery mechanism for identity context, but is also useful in providing a degree of granularity to the IAM experience, whether in authentication, authorization, provisioning or other capabilities.
2013 is going to be an exciting year for IAM and for clients that use it. Validation of all of those painful, pricey efforts to implement a robust identity data and log model will begin to bear fruit. IAM as a service (IDaaS) will continue to grow in market presence, finding its place in realistic implementations that leverage the uniqueness of that delivery model and challenge the status quo of enterprise solutions. The rise in mobile needs for IAM, as well as the enabling of IAM options via mobile, ensures a rich growth opportunity for innovation. Social media requirements, as well as its contributions to IAM, ensure a unique opportunity to redefine identity itself to be more encompassing than just the enterprise. The quantity, quality and velocity of information from 2013 IAM systems will be dramatic, and clients will need to be careful that they don’t drown in a sea of IAM information, leveraging new skill sets and new analytics tools to ensure information becomes knowledge.
Happy New Year! And buckle your seatbelts. It’s going to be quite a ride.
by Earl Perkins | August 31, 2012 | 1 Comment
In a previous blog, I had touched upon the concerns that I had regarding the U.S. efforts at moving toward a consensus on how to secure N. America’s critical infrastructure, particularly in the energy and utilities markets. I believe the point of that blog was that many people were beating the warning drums, but fewer were offering up practical advice about how to counter the threats.
I recently read yet another article regarding the U.S. government’s “interference” in answering operational technology (OT) security concerns. The general thrust of the article was that the government was once again going to bumble their way into industries that it did not understand well and create more problems than it would solve by applying regulation in some form. The latest attempts in this arena involved the U.S. Cyber Security Act of 2012, which did not pass Congress prior to their latest recess. The article went on to underscore the belief that if the government would just ‘stay out of the way’, the private sector would self-regulate in the necessary fashion to ensure a secure critical infrastructure.
I am not here to debate whether that is true or not, though watching events over the last 4 years in the financial services sector leaves me a bit cynical about the ability of individual industries to look out for the welfare of the average citizen. What I DID want to say is enough already with the whining about critical infrastructure– how scary it is, how no one understands it, how government or industry is going to create an apocalyptic scenario if they continue on the current path. Here are some suggestions instead:
1- For the private industries, quit whining and complaining about how no one understands the trouble you’ve seen in security, and start cooperating to reduce the number of different forums giving advice (some of it conflicting). I’m dizzy trying to track the number of studies being released by government and private sector groups alike, some with different terminology for the same things, others with conflicting information (e.g. “The sky is falling!! No it’s not!! Yes it is! No it’s not!!”). Try prioritizing your venues for communication and information dissemination and collectively establish authoritative voices about the nature of the problem, the current state, and what can be done to address the problems. If you want to avoid regulation, be consistent in how you describe the problem to Congress by agreeing upon credible, factual sources rather than fighting it out in the media. You may not like the idea of government regulation, but at least they appear to be TRYING to do something, however misdirected you may feel it is;
2- For the government, quit your bickering over who’s in charge and sort out a strategic hierarchy. Bring some consistency to YOUR studies and reports as well, and come up with a taxonomy of which study is for which purpose and which group or infrastructure. In the case of energy and utilities, decide what the roles of DHS, ODNI, DOE, NRC, FERC, NIST (to name just a few), the White House, and Congress are and be clear about it. I know this isn’t likely to happen until after the election, but perhaps we can set this as an early goal for the next administration. In addition, quit changing the NERC CIP regulations long enough for consultants, integrators, and the companies affected by those regulations to have a stationary target. Most important of all, work with the private sector to ensure that you’re ALL drawing upon valid, credible, scientific sources of information from which to make decisions. Relegate questionable media reports by agencies that don’t have knowledge or awareness of the specific industries affected to their proper place in the decision process;
3- For all involved: we continue to need refinement of the common language we use about operational technology security, and to agree upon the major issues we must address. We need to agree upon what the obvious priorities are, i.e. what are the basics that can be done TODAY to take incremental steps to improve security for our critical infrastructure (such as ensuring that basic security policy is in place and APPLIED, and that organizational requirements are identified and established early so training can commence, for example). Most importantly, we need to understand WHO IS IN CHARGE of the particular priorities identified, and what being in charge means from a governance and program perspective.
As my wife often says, it’s time to put your big boy pants on and act your age. It’s possible to sort out major issues related to critical infrastructure protection if there is the grown-up willingness to admit that something must be done and that someone must be able to lead and coordinate the effort. The rest should follow. I know it sounds easier than it really is, but it isn’t going to solve itself by wringing our hands or whining about who’s in charge.