Identify IoT and OT devices

IoT and OT devices are managed differently from laptops and servers. This article addresses how you can identify IoT and OT devices and protect them from possible hacking.

IoT and OT devices at a car manufacturer
On this page Kappa Data informs you how to identify and protect IoT and OT devices.

What is IoT and OT?

IoT (Internet of Things) has been a buzzword for years. You can't open an ICT-related website without reading something about it.

Why would that be?

Every "thing" is connected. In home environments we think of dishwashers and refrigerators. These things exist in business networks too, supplemented with radios, coffee machines, etc. They need to be connected to report to the supplier for whatever reason, or to receive functional information from the internet in order to work (such as internet radio). This is not production related and is categorized as "shadow IT".

On the other hand, we have OT networks (Operational Technology). These are more specific and almost always production-related assets, meaning that they are required to make production work. A well-known example is a PLC, but it could just as well be a CT scanner in a hospital. Most of the time we know it's there, but we forget about the subparts, such as a sensor installed by a supplier for remote follow-up.
Extreme Network Access Engine with Control Engine

How is this a threat?

Both IoT and OT systems can be a potential danger to a network. Unpatched and unsecured systems can give hackers access to the network and allow them to use the compromised system as a jumping-off point. Some of these assets are cloud-manageable out of the box and ship with default passwords. These could potentially be a backdoor into any network.
 

Yeah yeah, not for me!

 
You might think this is a bit exaggerated. Maybe… But if you hold this opinion, it must mean that you know exactly which assets are active in your network. Maybe you once did a discovery scan and the company has a policy in place not to connect any kind of unmanaged system. But people come and go, and people are creative in finding solutions for their problems.
 
Think about that discovery you once did. It is a snapshot of a moment. No visitor, test machine or machine that was turned off at that time will be in that list. Your inventory is incomplete and, after one day, potentially outdated.
 
How can you protect a network if you don't have an accurate inventory of all the assets in it?


What does Kappa Data offer?

 

Armis is a product that builds a complete network inventory and identifies every asset by its function. A scanning station running Windows Embedded will be identified as a scanning station.
 
Around the clock, the Armis collector analyses all network traffic via a SPAN port. Any device that comes online, even for a fraction of a second, and sends or receives a network packet will be detected and identified, without Armis itself needing to port-scan or send anything to that device.
 
This way of working also makes it possible to see what is happening and what other "things" are connected to or inside that device, and therefore gives complete visibility of each network component and its traffic.
 
The Armis product called Centric comes in four flavors:
  • One for regular IT environments
  • One for OT
  • One for IoT
  • One for medical environments

 

Clearly there is a focus depending on the choice or combination. For OT and IoT in particular, since that is the subject of this article, one of the things Armis is capable of doing is mapping the network to the Purdue model. To do so, Armis can read SCADA and other industrial protocols and analyse the communication layers of the different communicating assets. Moreover, PLCs with integrated interface cards will also be identified and analysed.


After identification comes protection?

 

Yes. Now that you know what to protect, you can start drawing your segmentation plan. The first thing to do to protect OT networks is to put them in a separate, isolated network. You can read more about this in our article on NAC. Unfortunately, most OT systems do not allow installing any kind of protection agent. By putting them in an isolated VLAN, they cannot be accessed from outside the production network.
 
But is this enough?
 
The answer is always "it depends", but in security it can never be enough, it can only be too expensive. What we need is an affordable solution that is flexible enough to adapt to any kind of network. The problem with the segmentation example above is that one asset is still capable of infecting another, while, let's be honest, they don't need to contact each other, only the server or engineering station.
 
The solution to this is hyper-segmentation or micro-segmentation.
Kappa Data offers this together with Extreme Networks' Fabric solution. This makes it possible to add an extra isolation layer on top of a VLAN and decide who can access what. For example, a PLC can contact the engineering workstation but nothing else. Another PLC can do the same, but the two cannot contact each other, even though they are in the same VLAN. This is a very cost-effective solution that is relatively easy to integrate into any existing network, using Extreme Networks Fabric switches (also known as VOSS).


Another way to protect an asset is to keep it up to date. Firmware and OS upgrades and updates should be applied on a regular basis, and with high priority if needed. But priorities are network-dependent, which causes challenges in larger environments. Armis' VIPR product is able to identify and prioritize the vulnerabilities unique to each network. This assists engineers in updating their assets in the correct order, so you can achieve fast and effective protection in a minimum of time. Whenever CVEs are published, they appear in the portal and are taken into account.
 

What if there still is an attack?

 

Although a network can be highly secured, you know that an attack is never far away. In regular IT networks we already have lots of detection tools in place, such as XDR, NDR, SIEM and other effective tools. Since this article is about OT, we will put the spotlight on Armis again.
 
Earlier, you read that Armis builds the Purdue model of an OT network and is able to identify traffic layers. It is a rule within these networks that a layer may only talk to the layer directly above or directly below it. Traffic that skips a layer and jumps one further could indicate a breach.
 
This and many more specific attacks can be identified by Armis Centric.
In Armis you can build policies on how to deal with certain situations, in this case a potential breach detection. Armis itself will not take direct action, but it will notify someone or something, among other means via webhooks and APIs.
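The Purdue adjacency rule described above, together with the per-PLC allow-list from the micro-segmentation section, as an added Python example that is not code from Kappa Data, Armis or Extreme Networks; asset names, Purdue levels, the policy and the flow records are all constructed for illustration.

```python
# Added example, not code from Kappa Data, Armis or Extreme Networks.
# Two checks over constructed flow records (src, dst, protocol):
#  1. Purdue adjacency: traffic may only cross to the level directly above
#     or below; a bigger jump is flagged as a possible breach.
#  2. Micro-segmentation allow-list: a PLC may only talk to its engineering
#     workstation, never to another PLC, even inside the same VLAN.

# Constructed inventory: hypothetical asset name -> Purdue level. The
# industrial DMZ is modelled as 3.5 so it is adjacent to both 3 and 4.
LEVELS = {
    "sensor-01": 0, "plc-01": 1, "plc-02": 1, "eng-ws-01": 2, "hmi-01": 2,
    "site-srv-01": 3, "hist-dmz": 3.5, "erp-01": 4,
}

# Constructed micro-segmentation policy; assets without an entry are only
# subject to the Purdue check.
ALLOWED_PEERS = {"plc-01": {"eng-ws-01"}, "plc-02": {"eng-ws-01"}}

def classify(flow, levels=LEVELS, policy=ALLOWED_PEERS):
    """Return None if the flow is acceptable, otherwise a reason string."""
    src, dst, _proto = flow
    for asset in (src, dst):
        if asset not in levels:
            return f"unknown asset {asset}"  # not in inventory: investigate
    if abs(levels[src] - levels[dst]) > 1:
        return f"level skip {src} (L{levels[src]}) -> {dst} (L{levels[dst]})"
    for a, b in ((src, dst), (dst, src)):  # policy applies in both directions
        if a in policy and b not in policy[a]:
            return f"peer not allowed {a} -> {b}"
    return None

def find_violations(flows, levels=LEVELS, policy=ALLOWED_PEERS):
    """Pair each flagged flow with its reason, keeping input order."""
    return [(f, r) for f in flows if (r := classify(f, levels, policy))]

# Constructed sample flows, as a collector on a SPAN port might see them.
SAMPLE_FLOWS = [
    ("plc-01", "eng-ws-01", "s7comm"),   # allowed: adjacent levels, listed peer
    ("plc-01", "plc-02", "s7comm"),      # same VLAN, but not an allowed peer
    ("erp-01", "plc-01", "modbus"),      # enterprise straight to a PLC
    ("hist-dmz", "erp-01", "https"),     # DMZ to enterprise, allowed
    ("laptop-x", "plc-01", "modbus"),    # asset missing from inventory
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow[0]} -> {flow[1]} ({flow[2]}): {reason}")
```

The unknown-asset case is flagged on purpose: a flow from a device that is not in the inventory is exactly the incomplete-inventory problem this article opens with.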


Why would you consider IoT and OT protection?

 

There are two basic rules here:
 
  • Assets can be used as a jump host to attack the internal network.
  • OT networks are at the heart of your production network. You don't want them to be attacked.
And remember: you probably don't know all the devices that are connected to your network.

Frequently asked questions

Check our FAQ section, where you can find the first questions that have been asked to us during the last months.

  • What specific features of Armis aid in protecting IoT and OT devices?

    Specific features of Armis that aid in protecting IoT and OT devices include:

    • Device discovery and inventory: Continuous monitoring to maintain an up-to-date inventory of all devices.
    • Risk assessment: Identifying vulnerabilities and assessing the risk associated with each device.
    • Behavioral analysis: Monitoring device behavior to detect anomalies and potential threats.
    • Threat detection and response: Providing real-time alerts and automated responses to mitigate risks.
    • Integration with existing security infrastructure: Enhancing protection by integrating with firewalls, SIEM systems, and other security tools.
  • What challenges do organizations face in managing and securing IoT and OT devices?

    Organizations face several challenges in managing and securing IoT and OT devices, including:

    • Visibility: Difficulty in identifying all devices connected to the network due to the sheer number and variety of devices.
    • Diverse protocols: IoT and OT devices often use various protocols that are not standardized.
    • Legacy systems: Many OT devices are legacy systems that were not designed with security in mind.
    • Limited control: Difficulty in applying traditional security measures to devices that cannot be easily managed or updated.
    • Vulnerabilities: Increased risk of vulnerabilities due to lack of regular updates and patches.
  • What are the benefits of using Armis for a network with many IoT and OT devices?

    The benefits of using Armis for a network with many IoT and OT devices include:

    • Comprehensive visibility: Achieving full visibility of all devices connected to the network, including those that are not easily managed.
    • Enhanced security: Proactively identifying and mitigating risks associated with IoT and OT devices.
    • Operational efficiency: Reducing the need for manual device management and monitoring through automated processes.
    • Compliance: Helping meet regulatory requirements by ensuring that all devices are monitored and protected.
    • Scalability: Easily scaling to accommodate a growing number of IoT and OT devices as the network expands.
  • How does Armis help in identifying IoT and OT devices on a network?

    Armis helps identify IoT and OT devices on a network by providing comprehensive visibility through its agentless platform. It uses passive monitoring to detect and classify devices based on their behavior, communication patterns, and other attributes. This allows organizations to discover all devices, including those not easily managed, without disrupting network operations.

  • How can Armis improve security for IoT and OT devices that are difficult to manage?

    Armis improves security for IoT and OT devices that are difficult to manage by using its agentless approach to monitor device behavior and network traffic without requiring direct control over the devices. This passive monitoring ensures that even unmanaged devices are continuously evaluated for security risks, and any unusual or suspicious activity is promptly detected and addressed.

Contact us for a demo

Are you curious to learn whether our solutions can help you find the assets in your network and protect them? Contact us for a demo via the button below.
