IoT knife fight: OT or IT? Part I

A Looming Management Problem

Boy Scouts was a fun time for me. Yes, I looked like a dork in my shorts and high socks. The proverbial cute girls in a convertible even singled me out one time while I was selling Scout show tickets door-to-door. While they were making fun of me, whistling and asking me if I sold more with the socks up or down, all I could think of as my face started burning with embarrassment is how they had no idea what we would be doing at the show. How cool our spectacle of an exhibit was going to be. My dad and I decided to alloy metal — bronze, to be exact — to make metal belt buckles right in the parking lot of the Astro Hall (which was the convention site for the Astrodome). I doubt they would have made much fun of me if they had seen me in my fire suit, rock wool gloves and a smelter’s mask wrestling with Kelvin-level heat over a homemade smelting unit made with yard blowers while pouring boiling metal into casts. While trying to not get burned or kill anyone in the process.

Talk to any information technology manager or director and they will tell you this is the exact kind of issue they deal with every day.

Management may sometimes look at computers, information and all the associated engineers as a little like a young man in a pair of odd-colored high socks. But the truth is that these professionals often deal with things that can hurt or even kill people. This stark reality is in plain sight for anyone who has seen — or worked with — massive robots on a plant floor, complex HVAC and fire-suppression systems installed in large buildings or campuses, or security and badge systems that protect both resources and workers.

And these are just the things that are connected to the network now. Just wait for what’s coming next…

Who owns IoT?

The internet of things crosses numerous boundaries within a company. Traditionally, the group that takes care of operations technology (OT) has owned IoT. These engineers are also sometimes referred to as SCADA groups or automation teams. In energy companies, they usually fall under the business units and represent a completely different portion of the company’s electronic resources than the traditional information technology folks that handle things like email, IT infrastructure and internal applications. Instead, the OT team owns things like the small computers attached to pumps, critical thermostats monitoring freezers or smelters, and the motors that drive things.

In decades past, this was all really boring stuff.

Traditionally, OT devices were never connected to the regular network run by IT, and they certainly never touched the internet. Instead, these devices required very low-level programming and even today still often run using Microsoft DOS (no touchscreen or mouse there). OT technology has tended to be perfunctory and tedious, and certainly has not ever included anything like Alexa telling jokes to the OT engineers or Siri reminding them that they had forgotten their children at aftercare.

Instead, this technology has had to monitor things like temperatures, manage the flow of energy or turn valves on and off. In many cases, the protocols they manage and the devices and software they run on have not changed for decades.

But now, because of things like big data cloud, the availability of smaller and cheaper computers, and things like just-in-time, response-driven inventory, the OT environment is undergoing a rapid and radical change. New requirements like speed and performance are forcing OT teams to replace their traditionally static devices with new technology, and the need to adapt in real time to highly elastic demands means that OT solutions are increasingly connected to networks with real-time information feeds.

This change is also causing OT and IT to fight over the control of digital ground. While OT is growing, it is primarily growing into the spaces usually controlled by IT as it is being bolted onto the same networks that phones, routers and laptops touch. This is creating a whole range of security challenges that neither group has ever had to deal with in the past and affects the delivery of applications and information that reaches all the way into the executive suite.

We have seen the results of failing to address these challenges. IoT vulnerabilities continue to plague network administrators. It’s one thing when an IoT device running games in your kid’s bedroom is compromised. It’s another thing entirely when it’s a connected valve controlling chemicals used to purify water systems, or an oil pipeline running through pristine wilderness, or large robots assembling automobiles side by side with human workers.

This is the cyber knife fight we find ourselves in. It is closer, dirtier and emotionally draining for all involved, even the bad guys. The better we fight, the harder we make it and the less effort they will begin to put into it. We are already starting to see this with numerous arrests, dark web take-downs and numerous botnet mitigations that lead to the arrests of those that would wound us.

Fortinet’s quarterly “Global Threat Landscape Report” has been tracking IoT vulnerabilities for some time now. Last year, millions of hijacked IoT devices were used to create a massive botnet known as Mirai that was used as a denial-of-service weapon to shut down huge segments of the internet. And that wasn’t a one-time thing. A similar IoT-focused attack known as Hajime was introduced just this past spring, but this time with a much more sophisticated toolkit of exploits attached. And as reported in the Q2 2017 report, security professionals continue to identify a growing number of IoT-based exploits, and it predicts that they these attacks will continue to threaten the security of organizations across both IT and OT environments.

Which makes trying to decide whether the IT or OT team is responsible for these problems, and who gets to establish protocols for visibility and controlling security risk, a complicated and often territorial dispute.

It’s the kind of thing that wars get started over. And with new threats looming over the horizon, it’s not the sort of distraction your organization can afford.

This is part one of a two-part series. Read part two here.

Original article was written in IoT Agenda and can be found here.