Networks have evolved significantly over time. They were once simply used to connect computers via switches (Layer 2). As the need arose for these computers to communicate across different networks, routers were introduced. To protect these systems from network-based threats, firewalls soon followed. As networks expanded to support more than just computers, securing IoT and OT devices became even more critical. This expansion has also increased the attack surface, raising the question:
Where should you begin when securing IoT and OT devices?
My recommendation is to start with Network Access Control (NAC).
Difference Between OT and IoT Devices
Let’s discuss the difference between OT and IoT technologies. OT devices are designed to control and monitor physical processes in industrial settings, whereas IoT focuses on collecting and exchanging data in real time. For example, OT is commonly used in critical infrastructure, such as Industrial Control Systems (ICS), while IoT is often deployed for facility management and environmental monitoring.

The Current State of IoT and OT Devices
It’s important to remember that IoT and OT technologies are not simply “black box” solutions; rather, they consist of multiple interconnected devices communicating with each other. As a result, their network connectivity may not always be RFC-compliant and could rely on proprietary protocols. Additionally, many of these devices are programmed by developers who may have limited knowledge of network component development, or the software may have been created before the relevant protocol RFC was officially ratified.
OT and IoT networks are often flat, Layer 2, and highly open, primarily due to protocol limitations and the need for real-time communication. Even minimal latency can cause device failures, making low-latency connectivity a priority. However, this lack of sophistication, combined with infrequent updates that typically don’t include any security considerations, makes securing these IoT and OT devices even more important as they are often attractive targets for malicious hackers.
A few years ago, I bought a standalone IoT security camera and decided to run a vulnerability scan on it. I quickly discovered that it was using a Linux Debian kernel that was already over five years old at the time, with multiple known vulnerabilities. Wanting to help, I reached out to the manufacturer to report the issue but never received a response. Reflecting on this experience and working with various customers, I came to realize that OT-IoT networks present several challenges for network administrators, including:
- Visibility: The lack of visibility into network activity makes it difficult to detect potential security threats and unauthorized access. Most OT-IoT networks are open, and sensitive to network processes like scanning and latency. I have seen instances where scanning OT-IoT devices with network security scanners causes them to crash, which could bring down the production of a facility.
- Control: Limited or no control over communication on the network due to the manufacturer’s requirements, or network sensitivity of the OT-IoT solution, may increase the risk of security breaches and unauthorized device connections.
- Redundancies: Most OT-IoT devices generally lack robust redundancy measures, often relying on minimal backup solutions, such as configuration, output file backups, or even screenshots of the device configuration. Given this limitation, the primary redundancy strategy is to keep spare devices or replacement parts available, even in cases where the issue stems from software corruption.
While NIST 800-82r3 provides valuable guidance for securing IoT and OT devices, it’s essential for organizations to follow a broader security framework, such as NIST 800-53, ISO 27001, or CIS 18. Adhering to a security framework can be a complex and time-consuming process, so I always recommend starting with the basics: Network Access Control (NAC).
What is Network Access Control (NAC)?
Network Access Control (NAC) is a security solution designed to enforce policies on devices connecting to a network, enhancing visibility and minimizing security risks. From my experience, I have worked with Cisco ISE and Aruba ClearPass, so my insights on NAC tend to revolve around those two products. However, I would love the opportunity to test out FortiNAC as well.
Let’s start with the basics. When implementing a NAC solution, you’ll find that most platforms offer device classification and support both wired and wireless networks. Policies or access rules are established to determine how users and devices interact with the network, where they are located, and which resources they can access.
Typically, access policies are built based on device classification (or endpoint profiling), user identity, associated user groups, or other identifiable attributes. The specific attributes used depend on what the NAC solution can observe on the network, ensuring a dynamic and secure access control framework.
During a recent call with a customer, a key question was raised: Why not air-gap the OT-IoT network instead of implementing NAC? My response was: what are the requirements? With Industry 4.0 revolutionizing operations, the need for continuous data exchange has fundamentally changed how production systems are connected. Before digitization, OT-IoT systems didn’t require network connectivity. However, today’s modernized production environments rely on real-time or near real-time data exchange, making air-gapped systems impractical for most organizations.
That said, if real-time data exchange isn’t a requirement, an air-gapped network could still be a viable option. It’s important to remember that NAC isn’t a standalone solution but rather one of several essential tools needed to establish a strong foundation for OT-IoT security.
Unfortunately, no single tool can cover all security measures, but NAC is one of the most effective solutions available especially when it comes to improving OT-IoT security. Why? Because NAC provides visibility into the network, identifying and categorizing all connected devices.
With the right licensing and/or integration to security solutions, most NAC solutions can detect unusual network activity and recognize common attack patterns. A key capability of NAC is the ability to segment endpoints into designated groups based on predefined policies. Depending on the policy assigned to a group, different security measures and defensive actions are enforced.
It’s worth noting that some NAC solutions refer to these logical groupings as “zones.” By grouping endpoints and devices that logically belong together, organizations can contain potential threats. If an attacker infiltrates a specific group, they remain isolated within it, preventing lateral movement and ensuring that the rest of the network remains unaffected.
Modernize Your NAC Solution
If you’re still using a legacy NAC solution, it may be time to consider an upgrade. Here are a couple of key tips to guide you through the process:
Gain Full Visibility and Understand Device Behavior
Identifying and classifying every device on your network is essential. Knowing what devices are present and how they are being used is critical for security and management. If your NAC solution struggles to recognize OT-IoT devices, collaborate with the manufacturers of both your NAC and OT-IoT solutions. Alternatively, working with a trusted partner like KNZ Solutions can help ensure proper integration and visibility.
Automate Network Segmentation and Policy Enforcement
Once you have full visibility into your network, the next step is to automate segmentation. Establish policies that dynamically segment the network based on logical identifiers, such as device classification, business units, or teams. Ensure your NAC solution can enforce these policies in real time, keeping devices properly isolated and granting access only where necessary. This approach not only enhances security but also ensures devices operate within their designated network segments.
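As an added illustration (not code from the post or from any NAC product) of the grouping and dynamic segmentation described above: a small policy evaluator that maps observed endpoint attributes to a zone, sends anything unclassified to quarantine, and only permits zone-to-zone traffic that is explicitly allowed. Attribute names, zone names and the sample endpoints are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of what a NAC typically observes about an endpoint:
# a profile from fingerprinting, the authentication method, and user groups.
@dataclass(frozen=True)
class Endpoint:
    mac: str
    profile: str                      # e.g. "plc", "ip-camera", "unknown"
    auth: str                         # "dot1x", "mab" (MAC auth bypass) or "none"
    groups: frozenset = frozenset()   # identity groups from 802.1X, if any

@dataclass(frozen=True)
class Rule:
    name: str
    zone: str
    profiles: frozenset = frozenset()  # empty set means "match any"
    auths: frozenset = frozenset()
    groups: frozenset = frozenset()

    def matches(self, ep: Endpoint) -> bool:
        return ((not self.profiles or ep.profile in self.profiles)
                and (not self.auths or ep.auth in self.auths)
                and (not self.groups or bool(self.groups & ep.groups)))

QUARANTINE = "quarantine"

# Ordered policy, first match wins. Constructed zones: OT cell devices, facility
# cameras, OT engineers, and general corporate users.
POLICY = [
    Rule("ot-devices", "ot-cell", profiles=frozenset({"plc", "hmi"}), auths=frozenset({"mab"})),
    Rule("facility-cameras", "iot-cameras", profiles=frozenset({"ip-camera"})),
    Rule("ot-engineers", "ot-eng", auths=frozenset({"dot1x"}), groups=frozenset({"ot-engineering"})),
    Rule("corp-users", "corp", auths=frozenset({"dot1x"}), groups=frozenset({"employees"})),
]

def assign_zone(ep: Endpoint, policy=POLICY) -> str:
    """Return the zone for an endpoint; unclassified devices never reach production."""
    for rule in policy:
        if rule.matches(ep):
            return rule.zone
    return QUARANTINE

# Constructed inter-zone allow list; anything not listed is blocked between zones.
ALLOWED_FLOWS = {("ot-eng", "ot-cell"), ("corp", "iot-cameras")}

def flow_allowed(src_zone: str, dst_zone: str, allowed=ALLOWED_FLOWS) -> bool:
    """Same-zone traffic is assumed permitted; cross-zone traffic must be explicitly allowed."""
    return src_zone == dst_zone or (src_zone, dst_zone) in allowed
```

A compromised camera in "iot-cameras" has no allowed flow into "ot-cell" or "corp", which is the containment of lateral movement the zoning is meant to provide.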
Integrate NAC into Your Broader Security Strategy
As organizations advance in their digital transformation efforts and work to protect their infrastructure, securing IoT and OT devices is more critical than ever. NAC plays a vital role in enhancing visibility, enforcing policies, and mitigating risks, but it should not be viewed as a standalone solution. Instead, it must be integrated into a broader security strategy that includes network segmentation, continuous monitoring, and proactive threat management.
Building a robust security infrastructure is an ongoing process, a journey, not a one-time fix. By adopting the right tools, following best practices, and partnering with experts like KNZ Solutions, organizations can modernize their operations while ensuring a strong, resilient security posture.
About the Author:

Chris Price is an experienced executive deeply committed to nurturing and empowering team members to realize their fullest potential. My passion lies in technology thought leadership, and my career has been dedicated to providing guidance and leadership in aligning technology with business objectives. In recent years, we’ve observed a significant evolution in technology, particularly in digital solutions, which have the potential to differentiate businesses and confer a competitive advantage in their respective industries. In this new era of digital business, organizations must embrace transformation. Within my team, we possess the expertise to guide organizations through the disruptions brought by digital innovations, offering innovative ideas and state-of-the-art technology to navigate these changes effectively.