IoT and Security. Edge. Network. Tracking

by Albert Putnam November 15, 2016


Security and IoT is a topic impossible to avoid. With modern APIs and smart edge devices, the days of isolated LAN architectures are numbered.

Recent DDoS attacks have shown how systemically vulnerable IoT deployments are. Some vendors have taken the walled-garden approach: do not allow users or owners local access to their devices. But that is not really what customers want.

Others keep the status quo of twenty years ago. They state plainly that their devices are meant for open, shared LANs, and that one had best put a series of walls around them; in technical terms, put them in a virtual private network. This loads IT with work for little benefit, and it does nothing about breaches that originate inside the network, whether deliberate or accidental.

There has to be a middle road: a set of practices acceptable to end points and users as well as to IT and the enterprise. Three seem to arise.

One: 
Make some effort with the edge devices. This is old school, but only recently becoming standard practice for IoT devices. Where "password" is used below it can be read as "access token" or, more generally, "authentication method".

A. Make sure edge devices have passwords.
B. Close all access methods not related to setup and operation.
C. Make sure no setup or access method can be repeated quickly, whether to probe for entry or to deny others service.


In a way the ABCs are non-negotiable. D is probably the hardest, but the most important:

D. Make sure edge devices have good passwords.
This can be done by demanding a password change on first configuration, which is fine for pilots but does not scale to interesting, large deployments. The other way is to set a strong, unchangeable password that cannot by any means be deduced from the network. Generating a password from a network interface MAC address looks close to this, but falls short: the MAC is visible to every host on the LAN and is usually printed on the label, vendor address blocks are allocated sequentially, and the derivation itself sits in the firmware of every unit, so one extracted derivation opens the whole block. Worse, MAC addresses also leak from LAN to WAN when they are used to generate other defaults. Keeping manufacturer "cloud" databases of passwords leaves the end device a brick when the service expires. [NOTE this does not imply that the owner of the device, or of the LAN on which it resides, should not build and maintain a database of passwords; that is simply their responsibility.] The key seems to be a unique, long and strong local password, easy for human or machine entry, stored out of band, and only locally accessible: in practice, one generated randomly per device at manufacture and shipped on the label or through a separate channel, never computable from an identifier. There are patentable and trade secret pathways therein... so let us leave it at that *grin*. Much of the above deserves to be credited to James Lyne at Xively Xperience 2015.
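What A, C and D look like on the device itself, as an added example that is not code from the original post or from any product it names: a per-device password drawn at random (so nothing about it follows from the MAC, serial number or a vendor-wide secret), stored only as a salted hash, compared in constant time, and throttled with a lockout that doubles on each further failure. Class and function names, the alphabet and the thresholds are assumptions made for the illustration.

```python
"""Per-device credentials for an edge device: unique, random, not derived
from anything observable on the network (item D), stored only as a salted
hash, and throttled against repeated attempts (item C).

Added example; not code from the original post or any product it names.
Class and function names are hypothetical."""
import hashlib
import hmac
import math
import os
import secrets
import time

# Alphabet for the label password: no 0/O, 1/l/I look-alikes, so it is easy
# to type from a sticker or to read with a provisioning scanner.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"


def provision_password(length: int = 20) -> str:
    """Factory-side: draw a fresh random password for one device. Nothing
    about it comes from the MAC, serial number or a vendor-wide secret."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Guess-resistance of a password drawn uniformly from ALPHABET."""
    return len(password) * math.log2(len(ALPHABET))


class DeviceAuth:
    """Device-side verifier: keeps only a salted PBKDF2 hash of the label
    password, compares in constant time, and locks out after repeated
    failures with a lockout that doubles each time it is triggered."""

    def __init__(self, password: str, max_failures: int = 5,
                 lockout_s: float = 30.0, iterations: int = 100_000,
                 clock=time.monotonic):
        self._salt = os.urandom(16)
        self._iterations = iterations
        self._hash = self._kdf(password)      # the plaintext is never stored
        self._max_failures = max_failures
        self._lockout_s = lockout_s
        self._clock = clock                   # injectable for testing
        self._failures = 0
        self._locked_until = 0.0

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self._salt, self._iterations)

    def locked(self) -> bool:
        return self._clock() < self._locked_until

    def verify(self, attempt: str) -> bool:
        """Return True only for the right password outside a lockout."""
        if self.locked():
            return False                      # do not even run the KDF while locked
        if hmac.compare_digest(self._kdf(attempt), self._hash):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self._max_failures:
            # Doubling lockout: lockout_s, 2*lockout_s, 4*lockout_s, ...
            exponent = self._failures - self._max_failures
            self._locked_until = self._clock() + self._lockout_s * 2 ** exponent
        return False


if __name__ == "__main__":
    label_password = provision_password()
    print(f"label password: {label_password}  (~{entropy_bits(label_password):.0f} bits)")
    auth = DeviceAuth(label_password, max_failures=3, lockout_s=30.0)
    for guess in ("admin", "password", "12345678"):
        print("guess", guess, "->", auth.verify(guess))
    print("locked:", auth.locked(), "; correct password now ->",
          auth.verify(label_password))
```

Twenty characters over this 54-symbol alphabet give about 115 bits, far beyond anything a throttled interface will let an attacker search. The lockout is itself a denial-of-service lever (item C's second half): anyone on the LAN can keep a device locked by guessing wrong, so where the source address is known it is better to throttle per source, and the doubling delay is preferable to an indefinite lock.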

Two: 
VPNs are still not easy to set up, and within a VPN there are no access controls. Modern IoT use cases of remote service beg for a way to keep the setup interfaces, for example of a motor controller and its allied pressing machine controller, available only to select external parties, while the two communicate freely and directly with each other on the LAN. This speaks to access control lists, ACLs. Modern microservice architectures are forging a pathway here, where even "interprocess" communication needs, and has, ACL-like constructs. True ACL-like mechanisms are heavyweight and hard to configure... and add more pain to IT setup.

Can ACL-like setup, with per-port access tokens, be templatized and deployed automatically? Software-defined perimeter is an emerging standard with offerings from vendors such as Cryptzone. Others, like Illumio for VMs and containers, have a method that might transfer well from IT to OT.
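One way the "templatized" part can look, as an added example that is not code from the original post or from any vendor it names: a short declarative allow-list for the motor controller and press controller above, evaluated per connection and rendered into a default-drop packet-filter ruleset for each device. The addresses, the ports (502 for the process traffic, 22 for the setup interface), the single maintenance jump host and the nftables rendering are all assumptions for the illustration.

```python
"""A small declarative allow-list for an OT segment, rendered into packet-
filter rules per device. The motor controller and press controller talk
to each other directly on the LAN; their setup interface is reachable
only from one external maintenance host.

Added example; not code from the original post or from any vendor it
names. Addresses, ports and the nftables rendering are illustrative."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR allowed to initiate the connection
    dst: str            # CIDR of the device being protected
    port: int
    proto: str = "tcp"


MOTOR, PRESS, JUMP = "10.10.1.20", "10.10.1.21", "203.0.113.5"

# Constructed policy: anything not listed is dropped.
POLICY = (
    Rule(f"{MOTOR}/32", f"{PRESS}/32", 502),   # process traffic, LAN peers only
    Rule(f"{PRESS}/32", f"{MOTOR}/32", 502),
    Rule(f"{JUMP}/32", f"{MOTOR}/32", 22),     # setup interface, jump host only
    Rule(f"{JUMP}/32", f"{PRESS}/32", 22),
)


def is_allowed(policy, src, dst, port, proto="tcp"):
    """Evaluate the policy for one new connection src -> dst:port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(r.src)
               and d in ipaddress.ip_network(r.dst)
               and r.port == port and r.proto == proto
               for r in policy)


def render_nftables(policy, device_ip):
    """Rules for one device's own input chain: default drop, return traffic
    of established flows accepted, then only the listed sources and ports."""
    lines = [
        f"table inet ot_{device_ip.replace('.', '_')} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for r in policy:
        if ipaddress.ip_address(device_ip) in ipaddress.ip_network(r.dst):
            lines.append(
                f"    ip saddr {r.src} {r.proto} dport {r.port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def render_all(policy):
    """Template every device named as a destination: {device_ip: ruleset}."""
    devices = sorted({r.dst.split("/")[0] for r in policy})
    return {d: render_nftables(policy, d) for d in devices}


if __name__ == "__main__":
    print("motor -> press:502 allowed:", is_allowed(POLICY, MOTOR, PRESS, 502))
    print("jump  -> press:502 allowed:", is_allowed(POLICY, JUMP, PRESS, 502))
    for device, ruleset in render_all(POLICY).items():
        print(f"--- {device} ---\n{ruleset}")
```

The same policy document drives both the enforcement point (the rendered ruleset) and the check an operator can run before deployment (is_allowed), so a change is reviewed once and pushed to every device it touches. Note what this does not give you: the jump host's identity is its address, so anything that can spoof or sit on 203.0.113.5 inherits its access; the access tokens mentioned above, or a software-defined perimeter, are what bind the port to a party rather than to an address.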

Three: 
Testing, tracking and logging. However well one develops edge, core, network and database strategies, they can be pried open by inquiring minds, or broken by accident or misuse. One needs testing (API testing such as Smartbear's, for development and production, that is, DevOps)... but even more, one needs continuous monitoring, so that one can learn each time something new arises, and something new will arise: someone will find a way around passwords and network access controls.

At minimum, on LAN and WAN, one should watch transactions with a tool such as Nagios; Wireshark tends not to run all the time, and MRTG is somewhat limited. Going further, there are tools for various kinds of tracking, such as those from Genians and PRTG. I will go further than tools and suggest consulting someone with experience of real-world deployments in the wild, large ones, and of monitoring them, as Cimetrics has with Analytika for automation systems.
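The kind of thing continuous monitoring should be looking for in the logs the edge devices emit, as an added example that is not code from the original post or from any monitoring product it names: one source failing against many devices in a short window (the probing that a per-device lockout on its own never sees, since each device counts only its own failures), and a success that follows failures from the same source on the same device (a guessed password, or an operator's typo; either way worth a look). The log line format, the device names and every line of the sample log are constructed for the illustration.

```python
"""Two detections run over edge-device authentication logs: a single
source failing against many devices in a short window, and a success
following failures from the same source on the same device.

Added example; not code from the original post or from any monitoring
product it names. The log format and every line of SAMPLE_LOG are
constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one host walking the segment with default names,
# one maintenance login, one operator who mistypes once.
SAMPLE_LOG = """\
2016-11-15T10:00:01 plc-motor-01 auth: FAIL user=admin src=10.10.1.77
2016-11-15T10:00:02 plc-press-01 auth: FAIL user=admin src=10.10.1.77
2016-11-15T10:00:03 hmi-line-02 auth: FAIL user=admin src=10.10.1.77
2016-11-15T10:00:04 plc-pump-03 auth: FAIL user=root src=10.10.1.77
2016-11-15T10:00:30 plc-motor-01 auth: OK user=svc-maint src=203.0.113.5
2016-11-15T10:05:00 plc-press-01 auth: FAIL user=operator src=10.10.1.42
2016-11-15T10:05:09 plc-press-01 auth: OK user=operator src=10.10.1.42
2016-11-15T10:40:00 hmi-line-02 auth: FAIL user=admin src=10.10.1.77
"""


def parse(text):
    """Return parsed events in timestamp order; lines that do not match
    the format are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def spray_sources(events, window=timedelta(minutes=1), min_devices=3):
    """Sources whose failures reach >= min_devices distinct devices within
    any window-long span: the cross-device view no single device has."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append((e["ts"], e["dev"]))
    flagged = set()
    for src, items in fails.items():           # items are already time-ordered
        for i, (t0, _) in enumerate(items):
            devs = {d for t, d in items[i:] if t - t0 <= window}
            if len(devs) >= min_devices:
                flagged.add(src)
                break
    return flagged


def success_after_failure(events, window=timedelta(minutes=10)):
    """(device, src) pairs where an OK follows a FAIL from the same source
    on the same device within window."""
    last_fail = {}
    hits = set()
    for e in events:
        key = (e["dev"], e["src"])
        if e["result"] == "FAIL":
            last_fail[key] = e["ts"]
        elif key in last_fail and e["ts"] - last_fail[key] <= window:
            hits.add(key)
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("sources spraying the segment:", spray_sources(evts))
    print("success after failure:", success_after_failure(evts))
```

Both detections only work if every device ships its auth events to one place with synchronized clocks; the 10:40 retry from the same host, an hour later, is what makes the earlier burst worth correlating over a longer horizon than the one-minute window used here.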





