The Internet of Things (IoT) will have billions and billions of things, but we’ll leave the prognostications about the exact number of devices to the pundits. My fellow systems engineers and I are in the IoT trenches, working with customers to architect and build the networks that let building automation systems make workplaces more comfortable and environmentally friendly, that let a concrete manufacturer increase process efficiency, and that predict when long-haul trucks need maintenance.
Based on our work in the field, I wanted to share some observations about building secure networks to support enterprise and industrial IoT deployments.
Build the Right Networks for the Job
All IoT networks are not created equal. A network designed for an enterprise IoT deployment is different from one designed for an industrial IoT deployment.
An enterprise IoT deployment is typically going to make use of the existing campus network as its means of connectivity. It will, therefore, use conventional wired or wireless access. Some of these enterprise IoT “Things” will be sophisticated and run mature operating systems, whilst others will be “headless,” with little if any management or security. Engineering the campus network to securely accommodate these new device categories presents some serious challenges for the network architect. Not only is there the issue of scale (many more devices on the network), there is also the issue of security, particularly for “Things” that connect over the wired network (PoE powers smart lighting, building sensors and video cameras, for example).
IoT deployments in industries like energy, manufacturing, and utilities may have tens of thousands of sensors deployed on offshore oil rigs, electric distribution lines, or the energy meters of buildings and homes in a city. Much of the communication is machine-to-machine, with minimal human interaction. The connections for the process controllers, robots and other smart devices are typically wired, though not necessarily Ethernet: many are analog data feeds. Other sensors may use wireless communications (again, probably not Wi-Fi but a low-power, low-bandwidth protocol like LoRa) to feed the sampled data upstream. The data that originates in the field more than likely requires local processing, or processing at the edge.
Because of the massive scale, the network architecture for industrial IoT deployments typically includes IoT edge compute gateways. Instead of sending all that data to the cloud for analysis, an IoT edge compute gateway like the Hewlett Packard Enterprise Edgeline Converged Edge System can process the data at the remote site so that actions can be taken faster and control over the “Things” is more immediate. Edge processing also helps to normalize the data and convert it from analog to digital where necessary.
Building Wireless LANs for IoT
In the enterprise, many IoT devices connect wirelessly. The risk is that if an IoT device is compromised, an attacker could wreak havoc on the IoT network and use the IoT devices as a launch pad for a coordinated attack, whether aimed at external systems or targeted at the corporate network. A key design consideration for Wi-Fi used by things is therefore to provide strong isolation between the corporate WLAN and the things WLAN.
The MultiZone feature in ArubaOS 8 allows organizations to have multiple, separate secure wireless networks using the same access point (AP). Instead of building two physically separate wireless networks in one location, MultiZone allows one AP to terminate two different SSIDs on two different mobility controllers. Because the two SSIDs never share a controller or a policy domain, an attacker who compromises a device on one network cannot use the AP as a bridge into the other. With MultiZone, the data is encrypted from the client to the controller, safe from prying eyes. The networks are completely separate and secure even though the traffic runs through the same AP, so organizations can apply different policies for data privacy, security and traffic separation to the corporate and IoT networks. I visited a potential customer recently who had an SSID called “Things.” It’s pretty obvious what this was going to be used for, but they certainly did not have MultiZone.
Building Wired Networks for IoT
Wired security has often been overlooked when considering overall network edge security, but we are seeing the emergence of “Things” using PoE as a very effective way to power themselves and connect to the network at the same time. In some ways, PoE is the perfect use case for many things such as video cameras, smart lighting and HVAC sensors, as there is no need to run separate power and data feeds to the many additional locations where things connect. As a result, network architects now have to take wired security very seriously. One option would be to provide a completely separate wired network with its own switches just for things, but there are better and more cost-effective approaches.
Aruba switches support a feature called Tunneled Node. Using Tunneled Node, I am able to select a number of ports on a switch and forward their traffic over an IPsec tunnel to a mobility controller. Think of it like a wired access point. I can apply the same policy enforcement, role-based access and stateful firewall inspection to wired things that I have been applying to wireless traffic for more than 10 years. Tunneled Node is a very effective way to provide the isolation and security needed for wired things whilst using a common access infrastructure. Tunneled Node is available in the ArubaOS-Switch 16.02 release.
Securing IoT Devices
From surveillance cameras under the control of the Mirai botnet to smart TVs that may spy on you to insulin pumps that are vulnerable to hacking, there’s no shortage of scary stories when it comes to IoT devices.
Securing your IoT network begins with understanding what’s on the network. With Aruba ClearPass Universal Profiler, you can identify all of the devices connected to the wired and wireless network. It gives you visibility of all device types and allows you to build much more stringent access control policies for the headless IoT devices, the ones that cannot authenticate via 802.1X. Here ClearPass OnConnect is used to write authorization policies that grant each profiled IoT device only the access its device type needs, keeping it in check.
You can segment traffic and enforce access controls, but how do you detect a threat from a legitimately authorized device, conventional or IoT? With IBM’s Cyber Security Intelligence Index showing that 60 percent of cyber attacks come from inside the network, it’s a scenario that must be taken into consideration when building a holistic IoT security architecture.
That’s why Aruba recently acquired Niara. It provides the next level of threat detection by applying machine learning to data from multiple sources to search for anomalous behavior of devices such as things, or even users. For example, a video camera should always be sending video streams to known destinations. What if all of a sudden it starts to send out excessive DNS requests? DNS requests on their own are a legitimate form of traffic, but measured against the camera’s historical behavior this would be considered an anomaly.
When Niara is used in conjunction with ClearPass, individual incidents that reach a certain risk score can trigger predefined ClearPass policies to automatically quarantine or block network access, giving the security operations team more headroom to investigate.
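To make the profiling-plus-policy idea concrete, here is an added example (my own illustration, not ClearPass code) of how a profiler can classify a headless device that cannot do 802.1X and hand it a restricted role. It keys on two things the device reveals passively, its MAC OUI and its DHCP option-55 parameter request list, and requires the two to agree before trusting the classification. The OUI table, DHCP fingerprints, role policy and sample endpoints are all constructed for the example; the OUIs are not real vendor assignments.

```python
"""Profile headless IoT endpoints and derive a role for them.

Added illustration, not ClearPass code. For devices that cannot do 802.1X the
profiler has to rely on what the device reveals passively: its MAC OUI and the
DHCP option-55 parameter request list (the ordered option list a client asks
for, which is stable per firmware image). Both lookup tables, the role policy
and the sample endpoints are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed OUI -> device class table (not real vendor assignments).
OUI_CLASS = {
    "00:1a:2b": "ip-camera",
    "00:3c:4d": "smart-light",
    "00:5e:6f": "hvac-sensor",
}

# Constructed DHCP option-55 fingerprints -> device class.
DHCP_CLASS = {
    (1, 3, 6, 15, 42): "ip-camera",
    (1, 3, 6): "smart-light",
    (1, 3, 6, 12, 15): "hvac-sensor",
}

# Role policy: the only (destination network, port) pairs a class may reach.
# A camera talks RTSP/HTTPS to the recorder subnet; a light only to the MQTT
# broker; an HVAC sensor only to the BACnet head end.
ROLE_POLICY = {
    "ip-camera":   {"role": "camera",   "allow": [("10.10.5.0/24", 554), ("10.10.5.0/24", 443)]},
    "smart-light": {"role": "lighting", "allow": [("10.10.6.10/32", 8883)]},
    "hvac-sensor": {"role": "hvac",     "allow": [("10.10.7.20/32", 47808)]},
}
QUARANTINE = {"role": "quarantine", "allow": []}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    dhcp_options: tuple  # option-55 parameter request list as seen on the wire


def profile(ep):
    """Return the device class, or None when evidence is missing or disagrees.

    Requiring the OUI and the DHCP fingerprint to agree means a client that
    spoofs a camera's MAC but asks for a laptop's DHCP options is not handed
    the camera role.
    """
    by_oui = OUI_CLASS.get(ep.mac.lower()[:8])
    by_dhcp = DHCP_CLASS.get(tuple(ep.dhcp_options))
    if by_oui is None or by_dhcp is None or by_oui != by_dhcp:
        return None
    return by_oui


def assign_role(ep):
    """Map the profiled class to its role; unknown devices land in quarantine."""
    cls = profile(ep)
    return ROLE_POLICY[cls] if cls else QUARANTINE


def permitted(policy, dst_ip, dst_port):
    """Is a flow from a device holding this role inside its allow list?"""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) and port == dst_port
               for net, port in policy["allow"])


if __name__ == "__main__":
    cam = Endpoint("00:1A:2B:11:22:33", (1, 3, 6, 15, 42))
    spoof = Endpoint("00:1a:2b:aa:bb:cc", (1, 3, 6, 12, 15, 28, 51))
    for ep in (cam, spoof):
        pol = assign_role(ep)
        print(ep.mac, "->", pol["role"],
              "recorder:", permitted(pol, "10.10.5.100", 554),
              "internet DNS:", permitted(pol, "8.8.8.8", 53))
```

The point of the agreement check is that MAC-based authentication alone is trivially spoofable; tying the role to a second, independent signal raises the bar, and anything that does not match cleanly gets a quarantine role with an empty allow list rather than a best guess.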
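The camera scenario above, and the risk-score-to-quarantine step that follows it, can be shown end to end in a small example. This is my own added illustration of the technique, not Niara or ClearPass code: it builds a per-service baseline from a few days of constructed flow records for one camera, flags a day on which the camera talks to a destination it has never used or sends a volume far outside its history, sums the findings into a risk score and turns that into a quarantine decision. The flow records, the scores per finding and the quarantine threshold are all constructed for the example.

```python
"""Baseline one device's traffic and flag behaviour that departs from it.

Added illustration of behavioural anomaly detection for a 'thing', not Niara
or ClearPass code. Flow records are constructed for the example and have the
shape (day, src, dst, dst_port, proto, packets).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows for one camera over five days. Days 1-4 are its normal
# pattern: a steady RTSP stream to the recorder plus a handful of DNS lookups.
# On day 5 it suddenly issues thousands of DNS queries, some to an external
# resolver it has never used before.
FLOWS = [
    (1, "10.10.5.7", "10.10.5.100", 554, "tcp", 90000),
    (1, "10.10.5.7", "10.10.1.53",   53, "udp",     4),
    (2, "10.10.5.7", "10.10.5.100", 554, "tcp", 91000),
    (2, "10.10.5.7", "10.10.1.53",   53, "udp",     6),
    (3, "10.10.5.7", "10.10.5.100", 554, "tcp", 90500),
    (3, "10.10.5.7", "10.10.1.53",   53, "udp",     5),
    (4, "10.10.5.7", "10.10.5.100", 554, "tcp", 90500),
    (4, "10.10.5.7", "10.10.1.53",   53, "udp",     5),
    (5, "10.10.5.7", "10.10.5.100", 554, "tcp", 89500),
    (5, "10.10.5.7", "10.10.1.53",   53, "udp",  2500),
    (5, "10.10.5.7", "198.51.100.9", 53, "udp",   800),
]

# Constructed scoring: a never-seen service weighs more than a volume spike on
# a known one; the threshold is where the policy engine would quarantine.
SCORE_NEW_SERVICE = 40
SCORE_VOLUME = 30
QUARANTINE_AT = 50


def daily_counts(flows, src):
    """{day: {(dst, port, proto): packets}} for one source address."""
    out = defaultdict(lambda: defaultdict(int))
    for day, s, dst, port, proto, pkts in flows:
        if s == src:
            out[day][(dst, port, proto)] += pkts
    return out


def build_baseline(counts, days):
    """Mean and population stddev of daily packets per service over the
    baseline days. A service absent on a baseline day counts as 0 that day."""
    services = set()
    for d in days:
        services.update(counts.get(d, {}).keys())
    return {svc: (mean(xs), pstdev(xs))
            for svc in services
            for xs in [[counts.get(d, {}).get(svc, 0) for d in days]]}


def score_day(flows, src, day, baseline_days, z_threshold=3.0):
    """Findings for one day as (kind, service, score) tuples."""
    counts = daily_counts(flows, src)
    base = build_baseline(counts, baseline_days)
    today = counts.get(day, {})
    findings = []
    # A destination/port/protocol the device has never used is suspicious on
    # its own, regardless of volume (DNS to an outside resolver, here).
    for svc in today:
        if svc not in base:
            findings.append(("new_service", svc, SCORE_NEW_SERVICE))
    # Known services are judged by z-score against their history. The stddev
    # is floored at 1 packet so a perfectly flat baseline cannot divide by
    # zero; a service that vanishes is scored as 0 packets.
    for svc, (mu, sigma) in base.items():
        z = (today.get(svc, 0) - mu) / max(sigma, 1.0)
        if abs(z) > z_threshold:
            findings.append(("volume", svc, SCORE_VOLUME))
    return findings


def risk_score(findings):
    return sum(score for _, _, score in findings)


def decision(score):
    """What the policy engine would do with the accumulated risk score."""
    return "quarantine" if score >= QUARANTINE_AT else "allow"


if __name__ == "__main__":
    for day, base_days in ((4, [1, 2, 3]), (5, [1, 2, 3, 4])):
        f = score_day(FLOWS, "10.10.5.7", day, base_days)
        print(f"day {day}: {f} -> score {risk_score(f)} -> {decision(risk_score(f))}")
```

On day 5 the internal DNS volume is hundreds of standard deviations above its baseline and the external resolver is a new service, so the two findings add up past the threshold and the camera is quarantined; the small drop in RTSP volume on the same day stays inside three standard deviations and is not reported, which is the kind of noise a per-device baseline is meant to absorb.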
If you’re building a network to support the enterprise or industrial IoT, you can count on Aruba’s unique solutions for a flexible, powerful and secure foundation.