FEATUREDApplication Development & Modernization
PETER WELCHER | Solutions Architect
This blog post is part of a series discussing Cisco IoT, with this post focusing on Cisco IoT security and use cases.
Prior blogs tersely mentioned some of the many Use Cases, but this blog will examine a few more closely to get a feeling for what’s different from non-IOT/industrial networking.
Why IOT? First, it is an expanding area of networking, with increasing use cases. Secondly, it is impacting current organizations, especially healthcare and retailing, but touching anything where new forms of sensor may provide valuable security or cost saving benefits, or enable new capabilities (better inventory, better products, etc.).
Blog Series
Part 1: Background and Overview of Cisco IOT
- Introduction
- Perspective: What Skills Are Needed? Who Are the IOT Customers?
- Industrial Edge Computing
- Link: Cisco IoT Overview: Part, Background
Part 2: Cisco IOT Hardware
- Industrial Routers
- Industrial Switches
- Industrial Wireless
- Link: Cisco IoT Overview: Part 2, IoT Hardware
Part 3: Other IOT Essentials (THIS BLOG)
- Industrial Security
- Industry Use Cases
Part 4: Finishing IOT Touches
- Meraki IOT
- IOT Skillsets
- More IOT Links
Part 5: The IOT Competition
- Juniper
- Aruba
- Arista
Industrial Security
Industrial and IOT Security must be good. You cannot assume devices are in locked closets or enclosures. Heavy machinery getting hacked and out of control is everyone’s nightmare, and good for scary scenes in movies!
I like seeing Cisco documentation: Cisco documents the journey to “better Industrial Security”.
Here are some starting points: https://www.cisco.com/c/en/us/products/collateral/security/industrial-security-cvd-so.html
The first key security-related task is visibility into the OT (Operational Technology) assets and activities – know what you’ve got, how it connects. That’s come up as a selling point (and capability) for some ZTNA products like Elisity as well. It also is crucial input for your IOT security design!
The next task is segmenting IOT separately, which is desirable from a security perspective. Consider it not only for protecting enterprise assets from the industrial side, but vice versa!
My take: a quick first cut might be to put all IOT into one segment,then refine by isolating by security trust level (small vendor, large vendor, or some other “hack resistance” metric). Eventually you might even segment by vendor or product suite to try to limit the scope of any successful hacks. In some ways, that last approach might be simpler. If you have the energy left to do it!
In any case, deciding on your segmenting security design depends on knowing what’s on the network. In the case of IOT, that might be quite a few things that nobody told you about!
One capability Cisco has added is Cisco Secure Equipment Access (SEA). I understand it as ZTNA remote user identity-based secured access to IOT devices. The access is via a SEA gateway agent running onsite in the IOT routers and switches.
Features:
- Identities, roles, security posture checks
- IOT/OT resource isolation
- Browser-based access using RDP, VNC, SSH, telnet, or HTTP(S)
- With audit trails
Basic SEA provides browser-based remote access.
SEA Plus adds more flexibility:
- Native asset client on desktop for IP-connected assets
- Remote access via VPN-like controlled comms channel
- Support for an IP-based app, along with its native capabilities such as file transfer (think log files), for troubleshooting and firmware updates.
Cisco also has the IOT Operations Dashboard. It can secure remote equipment access, collect/process/control transfer of data, and serve as edge device manager (deployment and monitoring of IOT routers).
The IOT Operations Dashboard includes Industrial Asset Vision for LoRaWAN sensors.
New Cisco capabilities: CyberVision (IOT/OT asset visibility and security posture), and Wireless Backhaul Support: deploying and monitoring wireless backhaul devices in Cisco URWB (Ultra-Reliable Wireless Backhaul) mode (see the previous Wireless section).
CyberVision lets the network “act as a sensor,” simplifying remote traffic monitoring, providing deep packet inspection, and saving having to build a packet replication SPAN/RSPAN solution (which scales poorly, adds cost).
- CyberVision allows grouping traffic flows as conduits to help build appropriate segmentation policies.
- It also provides Risk Scoring of endpoints and operations.
- These and related features support iterated posture improvements to secure the IOT networks.
- CyberVision also allows extending OT visibility to a CMDB such as ServiceNow, and a SIEM such as Splunk.
- Re visibility (etc.), via Cyber Vision: https://www.cisco.com/site/us/en/products/security/industrial-security/cyber-vision/index.html.
Cisco presented Security for Roadways as an example of their IOT Security offerings. I’ve put my summary description of that into the later Use Cases section.
Here’s the link to a Cisco Industrial Security Design Guide:
There’s also a Cisco firewall in industrial form factor: https://www.cisco.com/c/en/us/products/security/industrial-security-appliance-isa/index.html.
For additional industrial/IOT Security topics: https://blogs.cisco.com/tag/industrial-security.
Industry Use Cases
Part of the business opportunity in IOT is services to companies that have a specific market focus but are internally challenged supporting IOT. In many cases, it’s not their main focus. Their needs include cybersecurity, handling the complexity of IOT solutions, a lack of skilled staffor support for many remote locations or large numbers of sensors, etc.
Here are some of Cisco’s documented IOT use cases:
- Connected mass transit – Cisco Validated Design: https://www.cisco.com/c/en/us/solutions/industries/transportation/connected-mass-transit.html. Potentially monitor passenger levels, traffic levels/delays (e.g. buses), environmentals, locations, provide customer WiFi/Internet, etc. Vehicles, transit stops, maintenance yards, within one common architecture.
- Transportation in general: https://www.cisco.com/c/en/us/solutions/industries/transportation.html
- Secure Connected Roadways: https://www.cisco.com/c/en/us/solutions/internet-of-things/roadways-intersections.html
- Ports and Terminals: https://www.cisco.com/c/en/us/solutions/internet-of-things/ports-terminals.html
- Utilities: Electric, Water, Field Networking, Industrial Hybrid Work (mobile workers): https://www.cisco.com/c/en/us/solutions/internet-of-things/iot-digital-utilities.html
- In particular: Substation Automation:
- https://blogs.cisco.com/internet-of-things/deliver-next-generation-substation-automation-with-the-cisco-catalyst-ir8340-rugged-router
- https://www.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/Utilities/SA/3-1/SA-3-1-DG.pdf
- Manufacturing, Robotics, Factory Floor: https://www.cisco.com/c/en/us/solutions/industries/manufacturing.html
- Connected Mining: https://www.cisco.com/c/en/us/solutions/industries/materials-mining.html
- Connected Communities (especially where there is no fiber, or as fiber backup): https://www.cisco.com/c/en/us/solutions/industries/smart-connected-communities.html
- Smart agriculture (for some reason, agriculture is NOT on the previous IOT general industries page): https://launchpad.cisco.com/c/dam/r/launchpad/cisco-satsure-collaboration-whitepaper.pdf
- Other IOT use cases: https://www.cisco.com/c/en/us/solutions/industries.html
- See also this blog: https://blogs.cisco.com/innovation/iot-for-good-how-the-internet-of-things-is-transforming-our-world-for-the-better
- Interesting blog re use of sensors for digital twin of a physical bridge: https://blogs.cisco.com/internet-of-things/leveraging-a-digital-twin-with-machine-learning-to-revitalize-bridges
That’s probably more than enough links. I included them to show the breadth of the use cases!
Secure Roadways Use Case
Here is a summary of the Secure Roadways Use Case … my summary/paraphrasing of Cisco’s description .
The need: Cities, departments of transportation, and highway agencies are looking ahead. Coming needs: connected vehicles and vehicle to everything communication, mobility as a service across transport modes, electrification/sustainability at scale.
The opportunity: The US, EU, and Australia apparently all have large grant funds for roadway/infrastructure improvement. Think remote alerting to equipment problems, remote troubleshooting, time/staff savings and better traffic flows.
Cisco sees this as stages: unconnected infrastructure, basic connectivity, flexible and secure connectivity, and ultimately fully connected intent-based networking. Current challenges: safety, traffic congestion, wasted fuel, emissions. One driving factor: regulation, e.g. TSA (US) and NIS (EU).
Secure Connected Roadways might provide the following: visibility, zero trust, and secure remote access. All key as the scale of roadway devices increases and become more critical, and funding for staffing remains tight. Cisco notes that typical visibility/detection solutions require mirroring network traffic to dedicated appliances, which is complex. Whereas, as already noted, Cisco Industrial routers and switches can provide active discovery and deep packet inspection, tied to Cisco’s Cyber Vision Center.
Conclusion
IOT Security entails performing segmentation and other activities we do in non-IOT networks. It also includes specific Cisco tools
One unique aspect is that IOT sensor and other IOT device vendors may not be as familiar with network security, as they historically worked with isolated environments. So, segmentation and isolation may well be part of the necessary security steps.
The prior paragraphs listed many categories of Use Cases. I think that pretty much speaks for itself! Reading my crystal ball, there may be a LOT more IOT in the world going forward!
