
PETER WELCHER | Solutions Architect 


This blog post is part of a series discussing Cisco IoT, with this post focusing on Cisco IoT security and use cases.  

Prior blogs tersely mentioned some of the many Use Cases, but this blog will examine a few more closely to get a feeling for what’s different from non-IOT/industrial networking.  

Why IOT? First, it is an expanding area of networking, with increasing use cases. Second, it is impacting current organizations, especially healthcare and retailing, but touching anything where new forms of sensors may provide valuable security or cost-saving benefits, or enable new capabilities (better inventory, better products, etc.).  

Blog Series

Part 1: Background and Overview of Cisco IOT 

Part 2: Cisco IOT Hardware 

Part 3: Other IOT Essentials (THIS BLOG) 

  • Industrial Security 
  • Industry Use Cases 

Part 4: Finishing IOT Touches 

  • Meraki IOT 
  • IOT Skillsets 
  • More IOT Links 

Part 5: The IOT Competition 

  • Juniper 
  • Aruba 
  • Arista 

Industrial Security 

Industrial and IOT Security must be good. You cannot assume devices are in locked closets or enclosures. Heavy machinery getting hacked and out of control is everyone’s nightmare, and good for scary scenes in movies! 

I like seeing Cisco documentation: Cisco documents the journey to “better Industrial Security”.  

Here are some starting points: https://www.cisco.com/c/en/us/products/collateral/security/industrial-security-cvd-so.html 

The first key security-related task is visibility into the OT (Operational Technology) assets and activities – know what you’ve got, how it connects. That’s come up as a selling point (and capability) for some ZTNA products like Elisity as well. It also is crucial input for your IOT security design! 

The next task is segmenting IOT separately, which is desirable from a security perspective. Consider it not only for protecting enterprise assets from the industrial side, but vice versa!  

My take: a quick first cut might be to put all IOT into one segment, then refine by isolating by security trust level (small vendor, large vendor, or some other “hack resistance” metric). Eventually you might even segment by vendor or product suite to try to limit the scope of any successful hacks. In some ways, that last approach might be simpler, if you have the energy left to do it! 

In any case, deciding on your segmenting security design depends on knowing what’s on the network. In the case of IOT, that might be quite a few things that nobody told you about! 

One capability Cisco has added is Cisco Secure Equipment Access (SEA). I understand it as ZTNA-style, identity-based secured remote access for users to IOT devices. The access is via a SEA gateway agent running onsite in the IOT routers and switches.  

Features: 

  • Identities, roles, security posture checks 
  • IOT/OT resource isolation 
  • Browser-based access using RDP, VNC, SSH, telnet, or HTTP(S) 
  • With audit trails 

Basic SEA provides browser-based remote access.  

SEA Plus adds more flexibility:  

  • Native asset client on desktop for IP-connected assets 
  • Remote access via VPN-like controlled comms channel 
  • Support for an IP-based app, along with its native capabilities such as file transfer (think log files), for troubleshooting and firmware updates.  

Cisco also has the IOT Operations Dashboard. It can secure remote equipment access, collect/process/control transfer of data, and serve as edge device manager (deployment and monitoring of IOT routers).  

The IOT Operations Dashboard includes Industrial Asset Vision for LoRaWAN sensors.  

New Cisco capabilities: CyberVision (IOT/OT asset visibility and security posture), and Wireless Backhaul Support: deploying and monitoring wireless backhaul devices in Cisco URWB (Ultra-Reliable Wireless Backhaul) mode (see the previous Wireless section).  

CyberVision lets the network “act as a sensor,” simplifying remote traffic monitoring, providing deep packet inspection, and avoiding the need to build a packet replication SPAN/RSPAN solution (which scales poorly and adds cost).  

  • CyberVision allows grouping traffic flows as conduits to help build appropriate segmentation policies.  
  • It also provides Risk Scoring of endpoints and operations.  
  • These and related features support iterated posture improvements to secure the IOT networks.  
  • CyberVision also allows extending OT visibility to a CMDB such as ServiceNow, and a SIEM such as Splunk.  
  • For more on visibility and related features, see the Cyber Vision product page: https://www.cisco.com/site/us/en/products/security/industrial-security/cyber-vision/index.html. 
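To make the two ideas above concrete (a quick first-cut IOT segment that is then refined by vendor trust level, and grouping observed cross-zone flows into conduits to drive segmentation policy), here is a small added Python example. It is not Cisco's code and does not read CyberVision's actual export format: the asset inventory, vendor names, trust ratings, flow records and baseline conduit policy are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample inventory, standing in for what OT asset discovery would
# report ("know what you've got"). Vendors and addresses are made up.
ASSETS = [
    {"ip": "10.10.1.10", "name": "plc-1",     "vendor": "BigAutomationCo", "kind": "ot"},
    {"ip": "10.10.1.11", "name": "hmi-1",     "vendor": "BigAutomationCo", "kind": "ot"},
    {"ip": "10.10.2.20", "name": "sensor-1",  "vendor": "TinySensorCo",    "kind": "ot"},
    {"ip": "10.10.2.21", "name": "sensor-2",  "vendor": "TinySensorCo",    "kind": "ot"},
    {"ip": "10.20.0.5",  "name": "historian", "vendor": "EnterpriseIT",    "kind": "enterprise"},
]

# Assumed "hack resistance" rating per vendor; in practice this is the
# organisation's own assessment, not something a tool hands you.
VENDOR_TRUST = {"BigAutomationCo": "high", "TinySensorCo": "low"}

# Constructed observed flows: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.10.1.11", "10.10.1.10", "tcp", 502),   # HMI polling the PLC (Modbus/TCP)
    ("10.10.2.20", "10.20.0.5",  "tcp", 8883),  # sensor publishing telemetry (MQTT over TLS)
    ("10.10.2.21", "10.10.1.10", "tcp", 502),   # a sensor talking Modbus to the PLC?
    ("10.20.0.5",  "10.10.1.10", "tcp", 502),   # historian collecting from the PLC
    ("10.10.2.20", "10.10.2.21", "tcp", 22),    # sensor-to-sensor SSH
]


def build_zones(assets, strategy):
    """Map each asset IP to a zone name.

    "single": the quick first cut, all IOT/OT in one zone.
    "trust":  refine by vendor trust level.
    "vendor": one zone per vendor / product suite.
    Enterprise assets always land in the "enterprise" zone.
    """
    zones = {}
    for a in assets:
        if a["kind"] == "enterprise":
            zones[a["ip"]] = "enterprise"
        elif strategy == "single":
            zones[a["ip"]] = "iot"
        elif strategy == "trust":
            # An unrated vendor defaults to low trust, never to high.
            zones[a["ip"]] = "iot-trust-" + VENDOR_TRUST.get(a["vendor"], "low")
        elif strategy == "vendor":
            zones[a["ip"]] = "iot-" + a["vendor"].lower()
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return zones


def derive_conduits(flows, zones):
    """Group cross-zone flows into conduits: (src_zone, dst_zone) -> {(proto, port)}.

    Flows that stay inside one zone are not conduits and are dropped here,
    which is exactly why a too-coarse zone design hides risky traffic.
    """
    conduits = defaultdict(set)
    for src, dst, proto, port in flows:
        src_zone = zones.get(src, "unknown")
        dst_zone = zones.get(dst, "unknown")
        if src_zone != dst_zone:
            conduits[(src_zone, dst_zone)].add((proto, port))
    return dict(conduits)


def review_conduits(conduits, allowed):
    """Return (src_zone, dst_zone, proto, port) tuples not covered by the policy."""
    flagged = []
    for (src_zone, dst_zone), services in sorted(conduits.items()):
        for proto, port in sorted(services):
            if (proto, port) not in allowed.get((src_zone, dst_zone), set()):
                flagged.append((src_zone, dst_zone, proto, port))
    return flagged


# Assumed baseline policy for the trust-refined design: low-trust sensors may
# publish telemetry to the enterprise historian, and the historian may poll PLCs.
ALLOWED_TRUST = {
    ("iot-trust-low", "enterprise"): {("tcp", 8883)},
    ("enterprise", "iot-trust-high"): {("tcp", 502)},
}

if __name__ == "__main__":
    for strategy in ("single", "trust"):
        conduits = derive_conduits(FLOWS, build_zones(ASSETS, strategy))
        print(f"--- strategy={strategy}")
        for (src_zone, dst_zone), services in sorted(conduits.items()):
            print(f"  {src_zone} -> {dst_zone}: {sorted(services)}")
    # With refined zones, the low-trust sensor issuing Modbus to the PLC
    # surfaces as a conduit the policy never granted.
    refined = derive_conduits(FLOWS, build_zones(ASSETS, "trust"))
    for item in review_conduits(refined, ALLOWED_TRUST):
        print("  REVIEW:", item)
```

Running it with the "single" strategy shows only two conduits (sensors to the historian, historian to the PLC); the sensor-to-PLC Modbus flow is intra-zone and invisible. Switching to "trust" makes that flow a low-trust to high-trust conduit that the baseline policy does not allow, which is the kind of finding that drives the next round of segmentation refinement.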

Cisco presented Security for Roadways as an example of their IOT Security offerings. I’ve put my summary description of that into the later Use Cases section.  

Here’s the link to a Cisco Industrial Security Design Guide: 

https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/IA_Security/IA_Security_DG/IA_Security_DG.html. 

There’s also a Cisco firewall in industrial form factor: https://www.cisco.com/c/en/us/products/security/industrial-security-appliance-isa/index.html. 

For additional industrial/IOT Security topics: https://blogs.cisco.com/tag/industrial-security. 

Industry Use Cases 

Part of the business opportunity in IOT is services to companies that have a specific market focus but are internally challenged supporting IOT. In many cases, it’s not their main focus. Their needs include cybersecurity, handling the complexity of IOT solutions, a lack of skilled staff, or support for many remote locations or large numbers of sensors, etc.  

Here are some of Cisco’s documented IOT use cases: 

That’s probably more than enough links. I included them to show the breadth of the use cases! 

Secure Roadways Use Case 

Here is a summary of the Secure Roadways Use Case, in my own paraphrasing of Cisco’s description.  

The need: Cities, departments of transportation, and highway agencies are looking ahead. Coming needs: connected vehicles and vehicle to everything communication, mobility as a service across transport modes, electrification/sustainability at scale.  

The opportunity: The US, EU, and Australia apparently all have large grant funds for roadway/infrastructure improvement. Think remote alerting to equipment problems, remote troubleshooting, time/staff savings and better traffic flows.  

Cisco sees this as stages: unconnected infrastructure, basic connectivity, flexible and secure connectivity, and ultimately fully connected intent-based networking. Current challenges: safety, traffic congestion, wasted fuel, emissions. One driving factor: regulation, e.g. TSA (US) and NIS (EU).  

Secure Connected Roadways might provide the following: visibility, zero trust, and secure remote access. All are key as the number of roadway devices increases, as those devices become more critical, and as funding for staffing remains tight. Cisco notes that typical visibility/detection solutions require mirroring network traffic to dedicated appliances, which is complex; whereas, as already noted, Cisco Industrial routers and switches can provide active discovery and deep packet inspection, tied to Cisco’s Cyber Vision Center.  

Conclusion 

IOT Security entails performing segmentation and other activities we do in non-IOT networks. It also includes specific Cisco tools.  

One unique aspect is that IOT sensor and other IOT device vendors may not be as familiar with network security, as they historically worked with isolated environments. So, segmentation and isolation may well be part of the necessary security steps.  

The prior paragraphs listed many categories of Use Cases. I think that pretty much speaks for itself! Reading my crystal ball, there may be a LOT more IOT in the world going forward! 
