The convergence of IT and OT requires new cybersecurity tools; deception technology is one of the most effective.
By Rick Peters, CISO for operational technology, North America, Fortinet
Security threats against industrial control systems (ICS) and supervisory control and data acquisition (SCADA) have increased with the convergence of operational technology (OT) and information technology (IT). OT plant operations leaders are increasingly tasked with evaluating cybersecurity solutions as OT networks become more and more challenging to protect. As mentioned in a prior Industry Today article, 9 out of 10 organizations responding to a recent Fortinet survey reported that they’d experienced at least one OT intrusion in the past year. Deception technology is emerging as a way to help combat some of these threats.
To grasp the potential severity of the situation, let’s look at some of the primary threats and challenges facing IoT (or IIoT) and OT systems:
A proactive security approach is essential to address these threats. Deception technology is one such approach: a method of uncovering bad actors and their tactics.
Using this technology, the IT/OT team deploys decoys (essentially, virtual fake assets) across the infrastructure, which then emulate IT devices and OT control systems. This decoy network tricks malicious actors, luring them away from critical assets and preventing them from doing actual harm to the target network. More importantly, since all of the organization’s legitimate devices and workflows recognize that these assets are decoys, only unauthorized users, devices and applications will trigger them. Likewise, organizational security teams recognize that these triggered alerts are valuable intelligence indicators as opposed to false positives.
Deception technology is particularly effective in mature network environments. For example, integrating deception strategies into SOC solutions allows IT/OT teams to use deception as a high-fidelity alert source. Since deception technology alerts are only tripped by unauthorized users, devices and applications, organizations can more effectively use them to establish automation centered on threat hunting and incident response.
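The alerting model described above, sketched as an added example (not code from the article or from any Fortinet product): any contact with a decoy raises an alert, and the alert lists the real assets the same source reached so responders know where to look next. The addresses, the flow-record format and the `triage` function are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed decoy inventory: address -> emulated role (hypothetical values).
DECOYS = {
    "10.20.0.50": "decoy PLC (Modbus/TCP)",
    "10.20.0.51": "decoy HMI",
}

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
ts,src,dst,dport
2024-01-01T10:00:00,10.20.0.10,10.20.0.20,502
2024-01-01T10:00:05,10.10.5.77,10.20.0.50,502
2024-01-01T10:00:09,10.10.5.77,10.20.0.20,502
2024-01-01T10:00:12,10.10.5.77,10.20.0.51,443
2024-01-01T10:01:00,10.20.0.11,10.20.0.20,502
"""

def triage(flow_csv, decoys=DECOYS):
    """Return one alert per source that contacted any decoy.

    No legitimate device or workflow is configured to use a decoy, so a
    single touch is enough to alert; there is no threshold or baseline
    to tune.
    """
    by_src = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        by_src[row["src"]].append(row)
    alerts = []
    for src, rows in sorted(by_src.items()):
        hits = [r for r in rows if r["dst"] in decoys]
        if not hits:
            continue  # source only talked to real assets: nothing to report
        real = {f'{r["dst"]}:{r["dport"]}' for r in rows if r["dst"] not in decoys}
        alerts.append({
            "source": src,
            "first_seen": min(r["ts"] for r in hits),
            "decoys_touched": sorted(
                {f'{r["dst"]}:{r["dport"]} {decoys[r["dst"]]}' for r in hits}),
            "real_assets_to_review": sorted(real),  # pivot for incident response
        })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

The output of `triage` is the kind of record a SOC pipeline could hand to automated containment or a threat-hunting queue.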
What’s more, the best deception technology not only protects against known threats but can also deceive, expose and eliminate advanced attacks, often in real time. Deception technology supports a more proactive security posture by deceiving, detecting and then defeating the attackers, allowing the enterprise to sustain safe operations.
Deception technology is gaining traction and support. MITRE, which provides a framework that organizations can use to test their current security controls against the tactics and techniques cyber adversaries use when attacking ICS systems, has endorsed this type of approach. In fact, the organization is working on its new Shield active defense knowledge base that specifically includes deception as a technique that can be used to defend against these tactics.
Cybercriminals, whether out for profit or trying to make a political statement, are always on the lookout for accessible targets. They recognize that the convergence of IT and OT typically exposes attack surface gaps they can use to accomplish their goals. Employing deception technology capitalizes on a cyber attacker’s desire to access a perceived high-value network target, delivering high-fidelity alerts that can be acted on immediately. With no false positives and real-time mitigation, deception technology should be included in any security stack.
About the Author
Rick Peters is the CISO for operational technology, North America for Fortinet, delivering cybersecurity defense solutions and insights for OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities.