Part one of this series provided a high-level overview of Threat Intelligence, the underlying data types common in the current security landscape and how these data are gathered, analyzed and consumed. As cyber security becomes a key focus for the IoT it may appear, on the surface, much of the existing threat intelligence and the techniques used to gather these data do not directly play a role in protecting IoT devices from malicious actors. Though there are gaps in some areas, specifically with malicious files for IoT devices and closed network threat analysis, much of the threat data can be applied to the IoT once communication with, and across, the Internet occurs.
Many consumer and industrial IoT devices do use custom protocols to communicate with one another in a closed environment which presents a challenge for existing systems to gather and collate data specific to these environments. Fortunately, by definition, devices in the IoT must communication through the Internet requiring proprietary or non-TCP/IP traffic to be converted to TCP/IP. It is at this conversion point existing threat intelligence can play a critical role in protecting IoT devices through the use of traditional malicious IP blocking and traffic management to and from malicious or off category URLs. Some specific cases for the use of these data that directly affect how IoT Gateways can be secured are:
Malicious IP Blocking: One of the most basic ways to protect IoT devices is to prevent known malicious IP addresses from communicating from the Internet to devices inside of a network. If an OT network contains devices that are directly manageable over the Internet and whitelisting is not a viable option due to dynamic addressing, then a very straightforward and extremely successful solution in IT ecosystems, is to block known malicious IP addresses.
URL Categorization and Reputation: Another common, and extremely effective, security measure that is used throughout the IT landscape in perimeter appliances is to limit what a device can communicate with. Through the use of policy and security management filters devices can, at the gateway, be denied the ability to communicate with malicious IP addresses and URLs, preventing the exfiltration of data to unknown or unauthorized entities.
The aforementioned use of IP addresses and URLs in IoT Gateways to help prevent threats from entering an ecosystem does have limitations in terms of detecting threats in closed environments. Today, threat intelligence providers have focused on identifying threats on the Internet at large due to the vast amounts of data available for analysis. Machine learning engines have been a boon for the cyber security industry in their ability to be finely tuned to detect and identify Internet-borne threats but they require vast amounts of data to accurately identify a threat and reduce false positive results. Closed ecosystems, even TCP/IP-based networks, do not have the volume of data the current state of machine learning requires to accurately and definitively detect threats unique to these environments. Building tools and applying new methodologies to these smaller datasets associated with closed ecosystems will be the challenge security architects must overcome as more and more devices make their way into the IoT.
Part three of this series will continue with the discussion around threat intelligence and how to apply it to IoT Gateways to protect OT ecosystems. It will give an overview of a basic gateway, the submodules required to extract necessary data from a data stream for analysis, how to analyze the resulting data and the process for applying policy to the overall environment. The hope will be to keep the discussion moving forward on how existing technology can help protect the IoT.