By Simon Bryden, Consulting System Engineer at Fortinet
In the data center, servers, storage and, more recently, networks are highly automated, and the processes are “industrialized”. However, in the case of IT security, point solutions and manual work still seem to prevail. In this article, we will take a look at the important first steps towards an industrialization of IT security as well as consider whether or not we need a legal regulation of minimum security requirements for IoT equipment (and thus for IIoT equipment).
Since the first network firewall devices started to appear on the market, the volume, variety and sophistication of threats have increased at an alarming rate. This has led to a growing number of security prevention devices being installed to protect against a wide range of attacks arriving through different channels such as email, web and social media. In parallel, users of the technology are demanding more ease of access, bringing new challenges, as Wi-Fi becomes the de facto means of network access, and as more and more devices are networked and connected to corporate networks, often with poor security.
This environment has often led to patchwork security solutions consisting of niche devices, each focused on one part of the problem, but the overhead of managing and maintaining such solutions can have an adverse effect. In addition, individual devices may not have the overall visibility needed to detect and block a complex attack.
In this complex and hostile environment, it is increasingly important to employ complete, holistic security solutions in which components work together, exchanging information, correlating events and taking the appropriate action to detect, protect and, most importantly, inform the security operators of any issues. Visibility is key, and the solution must be capable of displaying data in a way that conveys the pertinent information without operators being overwhelmed by log messages or false-positive indications.
With the Internet of Things and Industry 4.0, more and more networked devices with incredibly poor IT security are being brought onto the market. There are increasing calls to put regulations in place to protect the IoT (and Industrial IoT), but this needs to be considered carefully. Government regulation has its place, and where it makes most sense is in environments where users may be unaware of the dangers posed by devices that have no apparent malicious capability. This is primarily the case in the consumer IoT market, where more and more powerful devices are available and have more and more potential to be used for non-legitimate purposes. Examples are home control systems, which may be compromised to provide information useful to burglars. Video cameras may be subverted to provide information about house contents and occupancy; connected door locks to provide access. And of course any of these devices can be used to participate in combined malicious attacks such as the massive IoT DDoS attacks which were seen last year.
As vendors battle to bring more features at a lower cost, it makes sense to introduce regulation to ensure that users can have some level of assurance that a product has a sufficient level of security so as not to present a danger in their homes. This in turn will provide the incentive, sadly lacking today, for vendors to include security in the inherent design of their products.
By contrast, when looking at more professional uses of IoT, especially industrial and critical infrastructure applications, care has to be taken to ensure that regulation does not impact innovation and competition. In those cases, it is vitally important that the personnel responsible for running those networks have the information, skills and tools required to ensure that equipment meets the security standards appropriate for the specific purpose and application.
These fundamental ideas are the basis for the Fortinet Security Fabric, which unifies products and technologies through a broad, integrated and automated approach.