Rise of the Machines: The Need for Dynamic Micro Network Segmentation
Blog by: Patrick Brog, Security Consultant
Most of the people that are about to read this blog, will know the movie series The Terminator and that part 3 is about the Rise of the Machines. I have to admit that I have seen each part of the series more then a few times as I do like SciFi movies and series. In the movie the military is building an artificial intelligence defense network for the reason that it will be much faster and more efficient in making defense decisions and take defensive actions then humans possible could. The problems arise when the military is losing its control over the artificial intelligence brain and it starts building its own logic and consequently bases decisions on this.
Skynet is the name of the system, the network and “spoiler” alert is growing beyond control of humans and eventually takes over the control. Leaving the military with a situation which is FUBAR as they say in the military.
During a customer meeting where we were talking about the security incident they experienced within their IoT network, I suddenly thought about Skynet. I don’t know why or how my brain made this connection, but when the thought popped-up it made sense.
Automate, automate, automate..
We are designing, deploying, using IoT/OT devices to gather information and automate the heck out of everything we can think off. Most of the times for a valid reason, being it business or production intelligence, optimizing usage of each available square meter of office space, lowering energy consumption, increasing efficiency of production lines, etc. etc. And in almost all cases, the design of these IoT/OT sensors doesn’t include security by design, doesn’t include ‘a statement of work’ for the code what it is and what it’s NOT allowed to do. A similar design flaw was made in the design of Skynet, it didn’t have a ‘statement of work’, it didn’t include a boundary of what it would never be allowed to do.
Now, I’m not stating that the IoT/OT devices will take over control of the world and start killing every single living human being. However, I do dare to state that if we just keep designing and deploying IoT/OT devices over and over again in the same way that we have been doing so far in most of the environments we will eventually get hit very hard in the face. As the question will then not be; will a large scale IoT/OT generated Internet/Network attack take down the Internet/Network, but the question will then be; WHEN will a large scale IoT/OT generated Internet/Network attack take down the Internet/Network? (or cause a data leak).
Want to know about OT/IoT security?
OT, ICS and office IT are increasingly sharing networks. But often, these devices aren’t designed with security in mind, and they don’t play nice with your processes.
So, what to do? Are we too late with taking adequate measures? Has Skynet taken over already and are we heading towards a shitstorm?
I personally don’t think this is the case. However, we can’t wait on the manufacturers of the IoT/OT devices to get their security designs in order, to include a clear ‘statement of work’ in the code of the IoT/OT devices which only allows them to do things for which they are designed.
Take matters into your own hands
So, we have to design the boundaries, lay the borders and limit the reach of the IoT/OT devices in the network design. But we have to do this smart, we need to base the solution on automated dynamic policies. Manual reconfiguration of switch ports, wireless SSID’s, doesn’t scale, Skynet will outpace us then from the start. We have to beat the IoT/OT devices in their own game, being automation!
In my opinion this requires the following steps/components:
Get full visibility on what is connected to your network, on a detailed level (generic Linux or Windows device doesn’t cover it);
Implement a policy based network access control solution (for wired, wireless and wan);
Design and implement dynamic micro network segmentation;
- Dynamic because the access is based on profiling and policies;
- Micro because network access, connectivity and reach are based on device/user/application;
- Network because the policies will be applied independent of the access media (LAN, WLAN of WAN);
- Segmentation because the policies will determine which VLAN, peer to peer communication allowed yes/no, local or central break-out and if needed enforcement by dynamic ACL’s;
This is not science fiction, the required technology exists, in fact it’s proven technology by now. So please don’t take the approach, “it will not happen to me”. If it’s not for yourself, then do it for me and the other people who enjoy surfing the internet, don’t let Skynet surprise you and win.
Want to know more about dynamic micro network segmentation?
In a next blog my colleague Willem Bargeman will provide a more in-depth technical description of dynamic micro network segmentation. In the meantime, if you would like to know more, contact me at [email protected] or on Twitter at @pbrog_nl.