Introduction to the Industrial Internet of Things

The Internet of Things or "IoT" refers to the evolution of the Internet beyond connectivity and interaction among traditional user-operated devices such as PCs, tablets and phones into the realm of connectivity and interaction with non-user-operated devices such as sensors, monitors and remotely controllable devices. Internet-enabling such “unmanned” devices allows them to autonomously report events, updates and status changes, or to perform remote actions commanded by users or other devices via the Internet. The popularity of home assistants, security systems, video doorbells, thermostats, door locks, etc. evinces the continuing expansion of IoT devices within residences.

IoT also boasts exceptional growth prospects for all types of industries such as utilities, energy, manufacturing, pharmaceuticals, educational institutions, municipalities, and others. This enterprise realm of IoT is referred to as the industrial IoT, or IIoT, where sensors, monitors, and controllers can be deployed indoors or out, often in ruggedized form factors. IIoT applications range from those broadly applicable across vertical industries including remote surveillance and security monitoring systems to provide expanded “eyes and ears” on buildings, factory floors, remote assets, etc., to specialized forms such as programmable logic controllers (PLCs) or actuators that can enact operational controls such as adjusting flow controls for production lines or pipelines. Remotely accessible sensors or controls can increase the breadth and depth of an organization’s visibility and control to achieve organizational objectives including automation, cost savings, timeliness and improved customer satisfaction.

IIoT devices by definition require Internet Protocol accessibility. Note that some types of remote sensors or “things” do not use IP protocols natively but can interface with an IP network through a border translation router. Wired IIoT devices can generally use native IPv4 or IPv6 protocols, but certain wireless IIoT devices require optimization, particularly those deployed in remote areas, to enable them to conserve power (sleep often) and minimize bandwidth requirements (send small messages). The IETF has published several RFCs defining an IPv6 adaptation layer to facilitate Internet Protocol communications among IoT and non-IoT devices, termed IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN). The adaptation layer serves to optimize native IIoT device traffic on IEEE 802.15.4 (2.4 GHz), Bluetooth and low-power Wi-Fi networks, for example, so that it can interface with native IPv6 routers and application servers.

From a network topology perspective, IIoT devices could be treated as general IP hosts sprinkled across existing subnets, as is the case with most residential deployments. Alternatively, one could allocate one or more independent IP blocks to facilitate IIoT application-specific capacity, security and manageability practices. Such "air gapping" separation of IIoT devices from the enterprise network adheres to judicious network security practice and is in fact one of the core principles defined in the International Engineering Consortium IEC 62443 standard, entitled Industrial communication networks - IT security for networks and systems.

Maintaining separation of the enterprise network from the IIoT network, and even among differing zones within the IIoT network, enables malware, for example, to be isolated within a separated zone, assuming it is detected and quarantined before it can spread. The recent Colonial Pipeline ransomware attack actually infiltrated the organization's enterprise IT network systems, which were separate from its pipeline or operational technology (OT) networks. While full details about the attack are yet unpublished, the company's shutdown of the pipeline sought to contain any spread that may have crossed the IT-OT zones beforehand.

Separation of network zones with well-defined and guarded conduits between them is an effective means to contain a malware outbreak. Another core principle of the IEC 62443 standard is also a widely recommended security practice: defense in depth. A layered security approach that provides multiple opportunities to detect and defend against attacks from multiple perspectives increases the likelihood of success. While close inspection of network traffic traversing conduits or firewalls between security zones provides one layer of protection, others should be sought to improve detection and protection performance. For example, DNS is commonly used by IIoT devices to locate centralized reporting or data aggregation systems. Use of DNS enables network administrators to modify the IP address plan as needed without updating every IIoT device's configuration, as would be required with hard-coded IP addresses. A host domain name may remain static, but DNS enables an easy change to its corresponding destination IP address.
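The zone-and-conduit principle above can be audited mechanically: define which address ranges belong to which zone, list the conduits that are permitted to cross zone boundaries, and treat every other cross-zone flow as a finding. The following script is an added example for this post, not code from the page or from IEC 62443; the zone ranges, conduit list and flow records are constructed for illustration, and the flow dictionaries stand in for whatever a firewall log or NetFlow export would produce.

```python
"""Audit observed flows against a zone-and-conduit policy.

Added example; not code from the original post or from IEC 62443 itself.
Zone ranges, conduits and flow records below are constructed to illustrate
the principle: traffic may cross zones only through a defined conduit.
"""
import ipaddress
from typing import Dict, List, Optional

# Assumed zones (constructed): one IT block and two OT zones.
ZONES = {
    "IT": ipaddress.ip_network("10.20.0.0/16"),
    "OT-supervisory": ipaddress.ip_network("10.50.0.0/24"),
    "OT-cell-A": ipaddress.ip_network("10.50.3.0/24"),
}

# Conduits as (src_zone, dst_zone, protocol, dst_port). Any cross-zone flow
# not listed here is a policy violation (default deny between zones).
CONDUITS = {
    ("IT", "OT-supervisory", "tcp", 443),         # engineering access to the historian over HTTPS
    ("OT-supervisory", "OT-cell-A", "tcp", 502),  # SCADA polls the cell's PLCs over Modbus/TCP
    ("OT-cell-A", "OT-supervisory", "udp", 53),   # PLCs resolve names via the OT resolver
}

# Constructed flow records, shaped like a firewall or NetFlow export.
SAMPLE_FLOWS = [
    {"src": "10.20.1.5", "dst": "10.50.0.10", "proto": "tcp", "dport": 443},
    {"src": "10.50.0.10", "dst": "10.50.3.22", "proto": "tcp", "dport": 502},
    {"src": "10.20.1.5", "dst": "10.50.3.22", "proto": "tcp", "dport": 445},
    {"src": "10.50.3.21", "dst": "10.50.3.22", "proto": "tcp", "dport": 502},
    {"src": "10.50.3.22", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    {"src": "10.50.3.22", "dst": "10.50.0.53", "proto": "udp", "dport": 53},
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Dict) -> str:
    """Classify one flow: intra-zone, allowed-conduit, violation or unknown-zone."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone is None or dst_zone is None:
        return "unknown-zone"  # one end lies outside every defined zone (e.g. the Internet)
    if src_zone == dst_zone:
        return "intra-zone"
    if (src_zone, dst_zone, flow["proto"], flow["dport"]) in CONDUITS:
        return "allowed-conduit"
    return "violation"


def audit(flows: List[Dict]) -> List[Dict]:
    """Return only the flows that need attention, each tagged with its verdict."""
    findings = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict in ("violation", "unknown-zone"):
            findings.append({**flow, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['verdict']:13} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
```

On the sample data the audit reports two flows: the IT workstation reaching a PLC directly on TCP/445 (no conduit permits that pairing) and the PLC talking to an address outside every zone. Flows that stay inside a zone are ignored here; they belong to the intra-zone controls rather than to conduit policy.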

Given the prevalence and convenience of employing DNS to resolve domain names within the OT network or between IT/OT networks, close examination of DNS query and response data offers an opportunity to add a defense layer to detect the presence of malware. Malware typically uses DNS to locate a malware author's server on the Internet, enabling the perpetrator to provide instructions or code updates to successful infections. DNS offers the attacker the same benefit of easily changing his or her IP address over time to evade detection. Use of a DNS firewall in such an environment can add a layer to your defenses to improve the probability of attack detection and response.
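Because OT devices normally resolve only a small, predictable set of names, their DNS query logs are a good place to add the detection layer described above. The script below is an added example for this post, not code from the page or from any DNS or IPAM product. It parses BIND-style query-log lines, keeps only lookups originating in an assumed OT address block, and flags three things: names outside an assumed allowlist, oversized or high-entropy labels of the kind DNS tunneling and domain-generation algorithms produce, and record types an OT device has no business requesting. The log lines, the OT range and the allowlist are all constructed.

```python
"""Flag suspicious DNS lookups originating from an OT zone in BIND query logs.

Added example; not code from the original post or any IPAM product. The OT
address block, the allowlist and the log lines are constructed.
"""
import ipaddress
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumed OT address block (constructed).
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")

# Assumed names OT devices legitimately resolve (constructed). Anything else an
# OT device looks up deserves a closer look.
OT_ALLOWED_SUFFIXES = ("ot.example.internal.", "ntp.example.internal.")

# Matches both the BIND 9.8-style "client IP#port: query: ..." line and the
# newer "client @0x... IP#port (name): query: ..." form.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample query-log lines (not real traffic).
SAMPLE_LOG = [
    "12-May-2021 10:15:02.123 client @0x7f3a8c01 10.50.3.21#49152 "
    "(collector.ot.example.internal): query: collector.ot.example.internal IN A + (10.50.0.53)",
    "12-May-2021 10:15:03.004 client 10.50.3.22#50110: query: "
    "update-check.vendor-cdn.example.net IN A + (10.50.0.53)",
    "12-May-2021 10:15:03.877 client 10.50.7.9#53211: query: "
    "z9q4m7x2k8c3v6b1n5p0r3t8y2u7i4o9w1e6s5d0f2a8.tunnel-demo.example.org IN TXT + (10.50.0.53)",
    "12-May-2021 10:15:04.310 client 10.20.1.5#61023: query: www.example.com IN A + (10.20.0.53)",
    "12-May-2021 10:15:05.000 general: info: managed-keys-zone: loaded serial 0",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_query(line: str) -> Optional[Dict]:
    """Extract client IP, normalised qname (lower-case, trailing dot) and qtype."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "qname": m["qname"].lower().rstrip(".") + ".",
        "qtype": m["qtype"].upper(),
    }


def assess(query: Dict) -> List[str]:
    """Return the reasons a query from an OT client looks suspicious (empty if none)."""
    reasons: List[str] = []
    if query["ip"] not in OT_ZONE:
        return reasons  # only OT-originated lookups are in scope here
    qname = query["qname"]
    if not qname.endswith(OT_ALLOWED_SUFFIXES):
        reasons.append("destination outside OT allowlist")
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) > 40:
        reasons.append(f"oversized label ({len(longest)} chars)")
    entropy = shannon_entropy(longest)
    if len(longest) >= 12 and entropy > 3.5:
        reasons.append(f"high-entropy label (H={entropy:.2f} bits/char)")
    if query["qtype"] in ("TXT", "NULL"):
        reasons.append(f"unusual record type {query['qtype']} for an OT device")
    return reasons


def analyze(lines: List[str]) -> List[Dict]:
    """Run every log line through the checks and collect the findings."""
    findings = []
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        reasons = assess(q)
        if reasons:
            findings.append({"client": str(q["ip"]), "qname": q["qname"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} {f['qname']}: {'; '.join(f['reasons'])}")
```

The thresholds (label length 40, entropy 3.5 bits per character over labels of at least 12 characters) are starting points, not tuned values; a real deployment would baseline them against the site's own query mix. The same findings can feed a DNS firewall policy, for instance by converting repeated allowlist misses from a single device into a block-and-alert rule rather than only a log entry.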

From an IP address management perspective, a centralized IPAM system can help you confidently deploy IIoT devices by providing the ability to manage IT and OT address spaces separately yet holistically, on premises or in the cloud. Discovery of device IP addresses in the terrestrial or cloud IT and OT networks enables tracking of device inventory, also a key tenet of network security: identifying network occupants, particularly those that shouldn't be. Managing DNS is another core IPAM function that enables the management of host domain name to IP address resolution, as well as key DNS security functions like DNS firewalls, DNS tunneling detection and DNSSEC. If you'd like to learn more about how IPAM can simplify your network management processes for IIoT, please contact us.
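Device inventory through address discovery, as described above, comes down to reconciling what a sweep actually finds on the IT and OT address spaces against what the IPAM records say should be there. The script below is an added example for this post, not code from the page or from any IPAM product. It models IPAM records and a discovery result as simple Python data (all constructed) and reports the four conditions a practitioner cares about: occupants nobody registered, registered addresses that were not seen, addresses answering with different hardware than recorded, and records whose claimed zone does not match the address block they sit in.

```python
"""Reconcile a discovery sweep against IPAM records for IT and OT address spaces.

Added example; not code from the original post or from any IPAM product.
Zone ranges, IPAM records and discovered hosts below are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed address spaces (constructed): separate blocks for IT and OT.
ZONES = {
    "IT": ipaddress.ip_network("10.20.0.0/16"),
    "OT": ipaddress.ip_network("10.50.0.0/16"),
}


@dataclass(frozen=True)
class IpamRecord:
    ip: str
    hostname: str
    mac: str
    zone: str  # zone the record claims the device belongs to


# Constructed IPAM records.
IPAM_RECORDS = [
    IpamRecord("10.50.3.21", "sensor-hub-1", "aa:bb:cc:00:00:01", "OT"),
    IpamRecord("10.50.3.22", "plc-line-a", "aa:bb:cc:00:00:02", "OT"),
    IpamRecord("10.50.3.30", "plc-line-b", "aa:bb:cc:00:00:03", "OT"),
    IpamRecord("10.20.1.5", "ws-eng-05", "aa:bb:cc:00:10:05", "IT"),
    IpamRecord("10.20.9.77", "old-hmi", "aa:bb:cc:00:00:09", "OT"),  # recorded as OT, addressed in IT
]

# Constructed discovery results (ip, mac), as an ARP sweep or switch table export would yield.
DISCOVERED: List[Tuple[str, str]] = [
    ("10.50.3.21", "aa:bb:cc:00:00:01"),
    ("10.50.3.22", "AA:BB:CC:00:00:FF"),  # different hardware than registered
    ("10.50.8.200", "de:ad:be:ef:00:01"),  # nobody registered this address
    ("10.20.1.5", "aa:bb:cc:00:10:05"),
    ("10.20.9.77", "aa:bb:cc:00:00:09"),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone whose block contains ip, or None if it is in neither."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def reconcile(records: List[IpamRecord], discovered: List[Tuple[str, str]]) -> Dict[str, List]:
    """Compare discovery against IPAM and report every discrepancy by category."""
    by_ip = {r.ip: r for r in records}
    seen = {ip for ip, _ in discovered}
    report: Dict[str, List] = {"unregistered": [], "mac_mismatch": [], "stale": [], "zone_mismatch": []}

    for ip, mac in discovered:
        rec = by_ip.get(ip)
        if rec is None:
            # An occupant with no record: the case the post calls out as "those that shouldn't be".
            report["unregistered"].append({"ip": ip, "mac": mac.lower(), "zone": zone_of(ip)})
        elif rec.mac.lower() != mac.lower():
            report["mac_mismatch"].append({
                "ip": ip, "hostname": rec.hostname,
                "registered": rec.mac.lower(), "observed": mac.lower(),
            })

    for rec in records:
        if rec.ip not in seen:
            report["stale"].append(rec.ip)  # registered but silent: decommissioned, or a sensor asleep
        actual = zone_of(rec.ip)
        if actual != rec.zone:
            report["zone_mismatch"].append({
                "ip": rec.ip, "hostname": rec.hostname, "recorded": rec.zone, "actual": actual,
            })
    return report


if __name__ == "__main__":
    for category, items in reconcile(IPAM_RECORDS, DISCOVERED).items():
        print(f"{category}: {items}")
```

A stale OT record is not automatically a problem, since low-power sensors sleep for long stretches and may simply miss a sweep; the useful signal is a record that stays stale across several sweeps. An unregistered host inside the OT block, by contrast, warrants immediate attention, which is why the report carries the zone with each unregistered entry.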
