Purdue Model for ICS Security
Industrial IoT architectures are usually structured based on the Purdue model for industrial control system (ICS) networks. This breaks the network into six layers — ranging from physical sensors to the corporate IT network — each with a defined purpose. Consumer IoT solutions, on the other hand, typically are more geographically distributed and operate under a four-tier architecture model. This includes the sensor, network, data pre-processing, and cloud analysis layers.
The design of a corporate IoT security architecture depends on the IoT architecture in place. The Purdue model used in industrial applications — with its more segmented and structured design — provides more opportunities for implementing security functionality than the consumer IoT model.
How Can It Help Secure the Network?
IoT devices can be secured using a couple of different tools. The two types of IoT security include:
- Network Security: IoT network security solutions are designed to enable users to protect their IoT devices. They inspect network traffic and can filter traffic that contains potential malicious content or violations of corporate security policies.
- Embedded Security: Embedded on-device IoT security solutions help to close the security gaps that are common with IoT devices. Insecure components, unmanaged devices, and insecure development practices can all create vulnerabilities that embedded IoT security solutions can mitigate.
The combination of network and embedded IoT security solutions enables defense in depth against IoT security threats. Consumers deploying network IoT solutions can block threats from reaching vulnerable devices, and the integration of embedded security by manufacturers into their devices reduces the threat posed by attacks that might slip through the cracks.
The Importance of IoT Security Architecture
IoT device adoption is growing rapidly as companies take advantage of the various benefits that these devices offer. However, these growing IoT deployments must also be appropriately secured for various reasons, including:
- Secure Data : IoT devices are designed to collect and process large volumes of potentially sensitive information. IoT security is essential to protecting this data against unauthorized access.
- Secure Critical Systems: As companies become more reliant on IoT devices, disruptions to their operations by cyberattacks or other events carry a growing cost. An IoT security architecture is essential to preventing attacks against critical systems.
- Secure the IoT Devices: IoT devices are notorious for their weak security posture. Default usernames, unpatched vulnerabilities, and other issues are common and leave these devices vulnerable to attack. Adding a security overlay helps close these security gaps.
- Prevent Botnet Campaigns: IoT devices are common targets for botnet malware as they are often unsecured devices with Internet connectivity. If these devices are compromised and brought into a botnet, they can be used to perform credential stuffing, DDoS, and other attacks.
- Secure “Shadow” or Unmanaged IoT: Many devices are now delivered with “Smart” functionality, e.g. Smart elevators, building management systems, IP cameras and even refrigerators. Discovering and securing these connected and unmanaged devices reduces the security risk they pose to the organization.
IoT devices rarely have enterprise-grade security built into them. An IoT security architecture is essential to identifying and preventing threats before they can harm vulnerable devices.
How to Create an IoT Security Architecture
An IoT security architecture should be tailored to an organization’s unique security needs and network architecture. Three crucial steps towards building an IoT security architecture include:
- Model the Threat: IoT devices can perform various functions and may fulfill different roles within an organization. The first step to securing these devices is determining the potential threats posed to these devices and the impact that these risks can have on the organization.
- Create Zones of Trust: Different IoT devices within an organization’s environment perform different functions and operate at various levels of trust. An IoT network should be segmented into trust zones that contain systems with the same trust level and related functions.
- Secure Network Traffic: After trust zones are defined, all cross-zone traffic should be inspected and secured. This requires routing traffic through a firewall capable of understanding IoT network traffic and enforcing zero-trust access controls.
IoT Security with Check Point
A strong IoT security architecture is increasingly important as companies deploy growing numbers of IoT devices. These devices have access to sensitive data and valuable functionality but commonly contain security vulnerabilities.
Check Point offers a range of IoT security solutions designed to meet the security needs of both consumer IoT and specialized enterprise IoT deployments. Check Point IoT Protect network security discovers, automatically maps IoT devices to predefined profiles and then applies zero-trust policies on Check Point NGFWs to both protect the IoT device and the organization from vulnerable IoT devices. IoT Protect Embedded enables IoT device manufacturers to design security into the IoT device. This starts with an assessment of the IoT firmware and then deployment of a lightweight agent on the IoT device for runtime protection to close any security gaps found during the assessment.
Learn more about the common IoT security challenges and solutions of 2022 from IDC. Then, sign up for a free demo of Check Point IoT Protect to learn how it can enhance the security of your organization’s IoT devices.
Feedback