To Conquer, Divide
Hrabik's physically separate network is the belt-and-suspenders, come-hell-or-high-water solution. A less sweeping but still effective alternative is to separate the networks logically to limit which devices can talk to which. James took this approach at Secure Science, in part to control the risks of putting digital printers on his network.
Logical separation is based on the fact that every device on a network has two addresses. The first is defined by the manufacturer and embedded in the hardware; the second is assigned by the network. These are known as the MAC (Media Access Control) and IP (Internet Protocol) addresses, respectively. The latter might be thought of as the street address of a house; the former as the name of the person living in that house at the moment. Packets typically arrive in a network knowing the IP address but not the MAC address of their destination. They learn the MAC address by polling the device belonging to that IP address; that is, they go to the house, knock and ask who lives there. The first step in logically separating the network is to make sure that the device does not give out the identity of its "inhabitants" to every Tom, Dick and Harry who shows up at the front door. The butler needs to be given a list that specifies whom the master will see. Everybody else gets the door shut in his face.
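The "butler with a list" can be shown as a small simulation: a device answers the "who has this IP address?" knock with its MAC address only when the asker is on its access control list. This is an added example, not code from the article or from S2 Security or Secure Science; the device names, IP addresses, MAC addresses and subnets are all constructed.

```python
"""Address resolution with an allow list, modelled on the article's "butler".

Added example, not code from the article or from S2 Security / Secure Science.
A device here answers "who has IP X?" (the knock at the door) with its MAC
address only when the asker's IP is on its access control list; every other
knock is refused and logged. All names, addresses and subnets are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Device:
    name: str
    ip: IPv4Address
    mac: str                                   # burned in by the manufacturer
    allowed_askers: List[IPv4Network] = field(default_factory=list)  # the butler's list
    refused: List[str] = field(default_factory=list)                 # refused knocks, for review

    def who_has(self, asker_ip: IPv4Address, target_ip: IPv4Address) -> Optional[str]:
        """Handle one resolution request; hand out the MAC only to permitted askers."""
        if target_ip != self.ip:
            return None                        # not this house: stay silent
        if any(asker_ip in net for net in self.allowed_askers):
            return self.mac
        self.refused.append(f"{asker_ip} asked for {target_ip}")
        return None


def resolve(segment: List[Device], asker_ip: IPv4Address, target_ip: IPv4Address) -> Optional[str]:
    """Broadcast the question to every device on the segment, as ARP does,
    and return the first answer (None if nobody will talk to the asker)."""
    for dev in segment:
        mac = dev.who_has(asker_ip, target_ip)
        if mac is not None:
            return mac
    return None


# Constructed segment: a printer that only identifies itself to the
# print-server subnet, and a camera that only answers its controller.
PRINTER = Device("printer-1", ip_address("10.0.5.20"), "00:11:22:33:44:55",
                 [ip_network("10.0.1.0/24")])
CAMERA = Device("cam-3", ip_address("10.0.5.30"), "66:77:88:99:aa:bb",
                [ip_network("10.0.2.7/32")])
SEGMENT = [PRINTER, CAMERA]


def demo() -> dict:
    """Run the constructed scenario and report who learned what."""
    return {
        "print_server": resolve(SEGMENT, ip_address("10.0.1.10"), ip_address("10.0.5.20")),
        "stray_workstation": resolve(SEGMENT, ip_address("10.0.9.44"), ip_address("10.0.5.20")),
        "controller": resolve(SEGMENT, ip_address("10.0.2.7"), ip_address("10.0.5.30")),
        "refused_by_printer": list(PRINTER.refused),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice few printers or cameras can be taught to keep such a list themselves; the list is usually enforced for them by the switch or firewall that sits between segments (port access control lists and VLANs), which is where the refused-knock log would live as well. The simulation keeps the list on the device only to make the article's analogy concrete.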
Separation is defined by building access control lists and enforced by encryption. S2 Security is a start-up developing a product that integrates networked management of devices - for example, video cameras, intercoms, sensors and door locks - with the idea of extending the reach of security personnel to multiple, remote-entry points. The company has two flavours of demo: a remotely controllable Webcam accessible from its Web site, and private presentations it gives clients.
It would, of course, be enormously embarrassing if one of S2's competitors were to break into its product, especially during a presentation, and it cannot be denied that there are people in this field who would be amused by - indeed proud of - such an exploit. Responsibility for securing S2 from such a debacle falls to the company's COO, Michael Welles. According to Welles, the basic architecture of the S2 system runs browser-to-controller-to-devices. Until now, most attention has been focused on the browser-to-controller link, perhaps because external connections are supposed to be riskier. In fact, the second link is just as important, but today few controllers encrypt the device end of their communications. Here, Welles can eat his own dog food: S2 makes a product that encrypts both the commands going to the devices from the controller and the device outputs flowing back to the browser. Password protection is laid on top of these encryption layers. External access can come over a VPN or other secure link.
Repeat as Necessary
Four general principles govern device networking security. The first is logical separation enforced by encryption (as we said). The second is proactivity. Secure Science's James believes a CIO (or the CSO) ought to draw up a comprehensive threat model that includes the risks his company is likely to encounter at each stage of its growth, including important changes in status (such as going public), and build in the necessary protections, including training and standards-setting, as far ahead as possible. "The sooner security measures get built into policies, procedures and architecture, the better," he says.
The third is to use the strengths of the network - its reserves of processing and connectivity resources - to fight its weaknesses. Networks are built up out of layers of protocols or standards. The physical layer concerns what cables and cards and chips need to know about each other so that they can exchange zeros and ones; the application layer sets the rules by which applications interact; and so on. Good device networking security practice watches activity on several layers at once, from application requests (printers probably should not be Web surfing) to department access rights (why is customer support sniffing around in maintenance?).
"Watching" here means that the network is continuously comparing its current condition to "normal", which is defined by a combination of corporate policy and historical norms. Whenever the network sees a departure from the norm, it rings the authorities, like the credit card companies that call you when your card is used for a transaction in Nigeria.
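The two halves of "normal" described here, corporate policy and historical norms, can be written down as a checker that runs over flow records from the device network. This is an added example, not code from the article or from any product it mentions; the flow records, port tables and department names are constructed for illustration.

```python
"""Compare device-network flows to "normal": corporate policy plus history.

Added example, not code from the article. The flow records, the policy tables
and the department names are all constructed. A flow is flagged when it breaks
an explicit policy rule (a printer using a web port, one department poking at
another it has no business in) or when it is something the device has never
been seen doing before (the historical norm).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    device: str      # device name
    kind: str        # device class: printer, camera, workstation
    src_dept: str    # department the device belongs to
    dst_dept: str    # department that owns the destination
    dst_port: int    # destination TCP port


# Constructed corporate policy: which ports each device class may use
# (printers talk printing protocols, not HTTPS) and which departments
# each department may reach.
ALLOWED_PORTS: Dict[str, Set[int]] = {
    "printer": {515, 631, 9100},
    "camera": {554},
    "workstation": {80, 443, 554, 9100},
}
ALLOWED_DEPT_ACCESS: Dict[str, Set[str]] = {
    "customer_support": {"customer_support", "it"},
    "it": {"customer_support", "it", "maintenance"},
    "maintenance": {"maintenance", "it"},
}


def learn_baseline(history: List[Flow]) -> Set[Tuple[str, str, int]]:
    """Historical norm: every (device, destination dept, port) seen before."""
    return {(f.device, f.dst_dept, f.dst_port) for f in history}


def check_flow(flow: Flow, baseline: Set[Tuple[str, str, int]]) -> List[str]:
    """Return the reasons a flow departs from normal (empty list if none)."""
    alerts = []
    if flow.dst_port not in ALLOWED_PORTS.get(flow.kind, set()):
        alerts.append(f"policy: {flow.kind} {flow.device} used port {flow.dst_port}")
    if flow.dst_dept not in ALLOWED_DEPT_ACCESS.get(flow.src_dept, set()):
        alerts.append(f"policy: {flow.src_dept} reached {flow.dst_dept} via {flow.device}")
    if (flow.device, flow.dst_dept, flow.dst_port) not in baseline:
        alerts.append(f"baseline: {flow.device} never before went to {flow.dst_dept}:{flow.dst_port}")
    return alerts


def audit(history: List[Flow], current: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Ring the authorities: return each current flow that drew alerts."""
    baseline = learn_baseline(history)
    findings = []
    for flow in current:
        alerts = check_flow(flow, baseline)
        if alerts:
            findings.append((flow, alerts))
    return findings


# Constructed history (a stretch of normal behaviour) and today's flows.
HISTORY = [
    Flow("printer-1", "printer", "it", "it", 9100),
    Flow("printer-1", "printer", "it", "it", 9100),
    Flow("cam-3", "camera", "maintenance", "it", 554),
    Flow("ws-support-7", "workstation", "customer_support", "customer_support", 443),
]
TODAY = [
    Flow("printer-1", "printer", "it", "it", 9100),                              # normal
    Flow("printer-1", "printer", "it", "it", 443),                               # printer web surfing
    Flow("ws-support-7", "workstation", "customer_support", "maintenance", 80),  # support in maintenance
]

if __name__ == "__main__":
    for flow, alerts in audit(HISTORY, TODAY):
        print(flow.device, "->", f"{flow.dst_dept}:{flow.dst_port}")
        for a in alerts:
            print("   ", a)
```

The policy rules give hard, explainable alerts; the baseline catches what nobody thought to write a rule for, at the price of flagging every genuinely new piece of work a device does. A real deployment would count flows rather than just record their presence, so that a device seen doing something once in a year can still stand out from one that does it all day.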
Fourth, good device networking security is continuously changing. The old security model was like a door lock: Once it was locked, you'd done what you could with the technology. The new model is like virus protection: You have an ongoing relationship with a security services provider that is constantly looking for new threats, doing its own research and installing upgrades continuously. James advises hiring third-party tiger teams on a regular basis to test both your own network and the quality of the advice you have been getting from your security services provider.
These last three principles should look familiar. Proactivity, surveillance in depth and rapid responsiveness are the load-bearing members of every form of security. IT and data security executives campaign for them, usually to disappointing effect: Nobody can make the time, being careful is too great an inconvenience, everyday business can't be interrupted for training sessions, it's too expensive and so on.
So perhaps the most important piece of good news about device networking is that its security risks are so egregious, so scary, that they will force companies to implement the security principles they should have been following all along. Certainly any CIO can count on a high level of interest from an executive who has been trapped in an elevator for an hour by a 15-year-old Romanian hacker looking for a bit of recreation.