Securing IoT/OT environments: The password paradox

A cybersecurity icon projecting from a laptop screen.
(Image credit: Shutterstock / song_about_summer)

If you are reading this online, on a phone or laptop, chances are you have one. A password. Passwords have been our trusty guardians in the digital world, securing everything from social media accounts to bank information. And it is the same in the enterprise space with companies often leaning on passwords to secure their files and digitally enabled operations. With the growing integration of IoT and OT systems in enterprise and manufacturing sectors, a crucial question emerges: Can a simple password keep everything safe?

The password predicament

Once upon a time, a strong password was all you needed for online security. But these days, believing that is a fantasy. Passwords may have been the gatekeepers for our computers for years, but no longer can they be the sole guardian.

Consider any critical infrastructure, such as the power grid or subway system of a major city. A weak password could be the chink in the armor leading to the inner sanctum of control and. opening the path to disruptive chaos by bad actors. , Brute-force attacks can crack weak passwords in a heartbeat, and phishing scams are becoming increasingly sophisticated. An attacker taking advantage of human nature such as implicit trust or curiosity can lead to a domino effect, compromising entire systems if someone falls for a cleverly disguised email.

The truth is, today's cyber threats are too advanced for a one-size-fits-all approach like passwords. We need stronger, more robust defenses to keep our interconnected world safe.

Dick Bussiere

Technical Architect, Tenable.

The concept of layered defense in operational technology

Let’s put our discussion on passwords on hold for a moment - we’ll get back to that. Beyond passwords lies a layered security approach that safeguards IoT and OT systems. Operational Technology networks have long been segmented into “Layers”, as is frequently described by the Purdue Model. This model breaks up infrastructure based on the functions provided by a given layer. If we look at it, Level 0 represents the physical machines, Level 1 represents the “Cyber-physical” layer, where the kinetic world intersects with the digital world, and “Controllers” live. Level 2 represents where the humans come into play, and facilitates the “Human Machine Interface” (HMI) level, where people command the various processes. Lastly, Level 3 provides services on which the other two levels rely. 

Clearly, from a security perspective, we can take advantage of these segregations. Generally, the majority of traffic should flow between any two layers - for example Layers 1 and 2, and Layers 2 and 3. There are of course exceptions to this but these exceptions should be quite limited. If we take advantage of this natural segregation, we can make security rules to control what traffic is allowed to go where. This segmentation restricts communication between zones, minimizing the potential impact of a breach. We will call the segregation afforded by the Purdue model as “Horizontal segregation” since the segments run horizontally.

But, OT facilities are HUGE. Imagine a four-unit thermal power plant or an automobile manufacturing facility. Even if we have strict controls for Horizontal Segregation, what happens when someone gets inside a plant and tries to move side-to-side rather than up and down? In our four-unit thermal power plant example, if one unit gets compromised then the attacker can move to the other three units. Likewise, in our automobile factory example, someone breaking into the painting facility can move sideways into the body shop.

So Vertical Segregation must also be implemented. For our power plant example, there should be no way for traffic at Purdue Level 1 in Unit 2 to flow to Units 1, 3 and 4. Likewise, if an attacker gets control of the paint shop in an automobile factory, that attacker should be prevented from moving to other places.

To summarize, each zone has its specific job, and traffic between them must be strictly controlled. This way, if a hacker manages to sneak into one zone, they can not easily move to another.

Vertical Segregation and Horizontal Segregation Zones are maintained by the “security guards” of the digital world – firewalls and access control lists (ACLs). These are like bouncers at the party. They check every message and piece of data that tries to enter a zone, making sure it has a legitimate reason to be there. Only authorized information gets through, keeping the system running smoothly.

Layered security is like a well-designed transportation network with checkpoints, controlled intersections, and dedicated lanes in every direction, ensuring smooth and secure operations.

Tying it all together - 2FA, keys and digital certificates?

Other authentication and authorization mechanisms are frequently used to bolster security beyond what is possible with passwords alone. The general theme is “something you have and something you know”, and the most secure authentication occurs when two factors are used (2FA).

The use of Digital Certificates, or one-time passcodes (application or FOB-based), when combined with passwords satisfy the “something you have and something you know” requirement of 2FA. and/or biometrics offer a more robust alternative to passwords. Additionally, in machine-to-machine communications, Digital Certificates serve to allow mutual authentication and strong encryption of inter-machine communications. Lastly, Digital Certificates are used to digitally “sign” messages in secure communications, preventing interference with the message contents whilst they are in transit. We see this application in use every day as we use the Web with HTTPS.

So passwords continue to form an important part of authentication, but used alone they become more dangerous every day. That’s why many providers of online services are pivoting towards “Passkeys”. These serve as the second factor in 2FA. Rather than using a number from an app or a fob, your biometric (face/fingerprint) is used to confirm that it is YOU who is using the system. Think of passwords as your front door key. It gets you in, but anyone with a copy can unlock the door too. With credential theft being a frequent event, passwords are no longer secure. 

So, they must be augmented with stronger authentication methods that include something else. Either a certificate or a proper 2FA is absolutely essential. In fact, even if someone does get a password, with properly implemented 2FA it is impossible to use it - the system needs the second factor to authenticate or access will be denied. Forging a 1024 or 2048-bit RSA Key remains computationally infeasible. The same is true regarding your face or thumbprint.

Transitioning to a key-based future: Challenges and considerations

While cryptographic keys offer undeniable advantages, challenges exist. First, legacy systems impose inertia - maybe these systems will remain in service until they are economically infeasible to operate.

Managing keys requires specialized skills and a certificate of authority. Careful management is crucial to avoid certificate expiration and potential system disruptions. The additional complexity necessitates a risk-benefit analysis to determine the appropriate deployment scenarios. Transitioning to a key-based system also involves costs associated with new technologies, staff training, and policy development. However, the long-term benefits outweigh the initial investment, resulting in a more secure and resilient environment.

We’re stuck with passwords (for now)

Passwords remain an unfortunate reality for some legacy OT devices that lack support for cryptographic keys. Replacing them entirely might not be an option; we get comfortable with what we know, and sometimes the cost of switching things up is just too high. Plus, some would question the value proposition of advanced security at lower levels of a layered security model, especially when those levels are well protected by multiple higher layers So, what can we do? For such scenarios, strong password hygiene is critical. This includes enforcing complexity requirements, regular rotation, and deploying multi-factor authentication (MFA) where possible. Password managers further enhance security by securely storing and managing passwords, reducing the risks associated with poor password practices.

The future of IoT/OT security: A holistic approach

As IT and OT come together, exposure management, securing active directories, and Zero Trust Architecture (ZTA) become increasingly important. This is great for efficiency, but it also creates new security challenges. The golden rule is to see the whole picture, not just isolated systems.

Exposure management involves continuous monitoring and assessment of the attack surface to identify and mitigate vulnerabilities. Securing active directories ensures only authorized users can access critical systems, while ZTA enforces strict access controls. The proliferation of IT and OT systems, while introducing security risks, also presents opportunities to modernize security strategies. By adopting a comprehensive approach, organizations can safeguard their sensitive assets and strengthen operational resilience.

Building a fortress for the connected world

Passwords have served us well, but the evolving landscape of IoT/OT security demands more. With tons of new devices connecting to the internet, we need a serious security upgrade. Cryptographic keys, layered security, and a commitment to ongoing education on password best practices are all crucial for a robust defense. This requires ongoing vigilance and adaptation, but the rewards of a robust defense against cyberattacks are immeasurable. The ever-expanding world of interconnected devices demands our unwavering commitment to safeguarding them.

We list the best business password managers.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

Dick Bussiere, Technical Architect, Tenable.