Companies across a range of industries now understand the benefits of edge computing, which can facilitate faster processing and enhance data analysis. However, given the remote nature of these devices, which literally exist at the edge of the network, companies are also facing new vulnerabilities that can open them up to attacks. So how can you address cybersecurity threats on the edge and develop the best edge security strategy for your organization?
To begin with, the state of industrial device security right now is messy at best, said Josh Eastburn, director of technical marketing at Opto 22.
“The devices that we’re working with, a lot of them — although they can be networked, they can exist on a network — they weren’t really designed for the network in the same way that we think about consumer or enterprise devices, with particularly the same level of security,” Eastburn said. “So what we have are network structures that have to sort of compensate for that. And we also see organizationally the sometimes-adversarial relationship between OT (operational technology) and the IT (information technology) group, who sort of sees the OT side as maybe a potential threat for their network or something that they kind of need to babysit.”
What is edge computing?
The traditional reference architectures such as the Purdue model take into account that while these devices are critical for the process, they’re also very vulnerable. As a result, there are layers of segregation between the process itself and the higher-level computing or networking resources that are potential attack vectors.
Though many legacy OT devices have existed for years on company networks, they weren’t really ready to participate as full citizens on those networks. To compensate for the vulnerabilities that are inherent in the devices, organizations have had to take extra measures that complicate the architecture of the network.
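The segregation layers described above are usually enforced as zones and conduits: each Purdue level gets its own VLAN/subnet, and a firewall permits only a short allow-list of flows between adjacent levels, with an IT/OT DMZ brokering anything that crosses from enterprise IT into the plant. The script below is an added example (not code from the article or from Opto 22) that checks a set of proposed flows against such a policy. The level names, the 10.0.x.0/24 address plan, the conduit list and the sample flows are all constructed for illustration:

```python
"""Audit proposed network flows against a Purdue-style zones-and-conduits policy.

Added example with a hypothetical address plan and conduit list; nothing here is
taken from a real site.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Purdue levels, lowest (process) to highest (enterprise IT). "dmz" is the
# level 3.5 IT/OT DMZ that brokers traffic between site operations and IT.
LEVEL_ORDER = ["process", "control", "supervisory", "site-ops", "dmz", "enterprise"]

# Hypothetical address plan: one VLAN/subnet per zone.
ZONE_SUBNETS = {
    "process": ip_network("10.0.0.0/24"),      # sensors, actuators, remote I/O
    "control": ip_network("10.0.1.0/24"),      # PLCs
    "supervisory": ip_network("10.0.2.0/24"),  # HMIs, local SCADA
    "site-ops": ip_network("10.0.3.0/24"),     # historian, engineering workstations
    "dmz": ip_network("10.0.35.0/24"),         # replica historian, jump hosts
    "enterprise": ip_network("10.100.0.0/16"), # business IT
}

# Explicitly permitted conduits as (initiator zone, responder zone, proto, dport).
# Anything not listed is denied by default.
CONDUITS = {
    ("supervisory", "control", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    ("site-ops", "supervisory", "tcp", 4840),  # historian pulls OPC UA from SCADA
    ("site-ops", "dmz", "tcp", 443),           # historian pushes to DMZ replica
    ("enterprise", "dmz", "tcp", 443),         # IT reads from the DMZ replica only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str):
    """Map an IP address to its zone name, or None if it is outside the plan."""
    ip = ip_address(addr)
    for name, net in ZONE_SUBNETS.items():
        if ip in net:
            return name
    return None


def check_flow(flow: Flow):
    """Return the list of policy violations for one flow; an empty list means allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return [f"{flow.src}->{flow.dst}: address is outside every known zone"]
    if src_zone == dst_zone:
        return []  # intra-zone traffic is not governed by conduits in this model
    problems = []
    # Rule 1: a conduit may only join adjacent levels; enterprise -> PLC must
    # traverse the DMZ, site operations and the supervisory layer, never jump.
    hops = abs(LEVEL_ORDER.index(src_zone) - LEVEL_ORDER.index(dst_zone))
    if hops > 1:
        problems.append(
            f"{src_zone}->{dst_zone} skips {hops - 1} level(s); "
            "route through the intermediate zone(s)"
        )
    # Rule 2: even between adjacent levels, only allow-listed services pass.
    if (src_zone, dst_zone, flow.proto, flow.dport) not in CONDUITS:
        problems.append(
            f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} has no permitted conduit"
        )
    return problems


def audit(flows):
    """Return {flow: violations} for every flow that breaks the policy."""
    return {f: p for f in flows if (p := check_flow(f))}


# Constructed sample: a mix of legitimate conduits and the kind of "just plug it
# in" flows that the IT/OT conversation in the article is about.
SAMPLE_FLOWS = [
    Flow("10.0.2.10", "10.0.1.5", 502),      # HMI -> PLC Modbus: allowed
    Flow("10.100.5.20", "10.0.1.5", 502),    # IT laptop -> PLC: skips levels, no conduit
    Flow("10.100.5.20", "10.0.35.4", 443),   # IT -> DMZ replica: allowed
    Flow("10.0.3.7", "10.0.1.5", 44818),     # eng. workstation -> PLC EtherNet/IP: skips L2
    Flow("10.0.2.10", "10.0.1.5", 22),       # HMI -> PLC SSH: adjacent, but not allow-listed
]

if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
        for p in problems:
            print(f"  - {p}")
```

Running it flags three of the five sample flows. The adjacency rule is what makes the DMZ meaningful: an enterprise host talking to a PLC is rejected even if someone later adds a matching conduit, because the policy never allows level skipping. In practice the same logic can be fed from firewall rule exports or flow logs to find conduits that were added "after the fact", which is exactly the complexity the article warns about.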
“That is more complicated, which creates a larger attack surface,” Eastburn said. “To compensate, we’re adding in other devices, maybe other network devices, other layers of software security after the fact, because the devices themselves aren’t inherently secure. Then you’ve got the organizational problems also of every time process engineering wants to put a new device on the network, there’s this uncomfortable conversation that has to happen with the IT group. And we sort of feel like we’re at the mercy of the IT group and don’t really have any ownership over the network. So it’s not really ideal for either side.”
Now, industrial networking is moving into a phase where devices are not only network capable but also network ready, meaning they arrive with the security and management features expected of enterprise devices, in part thanks to edge computing. The basic concept is that on a large or high-demand network, it helps to redistribute resources so that all of that demand isn't funneled into one place. Edge computing takes some of those resources and spreads them throughout the network, placing them closer to the areas of high demand. This allows organizations to serve local demand more efficiently and relieve the network core of some of that burden.
The edge and cybersecurity risk
How does this shift to the edge impact cybersecurity risk? Not as much as you would think, Eastburn said, because many devices already exist at the edge.
“You have a PLC that’s sitting out in the process, and it’s connected to a network, and it has little to no security,” Eastburn said. “What we’re doing is we’re compensating for that by creating VLANs, by air-gapping networks, by putting in additional network firewalls, creating all of this additional complexity. Or restricting everybody to using static IP addresses and only being able to request those addresses from the IT group. The kind of stuff that makes it hard just to get business done. That is the state of the union right now.”
“So when we talk about moving things to the edge, what we’re talking about is increasing the processing capability of the devices that are on the edge. Potentially adding storage capabilities that they weren’t capable of before. Being able to run more general-purpose kind of applications so that they can take some of the load that is currently being sent into the network core.”
This makes it practical to process, filter or aggregate data locally before sending it to central applications or the cloud. If companies run distributed regional or global networks, some of that data may travel over metered connections, which means they pay for everything they transmit.
“There are a lot of opportunities to become more efficient, which makes it easier to scale,” Eastburn said. “That’s a big focus right now of digital transformation or Industry 4.0. Whatever angle it is that you’re looking at, scale is kind of the name of the game. And getting your security right, becoming more efficient in the way that you’re growing your network pays off. That’s what really makes that concept feasible.”
Trust but verify
Of course, if you add computing resources at the edge without addressing the longstanding issue of devices that sit open on the network with little to no security of their own, you are amplifying your risk: a more capable device with the same weak posture is a more valuable target. While you can do more out in the field, you can't assume you will achieve scale without also tackling the cybersecurity risk.
“That’s a longstanding issue. If you were so naive as to try and operate with more computing resources on the edge without addressing it, you could face a big problem,” Eastburn said. “But the fact of the matter is that these edge devices make it easier. They’re designed with that in mind and do that by embedding those technologies that you need to be able to operate on the edge safely.”
Using industrial edge devices can also help bridge the IT/OT divide. Because the goals of the two groups are different, that can lead to a lot of distrust. If you are an IT representative, it’s not always clear what assumptions are safe to make about OT networks. With industrial edge devices in place, IT and OT can speak a common language because they’re using the same technologies.
“So we move from a relationship potentially of distrust to one where we can trust but verify, which is a little bit more like what we’re used to if we’re looking at strictly IT networks,” Eastburn said. “We make assumptions about the devices that are being put on the network that they’re capable of a certain level of security, and now that is becoming true of our OT devices also.”
Watch for Part 2 of our interview with Opto 22’s Josh Eastburn, where he will discuss edge communications and reducing network complexity. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.