If you’re reading this online, on a phone, or on a laptop, chances are you have one: a password. Passwords have long been our trusted guardians in the digital world, protecting everything from social media accounts to banking information. And the same is true in the enterprise realm, where companies often turn to passwords to protect their digital files and operations. With the increasing integration of IoT and OT systems in the business and manufacturing sectors, a crucial question arises: can a simple password keep everything safe?
The password dilemma
There was a time when a strong password was all that was needed for online security. But today, believing that is a fantasy. Passwords may have been the guardians of our computers for years, but they can no longer be the only guardian.
Consider any critical infrastructure, such as the power grid or subway system of a major city. A weak password could be the chink in the armor that leads into the inner sanctum of control and opens the way to disruptive chaos by malicious actors. Brute-force attacks can crack weak passwords in an instant, and phishing scams are becoming more sophisticated. An attacker who takes advantage of human nature, such as implicit trust or curiosity, can cause a domino effect, compromising entire systems if someone falls for a cleverly disguised email.
The truth is that today's cyber threats are too advanced to rely on a one-size-fits-all approach, like passwords. We need stronger, more robust defenses to keep our interconnected world safe.
Technical Architect, Tenable.
The concept of layered defense in operational technology
Let’s put aside the discussion of passwords for a moment; we’ll come back to it. Beyond passwords, there is a layered approach to security that protects IoT and OT systems. Operational technology networks have long been segmented into “layers,” as frequently described in the Purdue model. This model divides infrastructure based on the functions provided by a given layer. If we break it down, Level 0 represents the physical machines; Level 1 represents the “cyber-physical” layer, where the kinetic world intersects with the digital world and the “controllers” live; Level 2 is where humans come into play, through the “human-machine interface” (HMI) layer, where people control the various processes. Finally, Level 3 provides services that the other levels depend on.
It's clear that from a security perspective, we can take advantage of these segregations. Typically, most traffic should flow only between adjacent layers, for example between layers 1 and 2, or between layers 2 and 3. Of course, there are exceptions, but these should be fairly limited. By taking advantage of this natural segregation, we can create security rules to control what traffic can go where. This segmentation restricts communication between zones, minimizing the potential impact of a breach. We'll call the segregation provided by the Purdue model “horizontal segregation,” since the segments run horizontally.
But OT facilities are HUGE. Imagine a four-unit thermal power plant or an automobile manufacturing plant. Even if we have strict controls for horizontal segregation, what happens when someone enters a plant and tries to move side to side instead of up and down? In our four-unit thermal power plant example, if one unit is compromised, the attacker can move to the other three units. Likewise, in our automobile factory example, someone entering the paint plant can move laterally into the body shop.
Therefore, vertical segregation must also be implemented. In the power plant example, there should be no way for traffic on Purdue Level 1, in Unit 2, to flow to Units 1, 3, and 4. Likewise, if an attacker gains control of the paint shop at an automobile factory, he must be prevented from moving to other locations.
In short, each zone has its own specific function and traffic between them must be strictly controlled. This way, if a hacker manages to sneak into one zone, he or she will not be able to easily move on to another.
Vertical segregation and horizontal segregation zones are maintained by the “security guards” of the digital world: firewalls and access control lists (ACLs). They’re like the bouncers at a party. They monitor every message and piece of information that tries to enter a zone, making sure it has a legitimate reason for being there. Only authorized information gets through, keeping the system running smoothly.
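To make the two kinds of segregation concrete, here is an added example (not from the article or from Tenable) of a default-deny zone policy for the four-unit plant described above. Unit names, the shared "site" zone for Level 3 services, the protocol labels and the single documented exception are all constructed for the example; a real deployment would express these rules in its firewalls and ACLs.

```python
from dataclasses import dataclass

# Purdue levels as the article describes them: 0 = physical machines,
# 1 = controllers, 2 = HMI, 3 = shared services. Unit names and the
# protocol labels are constructed for this example.

@dataclass(frozen=True)
class Zone:
    unit: str   # vertical segment: "unit1".."unit4", or "site" for level-3 services
    level: int  # horizontal segment: Purdue level 0..3

@dataclass(frozen=True)
class Flow:
    src: Zone
    dst: Zone
    proto: str

# The few documented exceptions to the default policy, matched exactly.
# Constructed: a level-3 patch server may reach unit1's controllers directly.
EXCEPTIONS = {
    (Zone("site", 3), Zone("unit1", 1), "patch-mgmt"),
}

def allowed(flow: Flow) -> bool:
    """Default-deny check combining horizontal and vertical segregation."""
    s, d = flow.src, flow.dst
    if (s, d, flow.proto) in EXCEPTIONS:
        return True
    # Horizontal: traffic may only cross between adjacent levels (0-1, 1-2, 2-3).
    if abs(s.level - d.level) != 1:
        return False
    # Vertical: a unit's zones never talk to another unit's zones; only the
    # site-wide level-3 services may be shared across units.
    if s.unit != d.unit and "site" not in (s.unit, d.unit):
        return False
    return True

def audit(flows):
    """Return (flow, verdict) pairs, e.g. to compare against firewall/ACL hits."""
    return [(f, "allow" if allowed(f) else "deny") for f in flows]

# Constructed sample flows for the four-unit plant described in the article.
SAMPLE_FLOWS = [
    Flow(Zone("unit2", 1), Zone("unit2", 2), "modbus"),     # controller -> own HMI
    Flow(Zone("unit2", 1), Zone("unit1", 1), "modbus"),     # lateral, unit 2 -> unit 1
    Flow(Zone("unit2", 2), Zone("site", 3), "historian"),   # HMI -> shared services
    Flow(Zone("unit2", 1), Zone("site", 3), "historian"),   # skips level 2
    Flow(Zone("site", 3), Zone("unit1", 1), "patch-mgmt"),  # documented exception
    Flow(Zone("site", 3), Zone("unit3", 1), "patch-mgmt"),  # same protocol, no exception
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src.unit}/L{flow.src.level} -> "
              f"{flow.dst.unit}/L{flow.dst.level} ({flow.proto})")
```

Running the block lists a verdict per sample flow; the lateral unit-to-unit and level-skipping flows are denied while the exception is honoured only for the exact zone pair and protocol it names.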
Layered security is like a well-designed transportation network, with checkpoints, controlled intersections, and dedicated lanes in all directions, ensuring smooth and safe operations.
Putting it all together: 2FA, keys and digital certificates?
Other authentication and authorization mechanisms are often used to strengthen security beyond what is possible with passwords alone. The general concept is “something you have and something you know,” and the most secure authentication occurs when two-factor authentication (2FA) is used.
The use of digital certificates or one-time passcodes (app-based or FOB), when combined with passwords, satisfies the “something you have and something you know” requirement of 2FA. These factors and/or biometrics offer a stronger alternative to passwords alone. Additionally, in machine-to-machine communications, digital certificates enable mutual authentication and strong encryption. Finally, digital certificates are used to digitally “sign” messages in secure communications, preventing tampering with message content while in transit. We see this application in use every day when using the Web with HTTPS.
Passwords are still an important part of authentication, but used alone, they are becoming more dangerous every day. That’s why many online service providers are turning to “passcodes,” which serve as the second factor of two-factor authentication. Instead of using a number from an app or a key fob, biometric data (face or fingerprint) is used to confirm that it’s YOU using the system. Think of passwords as the key to your front door. They let you in, but anyone with a copy can also open the door. With stolen credentials a common occurrence, passwords are no longer secure.
Therefore, they need to be complemented by stronger authentication methods that include something more. A certificate or proper two-factor authentication is absolutely essential. In fact, even if someone obtains a password, with properly implemented two-factor authentication it is impossible to use it: the system needs the second factor to authenticate or access will be denied. Forging a 1024- or 2048-bit RSA key remains computationally infeasible. The same goes for a face or fingerprint.
Transitioning to a key-based future: challenges and considerations
While cryptographic keys offer undeniable advantages, there are challenges. First, legacy systems impose inertia: these systems may remain in service until it becomes economically unviable to operate them.
Key management requires specialized skills and a certificate authority. Careful management is critical to avoid certificate expiration and the resulting system disruptions. The added complexity requires a risk-benefit analysis to determine appropriate deployment scenarios. Transitioning to a key-based system also involves costs associated with new technologies, staff training, and policy development. However, the long-term benefits outweigh the initial investment, resulting in a more secure and resilient environment.
We're stuck with passwords (for now)
Passwords remain a sad reality for some legacy OT devices that lack support for cryptographic keys. Replacing them entirely might not be an option – we get used to what we know, and sometimes the cost of changing things is too high. Furthermore, some would question the value proposition of advanced security at the lower levels of a layered security model, especially when those levels are well protected by multiple layers above. So what can we do? For such scenarios, strong password hygiene is critical. This includes enforcing complexity requirements, regular rotation, and implementing multi-factor authentication (MFA) where possible. Password managers further enhance security by securely storing and managing passwords, reducing the risks associated with poor password practices.
The future of IoT/OT security: a holistic approach
As IT and OT come together, exposure management, Active Directory protection, and Zero Trust Architecture (ZTA) become increasingly important. This convergence is great for efficiency, but it also creates new security challenges. The golden rule is to look at the whole picture, not just isolated systems.
Exposure management involves continuous monitoring and assessment of the attack surface to identify and mitigate vulnerabilities. Securing Active Directory ensures that only authorized users can access critical systems, while ZTA enforces strict access controls. The proliferation of IT and OT systems, while introducing security risks, also presents opportunities to modernize security strategies. By taking a comprehensive approach, organizations can protect their sensitive assets and strengthen operational resilience.
Building a fortress for the connected world
Passwords have served us well, but the changing IoT/OT security landscape demands more. With tons of new devices connecting to the internet, we need a serious security upgrade. Cryptographic keys, layered security, and a commitment to ongoing education on password best practices are critical to a strong defense. This requires constant vigilance and adaptation, but the rewards of a strong defense against cyberattacks are immeasurable. The ever-expanding world of interconnected devices demands our unwavering commitment to protecting them.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc.