What is Secure IoT?
How does your solution work & why is it better than firewalls?
Secure IoT and Firewalls solve two different problem sets
How can Secure IoT Save Money over Using Firewalls?
- Use of both public and private IP addresses (can use public only)
- Elimination of the need for X.509 and SSL Certificates
- Built-in, mandatory mutual public-key authentication, no external/public infrastructure/services required
- Provides protection for control systems, not just devices
- Includes communications and device monitoring, automated alerts, and connection history
- Protects and secures “unmanaged and/or unidentified” IP and non-IP devices
- Cross-domain capabilities allow for secure remote access and management
- Isolation and containment limits spread and damage - reducing cost of breach and mitigation
- No major changes to existing infrastructure and no specialized training required
- OPEX vs. CAPEX - no equipment to maintain or replace
- Reduced attack surface can lower Cyber Insurance costs (see BitSpeed)
Would this product improve our cyber security score and how?
- Man in the Middle (MitM) attacks
- Access Control Lists (ACLs) and hardware/people to manage them
- Misconfiguration of software-based security measures like VLANs
- Attack surface by moving OT into enclaves
- Potential damage from Distributed Denial of Service (DDoS) attacks
- Unauthorized access – from outside and from within
- Complexity of securing the network
- Best Practices and Segmentation (as per NIST)
- Patch Management
- Resiliency and continuity (communications failover)
- Simplicity and robustness
Has Secure IoT undergone significant penetration testing to validate whether it would itself present a breach vulnerability, and if so, describe in detail?
In 2016 the Secretary of Defense commissioned Johns Hopkins to survey over 580 companies to identify security solutions that protect Operational Technologies from unauthorized access and control from outside and within. In April 2017, the Secretary of Defense started an ongoing testing process at the National Cyber Range in Orlando with Lockheed Martin. Onclave was selected as the first company because of our unique enterprise-wide solution. We completed our first round of testing and will be returning in April 2018 to test the next release of our management and monitoring tools as part of our complete Secure IoT Managed Service.
Initial tests produced the following results:
- Our communications (enclaves) went un-breached and proved to be a highly secure way of segmenting OT from IT
- We demonstrated unique separation capabilities and how new topologies could be implemented logically across domains
- While physical access created vulnerabilities, the risk was assessed as “extremely low” and having limited impact
- The Managed Service approach was acknowledged as a way to mitigate some of the physical access vulnerabilities
“…Secure IoT provides protection and management of OT and IT endpoints with their enterprise Managed Service. The security model implemented by the solution includes isolation and containment capabilities enhanced by people and processes applied to a logically defined set of enclaves. Secure IoT does not protect or claim to protect against insider threats involving physical access but has incorporated processes and alerts to notify end customers of potentially malicious behaviors or communications. The Continuous Monitoring Delivers Alerts and Reporting that track and notify customers when device endpoints are not operating or behaving as defined by a customer, a manufacturer or accepted historical patterns as well as tracking the state of the enclaves implemented by the system.”
What are the failure/maintenance points and how are they mitigated?
Internet connectivity interruptions (internal/external/natural disaster) –
- CommTunnel: addressed by implementing a backup and failover connectivity solution appropriate for the customer (for example, Verizon failing over to cable), including high availability using load balancing and Bridges with redundancy through independent Internet circuits to mitigate Internet failure.
- Multiple geographically diverse data centers serve as failover points.
- The customer has to implement a high availability solution based on their risk tolerance; for example, a low-end high availability solution could be a digital high-bandwidth Internet connection with failover to a POTS dial-up line. The customer needs to open a firewall port such as UDP 820.
Device level failure –
- CommTunnel will notice and report a device failure but cannot be responsible for the device functions.
- Secure IoT Gateway failure will be reported with an Alert and replaced in accordance with the SLA
- Secure IoT Bridge is designed for automatic failover with no impact to service.
- No moving parts, solid state, simple configuration, “battle-tested”
Break/fix SLA Maintenance – in the unlikely event that a Secure IoT Gateway fails, a hot-swap replacement will be available for each facility (multiple in most cases). Replacements do not require an Onclave or third-party technician but may require some phone support.
Secure IoT MSC System Failure –
- Environment – as noted above, a failure of Secure IoT through our MSC is protected by automated failover communications and hardware, with little to no impact on service.
- Secure IoT software is also secured inside the enclave, so there is no impact to protection.
- The Secure IoT enclave is hardware based, so a failure of a hardware endpoint could induce a break in communications within the impacted enclave. Break/fix is performed per SLA.
Failures Related to Insider Threat Tampering –
- Physical access - removal of, or attempted access to, a Gateway creates an automated alert which triggers SLA-defined break/fix.
- All employees with access to our system or enclaves are prescreened with background checks through “Hire Right”, where they are evaluated on civil, criminal, financial and other background factors.
What is the typical internal support model for a client (which type of technical resources typically manages/supports these devices)?
Since Secure IoT is a Managed Security Service, the typical internal support by our customers is managed through a Service Level Agreement (SLA) that clearly defines roles and responsibilities of all parties.
Each SLA is negotiated, defined and agreed upon uniquely with each customer due to the diversity and complexity of the OT and of each enterprise. Every SLA defines levels of support, alerts, escalations process, reports and all activities managed between the Secure IoT MSC, the enterprise customer and any third-party integrators who may be providing support. All Secure IoT equipment and software used is managed and supported by Onclave and it is included in the cost of the service.
From the customer side, it is preferred if there is an architect and a senior network administrator available to participate in the monitoring and support provided by the Secure IoT MSC, but “typical network support personnel” can easily address break-fix and the majority of service issues that may arise.
What are the typical Roles and Responsibilities related to the SLA?
What is your cloud strategy?
Secure IoT is not a cloud-based solution, and in fact goes in the opposite direction of cloud-based solutions: Secure IoT protects devices by segmenting and segregating them into private networks that are inaccessible from, and have no access to, the Internet.
How many enclaves can I have?
There are no inherent limits to the number of Enclaves you can have, or to how many devices can exist within a single Enclave. A single Enclave is bounded, in part, by Secure IoT Gateways. Gateways work in tandem with Secure IoT Bridges. A single Bridge can logically support a virtually unlimited number of Enclaves, limited only by the bandwidth requirements of the protected devices. Bridges and Gateways can be added as required, with no upper boundaries, and are routinely configured in pools to assure redundancy and high availability.
Can One Enclave talk to another?
Enclaves can be designed to allow the devices and IT assets in them to talk with each other and to those in other Enclaves.
What if someone plugs a laptop into my Secure Segment?
Secure IoT detects the addition of the IT device to the segment and automatically alerts the Customer of the presence of the unauthorized device, so that the Customer knows the device is on the segment, where it is logically, and then, if appropriate, can remove it from the segment.
What if someone plugs a Wi-Fi device into my Secure Segment?
Secure IoT detects the addition of the Wi-Fi device to the segment and automatically alerts the Customer of the presence of the unauthorized device, so that the Customer knows the device is on the segment, where it is logically, and then can remove it from the segment.
What devices do you fix/monitor?
Secure IoT monitors every device in the Enclave, regardless of type, manufacturer, operating system, protocol, or communications medium. If the device is in the Enclave, Secure IoT sees it, monitors it, and reports on its behavior.
Secure IoT is not a hardware break/fix service.
How long does it take to create a Secure Segment?
The planning for and design of the Secure Segment can take weeks or months, but the actual creation of the Secure Segment happens in a moment, when the Secure IoT solution is turned on.
How does Secure IoT interact with Cisco Routers?
Secure IoT interacts with Cisco routers the same way it interacts with all routers. Secure IoT is not a router-based solution, and thus, is agnostic toward the presence, or manufacturer, or model of router.
How does key management work?
Secure IoT key management provides the essential information needed for establishing a trusted relationship between a single Bridge or pool of Bridges and a Gateway. Once a set of OT devices is identified to be included in a protected enclave, the Secure IoT Management Console (MC) provisions the keys based on the determined Secure IoT Sleeve ID. Each Bridge or Bridge Pool can support up to 4095 Secure IoT Sleeve IDs. Gateways can only trust one Bridge or Bridge Pool, which is identified during the issuance of the key. The keys are placed on a secure iKey.
How does Secure IoT modify enclaves?
Enclaves can be easily modified after they have been created. A single enclave can have one or more segments. An enclave segment consists of all the devices protected in a single logical group. Therefore, if an enclave is first created to isolate the OT devices on a subnet and later a set of management tools for those devices needs to be able to securely communicate with the OT devices, a second Gateway with the same Secure IoT Sleeve ID could be placed on the LAN that the management tools reside on to connect the segment with the OT devices to the management tools. The enclave now has two segments.
How does Secure IoT add/or subtract a device?
If a new device is detected, Secure IoT Smart Alerts notifies the appropriate parties. The Smart Alert has actions that can add the device to the enclave or identify it as an unwelcome device for immediate physical removal. If the device is added, Secure IoT Management and Monitoring Services will determine the device's common behavioral patterns as a basis for alerting the appropriate parties when the device is operating outside of its normal boundaries.
How do we deal with a device that pops up after we do the initial survey?
If a device wasn’t discovered during the initial survey and is detected after the enclave has been created, Secure IoT Smart Alerts notifies the appropriate parties. The Smart Alert has actions that can add the device to the enclave or identify it as an unwelcome device for immediate physical removal. If the device is added, Secure IoT Management and Monitoring Services will determine the device's common behavioral patterns as a basis for alerting the appropriate parties when the device is operating outside of its normal boundaries.
Does Secure IoT comply with USA Common Criteria?
Secure IoT is targeting NIST FIPS 140-2, which is a standard that exceeds the Common Criteria framework for security.
Does CommTunnel support PCI-DSS?
Secure IoT operates at Layer 2 and therefore has no impact on PCI-DSS. We look at this as a Defense in Depth that further protects the data in motion.
How quickly can a MAC address be added/replaced to the enclave?
MAC addresses can be managed in real-time. Devices can be preloaded into the system, so that when they’re online, they can join the enclave. MAC address management is handled through the MMS Console that is accessible by the party responsible for managing devices inside the enclave. MAC addresses can appear and disappear instantly as the service is based on live monitoring. A Smart Alert will be sent to the customer for validation of the removed or added device. Additionally, whitelisting is handled because the MMS is policy driven.
Can access be denied by MAC address through the MMS software?
Yes, the MMS console interface allows an operator to blacklist a device (MAC) and forwards the blacklisted MAC to the Onclave Bridge that instructs all gateways and OEM gateways to ignore the blacklisted device.
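The answers above on unauthorized devices, Smart Alerts, behavioral baselining, MAC preloading and MAC blacklisting describe one policy loop: observe a MAC on a segment, alert if it is unknown or behaving outside its learned pattern, and let an operator allow or deny it, with the denylist pushed down to the gateways. The following is an added illustration of that loop written for this page; it is not Onclave's code and does not reflect how the MMS, Bridge or Gateway are actually implemented. All MAC addresses, segment names and events are constructed, and the class and method names (`EnclavePolicy`, `observe`, `gateway_forward`) are this example's own.

```python
"""Added example (not Onclave's code): a small model of enclave device
inventory, unknown-device alerting, peer baselining and MAC allow/deny
policy. All MACs, segments and events below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-1A-2B-..' and '00:1a:2b:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Alert:
    kind: str       # "unknown-device", "segment-change", "anomalous-peer", "blocked"
    mac: str
    segment: str    # where the device is logically, so the operator can find it
    detail: str = ""


@dataclass
class EnclavePolicy:
    allowed: Dict[str, str] = field(default_factory=dict)        # mac -> registered segment
    denied: Set[str] = field(default_factory=set)                # denylist pushed to every gateway
    learning: Set[str] = field(default_factory=set)              # macs still building a baseline
    baseline: Dict[str, Set[str]] = field(default_factory=dict)  # mac -> peers seen while learning
    alerts: List[Alert] = field(default_factory=list)

    def preload(self, mac: str, segment: str) -> None:
        """Pre-register a device so it may join the enclave when it comes online."""
        mac = norm_mac(mac)
        self.allowed[mac] = segment
        self.learning.add(mac)
        self.baseline.setdefault(mac, set())

    def deny(self, mac: str) -> None:
        """Operator blacklists a MAC; gateways will ignore its frames from now on."""
        mac = norm_mac(mac)
        self.denied.add(mac)
        self.allowed.pop(mac, None)

    def freeze_baseline(self, mac: str) -> None:
        """End the learning phase; further unseen peers become anomalies."""
        self.learning.discard(norm_mac(mac))

    def gateway_forward(self, src_mac: str) -> bool:
        """Gateway-side check: only the denylist drops frames (assumption of this model;
        unknown devices are alerted on, not silently dropped)."""
        return norm_mac(src_mac) not in self.denied

    def observe(self, src_mac: str, segment: str, peer_mac: str) -> Optional[Alert]:
        """One observed conversation: src talked to peer on the given segment."""
        src, peer = norm_mac(src_mac), norm_mac(peer_mac)
        alert = None
        if src in self.denied:
            alert = Alert("blocked", src, segment, "frame dropped by gateway")
        elif src not in self.allowed:
            alert = Alert("unknown-device", src, segment, f"first seen talking to {peer}")
        elif self.allowed[src] != segment:
            alert = Alert("segment-change", src, segment, f"registered in {self.allowed[src]}")
        elif src in self.learning:
            self.baseline[src].add(peer)          # still learning normal behaviour
        elif peer not in self.baseline[src]:
            alert = Alert("anomalous-peer", src, segment, f"{peer} not in learned peer set")
        if alert:
            self.alerts.append(alert)
        return alert


def run_demo() -> List[str]:
    """Constructed scenario: a PLC and HMI are preloaded, a laptop appears,
    the operator denies it, then the PLC talks to a peer outside its baseline."""
    p = EnclavePolicy()
    p.preload("00:1A:2B:00:00:01", "ot-plc")                       # PLC (constructed)
    p.preload("00:1A:2B:00:00:02", "ot-plc")                       # HMI (constructed)
    p.observe("00:1a:2b:00:00:01", "ot-plc", "00:1a:2b:00:00:02")  # learning: PLC <-> HMI
    p.freeze_baseline("00:1a:2b:00:00:01")
    p.observe("00:1a:2b:00:00:01", "ot-plc", "00:1a:2b:00:00:02")  # normal, no alert
    p.observe("AA:BB:CC:DD:EE:FF", "ot-plc", "00:1a:2b:00:00:02")  # laptop plugged in
    p.deny("aa:bb:cc:dd:ee:ff")                                    # operator blacklists it
    p.observe("aa:bb:cc:dd:ee:ff", "ot-plc", "00:1a:2b:00:00:01")  # now dropped
    p.observe("00:1a:2b:00:00:01", "ot-plc", "00:1a:2b:00:00:99")  # PLC to unexpected peer
    return [a.kind for a in p.alerts]


if __name__ == "__main__":
    print(run_demo())  # ['unknown-device', 'blocked', 'anomalous-peer']
```

The model keeps the allowlist and the denylist separate on purpose: preloading a MAC says "expected here", denying it says "drop everywhere", and a device that is merely unknown is reported with its logical location rather than silently blocked, which matches the FAQ's description of letting the customer decide whether to remove it.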
How will communication between the MMS and the physical person who must respond be handled (what protocol, e.g. email, SMS, ...)?
The Client has the option to choose a primary communication method from ‘email, text, call’. There will also be actionable items contained inside the alert itself that allow the Client to self-remediate issues.
How is loading of the MMS on Premises solution handled?
On-premises solutions are installed as a standard MMS SOC on site.
How is licensing being monitored for device quantity for an on-premises solution?
Our Managed Service is priced on a ‘per device per month’ basis. The quantity is range based (e.g., 4,001 through 6,000 devices priced at ‘x’, 6,001 through 9,999 priced at ‘y’). The MMS self-reports device counts based on system logs, and we invoice against those counts. Ranges will be set to accommodate normal adding/removing of device inventory as determined by the customer.