DDI for IIoT (Part 2)

In Part 1 of this post, we introduced the Industrial Internet of Things (IIoT) and IP topology considerations. In particular, IIoT devices could be addressed as a typical device or host, or one could allocate an independent IP block(s) to facilitate IIoT application-specific capacity, security and manageability practices. The benefit of this latter approach is “air gapping” separation of IIoT devices from the enterprise network adheres with judicious network security practice.

IIoT air gapping

Maintaining separation of the enterprise network from the IIoT network and even among differing zones within the IIoT network enables the isolation of malware for example within a separated zone assuming it is detected and quarantined before it can spread. The Colonial Pipeline ransomware attack in 2021 actually infiltrated the organization’s enterprise IT network systems, which was separate from their pipeline or operational technology (OT) networks. The company’s shutdown of the pipeline sought to contain any spread that may have crossed the IT-OT zones beforehand.

Separation of network zones with well-defined and guarded conduits between them is an effective means to contain a malware outbreak and is incidentally also one strategy for zero trust deployment. Another core principle of network security is defense in depth. A layered security approach which enables multiple opportunities to detect and defend against attacks from multiple perspectives increases the likelihood of success. While close inspection of network traffic traversing conduits or firewalls between security zones provides one layer of protection, others should be sought to improve detection and protection performance. For example, DNS is commonly used by IIoT devices to locate centralized reporting or data aggregation systems. Use of DNS enables network administrators to modify the IP address plan as needed without having to update every IIoT device’s configuration if hard-coded IP addresses had been required. A host domain name may remain static, but DNS enables an easy change to its corresponding destination IP address.

IIoT DNS security

Given the prevalence and convenience of employing DNS to resolve domain names within the OT network or between IT/OT networks, close examination of DNS query and response data offers an opportunity to add a defense layer to detect the presence of malware. Malware typically uses DNS to locate a malware author’s server on the Internet, enabling the perpetrator to provide instructions or code updates to successful malware infestations. DNS offers the attacker the same benefit of easily changing his/her IP address over time to evade detection. Use of a DNS firewall in such an environment can add a layer to your defenses to improve the probability of attack detection and response.

From a DDI perspective, a centralized DDI system enables secure deployment of IIoT devices by providing the ability to manage IT and OT address spaces separately yet holistically, on premises or in the cloud. Discovery of device IP addresses in the terrestrial or cloud IT and OT networks enables tracking of device inventory, also a key tenet of network security: identifying network occupants, particularly those that shouldn’t be. Overall, a robust DDI system will help you deploy and manage IIoT devices in several ways: in planning your IP network segmentation, assigning or discovering IPv4 and IPv6 addresses, and securing your DNS to protect both DNS and your IIoT estate.