Microsoft Azure’s take on industrial IoT security
The man who leads Microsoft Azure’s industrial IoT security efforts has experience in all aspects of cybersecurity, stemming as much from his academic work at Microsoft as from his efforts to develop business solutions.
Arjmand Samuel’s experimental research has taken him from projects for enterprises to the realms of smart home security, and he’s been winning industry awards since the early 2000s. Today he occupies a dual role as principal program manager and security lead for Azure IoT, developing software and designing product features while also defining Azure’s security strategy.
Such a wide range of expertise is necessary if you intend to champion industrial IoT security. In recent years, the world at large has become all too familiar with the digital vulnerabilities of internet networks – from Mirai to WannaCry – yet Samuel sees this as just half of the problem.
“What makes IoT unique when it comes to security is the combination of digital (cloud, IT) and physical (devices, sensors, machines) into one deployment,” Samuel said in an interview with The IoT Institute. “To make matters worse, teams managing digital and physical business inside our customers usually don’t collaborate on one IoT security approach.”
That makes the divide businesses commonly experience between information technology and operations technology staffs more than a disruption of culture. A lack of alignment between the two departments can leave network security gaps that play into the hands of potential hackers, in a game where they already seem to have the upper hand.
Another challenge is that, despite the many features common to all IoT systems, each industrial segment has unique security challenges to tackle.
“They have different requirements to connect devices to the cloud, how to send the data and specific industry standards,” Samuel explained. “The reality is that all the industrial segments have their own challenges regarding IoT security, so we can’t point out which one is the hardest.”
His first example is manufacturing and its standard communication protocol OPC-UA, for relaying information to the cloud via machinery and gateways. Meanwhile IoT systems for healthcare must support HIPAA, a U.S. healthcare law intended to safeguard health information. (Microsoft’s Azure blog is partially dedicated to talking clients and prospective customers through all these nuances.)
But there are plenty of industrial IoT security standards that extend across verticals. When asked what fundamental advice he has for companies securing their networks, that’s what Samuel concentrates on.
“When securing networks to transmit data to the cloud,” he said, “it is very important to use certifications for device-level authentication such as X.509 as a cryptographic safeguard.”
Even the unique vulnerabilities of smart homes and their devices – exacerbated by “cool” trumping “safe” and manufacturers competing to be first to market, much more so than with industrial IoT – must be accounted for.
“Indirectly, we ended up reaching customer scenarios such as smart home via B2B2C,” Samuel said. Azure has clients that are themselves partly responsible for the security of consumer IoT devices. In his eyes the “registration and provision of devices” is one of the greatest smart home challenges, a task Azure recently tackled with a dedicated service.
The sheer size and scope of these industrial IoT security challenges largely account for why industrial IoT case studies have been less apparent than those for consumer IoT. Now, after years of waiting, publicized use cases are appearing thick and fast. The involvement of Microsoft and other security vendors has encouraging implications for the security of these projects, and we'll soon see how their efforts stand the test of real-world use.