Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.1.3. Specialized Systems: IoT, ICS/SCADA, and Embedded

💡 First Principle: Specialized systems prioritize operational function over IT security. Medical devices, industrial controllers, and IoT sensors were designed to work reliably for years — not to receive security patches. This creates a fundamental tension: they're often the most critical systems and the hardest to secure.

Internet of Things (IoT) — network-connected devices with sensors and limited compute: smart thermostats, cameras, medical devices, wearables. Security challenges: minimal processing power (can't run antivirus), infrequent or impossible firmware updates, default credentials, and often no encryption.

Industrial Control Systems (ICS) / SCADA — systems controlling physical processes in manufacturing, power plants, water treatment, and transportation. SCADA (Supervisory Control and Data Acquisition) provides centralized monitoring and control. These systems run for decades, use proprietary protocols, and patching risks operational disruption. A vulnerability in a power plant controller isn't just an IT problem — it's a safety problem.

Embedded systems — purpose-built computing systems within larger devices (car engine controllers, ATMs, medical imaging). They have real-time operating systems, fixed functionality, and very limited attack surface — but when compromised, the consequences are physical.

RTOS (Real-Time Operating System) — an OS designed for deterministic, time-critical operations. Used in embedded systems where delayed responses could cause physical harm.

Securing unpatchable systems requires compensating controls since traditional security approaches don't apply. Network segmentation isolates these systems from general IT traffic. Application allow listing prevents unauthorized code execution on systems that can support it. Network monitoring detects anomalous communication patterns — a PLC that normally communicates with one SCADA server shouldn't suddenly be reaching the internet. Wrappers and proxies can add encryption and authentication to devices that don't natively support them. The key principle: if you can't secure the device itself, secure everything around it.
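
The network-monitoring control described above, as an added example that is not part of the original course material: each controller gets a baseline of allowed peers, and any flow outside it is flagged. The addresses, site range, flow-record format, and function names are all assumptions made for illustration.

```python
import ipaddress

# Assumptions (all hypothetical): site address space and each controller's allowed peers.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BASELINE = {
    "10.20.0.11": {"10.20.0.5"},  # PLC-1 talks only to its SCADA server
    "10.20.0.12": {"10.20.0.5"},  # PLC-2 talks only to its SCADA server
}

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2026-01-10T08:00:01Z 10.20.0.11 10.20.0.5 502
2026-01-10T08:00:02Z 10.20.0.12 10.20.0.5 502
2026-01-10T08:03:17Z 10.20.0.11 10.30.4.20 445
2026-01-10T08:05:44Z 10.20.0.12 203.0.113.7 443
2026-01-10T08:06:00Z 10.30.4.20 10.30.4.1 443
malformed line
"""

def classify(dst):
    """Return 'internal' if dst is inside the site's address space, else 'external'."""
    addr = ipaddress.ip_address(dst)
    return "internal" if any(addr in net for net in SITE_NETS) else "external"

def find_violations(flow_text, baseline=BASELINE):
    """Return (alerts, skipped): baseline violations and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in flow_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            src = str(ipaddress.ip_address(src))  # normalise and validate
            dst = str(ipaddress.ip_address(dst))
            port = int(port)
        except ValueError:  # wrong field count, bad address, or bad port
            skipped += 1
            continue
        allowed = baseline.get(src)
        if allowed is None or dst in allowed:
            continue  # not a monitored controller, or an expected peer
        alerts.append({"time": ts, "device": src, "peer": dst,
                       "port": port, "scope": classify(dst)})
    return alerts, skipped

if __name__ == "__main__":
    alerts, skipped = find_violations(SAMPLE_FLOWS)
    for a in alerts:
        print(f"{a['time']} {a['device']} -> {a['peer']}:{a['port']} [{a['scope']}]")
    print(f"skipped {skipped} unparseable line(s)")
```

An "external" alert corresponds to the controller reaching outside the site, while an "internal" alert is an unexpected peer inside it, which is equally a deviation from the baseline.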

āš ļø Exam Trap: ICS/SCADA systems should be on isolated networks, not connected to the corporate network or internet. If a question describes SCADA accessible from the internet, that's the vulnerability — regardless of what other controls exist.

Written by Alvin Varughese
Founder • 15 professional certifications