What the rise of industrial IoT means for cybersecurity
It is difficult to find an industrial or operational technology firm today that is not focused on incorporating IoT, or at least exploring how to do so. According to some estimates, the industrial IoT industry will have more than 46 billion active industrial connections by 2023. The market is demanding smart features and connectivity for new systems, and as IoT concepts continue to mature and new, innovative technologies emerge, these will also quickly move into the IIoT space.
IoT is being applied in a wide range of industrial use cases, from sensors used to track things like equipment health, fuel efficiency and energy management to fully automated machines and robots used to outfit smart, connected factories. While IIoT offers tremendous opportunities to deliver more and richer data to drive operational efficiency and smart decision-making, it also puts increasing pressure on cybersecurity.
According to Frost & Sullivan, cyberattacks within the energy and utilities industries alone cost an average of $13.2 million per year. Hacking operations — such as LockerGoga, which crippled Norsk Hydro’s aluminum production, costing the company an estimated $52 million in losses; Dragonfly 2.0, which targeted dozens of energy companies in the U.S. and Europe; and GreyEnergy, which took down power grids in Ukraine — all go to highlight how hackers are taking full advantage of security vulnerabilities within industrial control systems and why security is becoming increasingly mission-critical in the IoT era.
If done properly, IIoT can be disruptive. When done poorly, it can create a material security risk. To best protect against cyberattacks and other security risks, each industrial device should be secured. Manufacturers should design each IIoT device or sensor to comply with current cybersecurity best practices, such as the principle of least privilege, defense in depth and access control. For example, IIoT devices should be designed with security in mind, including the capability for secure over-the-air updates that mitigate threats not present at deployment.
Unfortunately, particularly in the industrial space, huge numbers of legacy devices exist that are difficult to secure due to uptime requirements and cost. What’s more, legacy equipment is an especially easy target since much of it was not designed or built with security in mind.
Getting IIoT security right
When it comes to securing IIoT environments, it’s best to start with the basics. This includes a focus on patch management, identity management and monitoring. Building out a comprehensive security plan requires understanding and properly setting up each of the four layers of IIoT architecture to prevent compromise now and in the future.
Device layer
The device layer is where the digital world meets the real world, and hence where it is most at risk. This layer consists of IoT hardware, software, sensors and actuators. IoT devices are susceptible to spoofing, tampering, theft, elevation of privilege, information disclosure and repudiation threats. While organizations should look to design security into the devices by incorporating a hardware root of trust, at minimum they should adopt a strong secrets strategy — passwords, keys, certificates and so forth — or invest in additive security to harden devices in the wild.
Communication layer
The communication layer defines the communication protocols, network technologies and communications service providers necessary for the IoT system. It may also define the necessary security protocols, for example, data transport layer security, or other security mechanisms, such as X.509 certificates. In general, this layer is susceptible to eavesdropping, tampering, information disclosure, spoofing and denial of service. Strong encryption on all communication channels should be a security priority. Where feasible, mutually authenticated channels are preferred.
Cloud platform layer
The cloud platform ensures end-to-end semantic consistency of data objects throughout the distributed industrial IoT system. It describes how data flows into, out of and through the system, as well as how it is transformed and stored. It also contains the features and intelligence that give an organization its competitive advantage. It provides the stream processing, event processing, dispatching, orchestration, analytics, algorithms and machine learning necessary to meet the needs of the business. This layer is susceptible to threats like tampering, information disclosure, elevation of privilege, theft and denial of service. Organizations should invest in a third-party assessment or monitoring of their cloud platform as virtually all attacks will involve taking advantage of weaknesses in this layer.
Process layer
The process layer focuses on how the organization will integrate IoT projects with governance, operations and management processes, and line-of-business systems. The weakest link in a cybersecurity architecture is people. Their negligence in understanding and implementing cybersecurity practices and policies can render the entire ecosystem vulnerable to debilitating cyberattacks. These attacks include repudiation and theft of sensitive information, such as intellectual property.
Also, emerging security regulations help to ensure a baseline level of protection for the broader industry. We’re starting to see movement on Capitol Hill to address and crack down on industrial security threats, most recently through H.R. 5733, the DHS Industrial Control Systems Capabilities Enhancement Act, a bill introduced in the House this past year.
IIoT security: Should you go it alone?
Securing IIoT devices or networks is a specialist field. Many companies don’t have access to the necessary skills to build and maintain a sustainable IIoT security architecture. As such, one critical question for businesses as they develop their IIoT security strategy is whether to go it alone or to get help.
Organizations should have their devices and networks inspected and tested for vulnerabilities and take the recommended actions to mitigate any risks. They should also demand suppliers harden devices and design products against tampering and attacks.
Organizations may also want to investigate third-party monitoring. Managed security service providers are adapting to meet demands created by complex IIoT environments, but this too is a specialist field as IIoT data and networking requirements are different from traditional network monitoring.
As businesses consider working with a managed security service provider, they should ensure that the partner they are considering has the expertise, resources and services to guide them through the process of designing, implementing and managing IIoT security throughout the entire device lifecycle.
At a basic level, this means ensuring the partner’s IIoT security platform can integrate seamlessly into the existing environment, can be controlled and verified securely from a central location, and can scale to meet changing needs. At a more advanced level, this requires being able to provide a global view of all devices and of the network as a whole to reduce detection time and combat advanced adversaries.
It should be noted that IIoT security is a continuum and it’s impossible for every connected system or device to behave securely within every context. Therefore, a good rule of thumb and a sound approach for any industrial enterprise is to always adopt an evolving security posture and to also take steps toward due diligence before bolting on the latest piece of technology.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.