Securing the Industrial Internet of Things
While organizations design and deploy Industrial Internet of Things efforts, the term is meaningless for security practitioners because Industrial Internet of Things (IIoT) is a concept. It’s difficult for security leaders to protect concepts.
That’s according to Katell Thielemann, VP analyst at Gartner Inc.
“[Security practitioners] need to approach the problem with specifics, understanding that they are dealing with cyber-physical systems that have very specific characteristics and understanding those characteristics is key to defining how to craft a security approach,” she said.
Too often, speed of initial deployment takes precedence over a security strategy that should encompass the entire lifecycle of systems, Thielemann said. Too many organizations bring an IT-centric view of security to industrial environments when it comes to IIoT efforts.
While securing operational technology (OT) is gaining executive-level attention and visibility with regulatory authorities, bringing these systems under full cyber-visibility and protection, and ensuring ongoing vigilance, is challenging at multiple levels, said Santha Subramoni, global head of cybersecurity services at Tata Consultancy Services.
At the foundation level, the threat surface (the area that can be attacked) is itself complex and varied, making asset discovery and integration an enterprise security architecture challenge, Subramoni said. Sensors, edge devices and connectivity, along with the related data, applications and hosting ecosystems, are the core of a distributed IIoT ecosystem.
There is a significant prevalence of legacy technologies and proliferation of self-contained networks, outside of enterprise network perimeters, Subramoni said. And the lack of endpoint visibility limits the ability to take preventive measures.
“Organizations need to detect and keep a catalog of vulnerabilities at multiple levels and maintain knowledge and the technology required for the same within the industrial ecosystem, which typically has yet to mature to a manageable scale and reliability,” Subramoni said.
How a Building Materials Maker Is Securing the IIoT
Building materials maker HIL Ltd. took the first step in its digitalization journey, and in implementing IIoT, when it launched digital shop floor technology in four of its manufacturing plants in India, said Murali Raj, HIL’s chief information officer. The digital shop floor connects all machines to one network, optimizing efficiency and quality.
“Now we are moving to the next phase of predictive maintenance,” Raj said. “So we are doing POCs [proofs of concepts] on predictive maintenance and we’re doing POCs on predictive quality as well. So we also need to take care of the security measures.”
On the shop floor, real-time machine parameters are captured through sensors, programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems. The data is then transferred to the cloud through HIL’s IT network where it is analyzed in real time, Raj said. Additionally, the system generates instant alerts that the operations team can use to take corrective action.
“Previously the SCADA systems were existing as an island, not connected to the Internet,” Raj said. “So when you have your manufacturing machines and you have your PLCs on top of that, they acted together in the control room where the supervisor controlled the entire manufacturing [process]. Now, this data has to go outside the network.”
Consequently, HIL had to implement firewalls on the IT side to securely connect to the Internet. To connect its edge devices and sensors to the Internet to transfer data, the company made sure that these devices adhered to appropriate security standards, Raj said. And HIL also had to ensure that its software and firmware were patched and upgraded regularly.
After dealing with the technology, HIL also looked at people and processes.
“Previously, the maintenance engineers, electrical engineers who control the SCADA and PLC and plant didn’t even interact with any of our IT engineers, network engineers, or the leader who was looking at security for the organization,” Raj said.
Now these teams have to come together and understand one another and put a process in place to keep updated on what’s happening in their areas, he said. HIL also trained some of its IT engineers on OT and OT security and asked the plant team to have at least an awareness of cybersecurity.
“We also brought in an outside perspective where EY and Deloitte helped us to put a framework of understanding IT and OT together,” Raj said. “Since this capability was not existing internally within the organization, sometimes bringing in an outside perspective helps.”
On the process front, HIL ensured that IT security measures, such as role permissions, password resets, user access, were also being followed on the OT side.
“So the plant team, which was not used to those kinds of strong procedures, needed to accept them,” he said.
Ensure Critical Devices/Assets Are Tightly Protected
Although attacks on IIoT are less common than IT attacks, their consequences can still be tremendous, including loss of production, revenue impact, data theft, significant equipment damage, industrial espionage and even bodily harm, said Asaf Karas, co-founder and chief technology officer at Vdoo, a provider of automated cybersecurity for connected devices and IIoT.
Therefore, it’s not enough to statistically reduce the number of attacks; organizations must ensure that critical devices and assets are tightly protected from the moment they enter production, he said.
Karas offered a few approaches to help organizations improve their IIoT security:
- Adopt risk and threat management processes specific to their industry environments.
- Before deploying new devices, ensure they’re secured by design and that no exploitable first- or third-party weaknesses are found in the device code or configuration.
- Post-deployment, use asset management tools to discover and identify relevant industrial assets.
- Implement endpoint runtime application agents designed uniquely for these devices to ensure ongoing monitoring and protection.
The biggest challenge with a lot of today’s devices is that they weren’t built with cybersecurity in mind, said Kyle Miller, principal/director, Booz Allen Hamilton. They frequently run on simplified, legacy real-time operating systems that don’t support the same level of security protections as traditional IT systems. As a result, they have the potential to increase an organization’s attack surface quite significantly, he said.
Now these devices are being asked to connect directly from the industrial networks to the enterprise network to the Internet and the cloud, in a lot of cases, Miller said.
“[It’s important] to really manage that hyper-connectivity, the data flows and building out . . . a zero-trust environment where you are really managing what that device can talk to, what it can’t talk to, and in the event of a compromise, to be able to really limit its blast radius,” he said.
Before implementing IIoT systems, organizations should also have a good understanding of what types of risks they’re taking on, said David Forbes, principal/director, Booz Allen Hamilton.
To get this understanding, a company must establish the current security posture of its vendors, the solutions, the software implementation and the devices that it is deploying on its IIoT network, Forbes said.
For example, when an organization implements third-party vendor technologies, it needs to ask vendors questions such as:
- Have they built their own software on a secure platform?
- Are they using encrypted communications where necessary?
- Are there access control features in place?
“That’s very important in understanding the risk and how you’re willingly changing the threat landscape of your network by taking on these IIoT systems,” Forbes said.
Enterprises have to ensure that these IIoT devices and systems are segmented off, where appropriate, from other IT and OT networks, he said. These devices should be tightly controlled to ensure that they can remain protected but also so that one attack vector can’t create access to another.
“Those are organizational things,” Forbes said. “I think really what we’re seeing and when you look at the findings in some of these breaches and attacks, a lot of it traces back to organizational cyber-hygiene and discipline and protocols that may or may not have been put in place to begin with.”
Industrial environments are a new frontier for bad actors and all indications are that they are increasingly targeting these environments.
In 2020, there was a significant increase in vulnerabilities and threats targeting industrial environments, according to Thielemann. And it’s not surprising considering that enterprises create value through operations.
“Whether for industrial espionage or to attempt ransomware, these environments are the crown jewels for most companies,” she said. “[T]his is not about security compliance; it’s about business resilience.”
To address these challenges, organizations have to understand the key characteristics of the IIoT efforts under consideration, Thielemann said. For example:
- What are the business outcomes sought by the efforts?
- Where will the IIoT systems be deployed?
- Who will have access to them, both in the physical and cyber worlds?
- How will they be architected?
- What security solutions will come embedded versus will need to be layered?
- Will vendors need to remote in for maintenance or upgrades?
- Will data flows go through existing networks? Wirelessly?
“Organizations have to take a lifecycle view of IIoT efforts,” she said. “From requirements design to purchasing, deployment, maintenance and retirement, security considerations must be considered at each step.”
Security leaders need to realize that industrial environments are very different from enterprise-centric IT environments, Thielemann said. For example, considerations such as physical location constraints, operational resilience or even safety need to be part of the security strategy. Companies need to alter their IT-centric security approaches to account for these environments, including their approaches to patching, monitoring and authentication.
Typically, IIoT is under the purview of engineering and production departments rather than IT, said Subramoni.
“However, there needs to be organization and oversight of transformation along with technology modernization,” she said. “Most enterprises will need trusted technology and systems integration partners to scale on demand and manage the costs of protecting industrial systems. This is a fast-evolving need and the technology community is gearing up to the challenge.”