According to Gartner, IIoT devices are projected to reach 3.17 billion units in 2020. This includes manufacturing field devices, process sensors for electrical generating plants and real-time location devices for healthcare. Companies taking advantage of these IP-connected business devices are already benefiting from new revenue opportunities, operational efficiencies and substantial cost savings.
However, technology developments in this space are fast outpacing industry standards — earning them an unwelcome reputation for exposing sensitive data to security risks. Developments in IIoT data protection are currently failing to keep up with the rapid rate of innovation and demand. Securing the confidentiality and integrity of data passing between all these devices remains a major challenge for many businesses as IT professionals have to familiarize themselves with multiple IIoT designs, often with immature security features, that present clear data breach risks. Data from IIoT and M2M systems is especially prized by cybercriminals as they seek to intercept and sell intellectual property and personally identifiable information.
Recent research by Forrester found that the top three challenges for IT professionals are IIoT integration, migration/installation risks and privacy concerns. In the study, 92% of C-level respondents reported that they implemented security policies for managing IoT devices, yet less than half (47%) reported that they did not have enough tools in place to enforce those policies. Undeterred, businesses are continuing to invest in IP-connected devices — 49% of respondents expect to increase spending on IIoT security this year.
While business spending on cybersecurity is projected to amount to $134 billion by 2022, the majority of industry experts agree that built-in security is the answer to establishing a trusted standard of IIoT security. Incorporating security into the initial IIoT design process will maintain the privacy and integrity of highly sensitive data from the beginning.
Built-in security properties
Security should never be an afterthought. Device manufacturers must adopt a security-by-design approach and build better security into the initial development of IIoT devices. Being proactive with cybersecurity practices can save a business from a widespread data breach or prevent a hacking incident that results in revenue loss and customer mistrust. The following security measures are recommended for built-in IIoT protection:
- In-depth protection: Device software should have multiple defense layers;
- Automated security patching: The ability to automatically patch and update IIoT device software in line with prevailing threat developments;
- Unique hardware identity: Every device should be assigned a unique identifier inextricably linked to its hardware that marks it out as trustworthy;
- Independently tested trusted computing base: Device operating systems and security mechanisms, including access control, authorization and authentication, virus protection and data backup, should be verified according to recognized industry standards;
- Compartmentalization: Applying network security segregation within the device hardware to prevent attacks from spreading;
- Software failure alerts: Software failures should be automatically reported to the manufacturer; and
- Authentication with certificates: Device authentication should always use certificates rather than passwords.
Virtual private networks
Even when the above properties are built into IIoT devices, there is one major security measure that businesses must implement. All remote connections and monitoring of IIoT devices should be secured with industry-proven encryption technology such as virtual private network (VPN) software. VPNs can secure the IP connection of every IIoT device so that data traffic is encrypted as it passes between individual devices and the remote central management point over the internet. When combined with remote access controls and certified authentication measures, VPNs form an effective barrier that shields confidential company data from the unwanted attention of unauthorized parties.
In summary, the phenomenal growth in development and adoption of IIoT devices is rapidly outpacing manufacturers’ ability to make them completely secure. In the next few years, we should see more manufacturers building best-practice security measures into devices. Though there are several recommended properties for built-in security, such as security patching and authentication with certificates, encrypting communications with VPNs is essential. Centrally managed VPN software provides vital data encryption for the many thousands of remote connection points that make up an IIoT environment. In combination with built-in security features and processes, VPNs provide robust protection for maintaining the privacy and integrity of highly sensitive IIoT data.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.