Ensuring IoT and OT security requires collaboration
The convergence of IoT and operational technology for systems that generate large amounts of data is a unique opportunity for organizations to benefit from stronger and more resilient infrastructure, while increasing flexibility and responsiveness to new situations.
A new forecast from the International Data Corporation estimates that there will be 41.6 billion connected IoT devices, generating 79.4 zettabytes of data by 2025. A significant proportion of this data comes from industrial IoT systems, which present a different set of challenges from individual devices when it comes to cyber security and privacy.
For example, the U.K. government is planning to introduce regulations and new standards for smart energy appliances such as fridges, electric heating and air conditioning, to ensure those appliances are adequately protected against the risks they introduce and to avoid becoming a dumping ground for sub-standard smart technologies.
As with the U.K. rollout of adoption and regulation, any regulation related to IoT adoption must be well-administered to guarantee secure systems. In recent years there has been an increase in malware targeting industrial systems, made easier by the growth in connectivity.
When it comes to industrial IoT systems, there is a unique set of security considerations for each stakeholder. Still, the entire supply chain must work together to manage the security and resilience of its operational technology (OT). Suppliers, manufacturers, installers and consumers all need to carefully consider their obligations and risk management strategies for complying with requirements and the needs of the end users.
Any organization with connected OT needs to be responsive to vulnerabilities and be ready with processes to address and manage threats.
Define each stakeholder’s role
Organizations must address data hazards in parallel with adopting new levels of efficiency and customer experience. To do so, security steps must be established throughout the cradle-to-grave lifecycle. This is best achieved by outlining each stakeholder’s role. Gaps in responsibility are common, so defining everyone’s part in bearing the burden of OT security is paramount.
Organizations should also undertake a comprehensive risk assessment when connecting OT assets to a network so that risks are understood and addressed. Organizations should consider the assets, function and data in the network and identify threats. The likelihood and impact of threats occurring can be used to calculate the overall OT risk profile, ensuring relevant and appropriate controls are put in place.
The following stakeholder tips, gleaned from years of helping clients with OT security risk assessments, can help each participant understand the high-level activities they can take to secure their implementation of OT and IoT devices.
Advice for manufacturers:
This includes teams that design and build software, firmware and hardware. This also encompasses testing and fault management functions.
- Define your support model up front
- Define the lifecycle of support for software
- Monitor and test for vulnerabilities
- Use Secure by Design and Default principles
Advice for installers and resellers:
This includes teams that work with the consumers to install products and set up any ongoing management or maintenance procedures. They may be part of the same organization that manufactures the product.
- Define your support model up front
- Develop architectural patterns for secure installation
Advice for commercial consumers:
- Grasp your responsibilities
- Identify and manage risks
- Understand and monitor the support model
- Use an asset register
- Monitor for “shadow OT”
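To make three of these consumer activities concrete (keeping an asset register, monitoring for shadow OT, and the likelihood-times-impact scoring that builds the OT risk profile described earlier), here is an added example that is not part of the original article. It reconciles a small asset register against passive network-discovery log lines and flags devices speaking OT protocols that nobody registered, registered assets whose manufacturer support window has ended, and registered assets that were never observed. Every device, address, support date, score and the log-line format are constructed for this example and are not drawn from any real deployment.

```python
"""Reconcile an OT asset register against observed network devices.

Added example, not from the original article. The register fields, the
discovery log format and all values below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress
import re


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    vendor: str
    function: str
    support_end: date   # end of the manufacturer's stated support model
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)

    @property
    def risk_score(self) -> int:
        # Likelihood x impact, as used for the overall OT risk profile.
        return self.likelihood * self.impact


# Constructed asset register: what the organisation believes is connected.
REGISTER = [
    Asset("aa:bb:cc:00:00:01", "10.10.1.10", "ExampleVendor", "PLC, line 1", date(2027, 6, 30), 3, 5),
    Asset("aa:bb:cc:00:00:02", "10.10.1.11", "ExampleVendor", "HMI, line 1", date(2024, 1, 31), 4, 4),
    Asset("aa:bb:cc:00:00:03", "10.10.2.20", "OtherVendor", "Building HVAC controller", date(2028, 12, 31), 2, 2),
    Asset("aa:bb:cc:00:00:04", "10.10.2.21", "OtherVendor", "Historian server", date(2026, 3, 31), 2, 3),
]

# Constructed passive-discovery log; the line format is an assumption.
DISCOVERY_LOG = """\
2024-03-01T08:00:12Z seen mac=aa:bb:cc:00:00:01 ip=10.10.1.10 proto=modbus
2024-03-01T08:00:13Z seen mac=aa:bb:cc:00:00:02 ip=10.10.1.11 proto=modbus
2024-03-01T08:05:40Z seen mac=de:ad:be:ef:00:09 ip=10.10.1.99 proto=modbus
2024-03-01T08:05:41Z seen mac=aa:bb:cc:00:00:03 ip=10.10.2.20 proto=bacnet
2024-03-01T08:06:02Z seen mac=aa:bb:cc:00:00:01 ip=10.10.1.10 proto=modbus
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) seen mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>\S+) proto=(?P<proto>\S+)$"
)


def parse_discovery(log: str) -> dict:
    """Return the distinct devices observed, keyed by MAC address."""
    seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the run
        ipaddress.ip_address(m["ip"])  # validate the address; raises on garbage
        entry = seen.setdefault(m["mac"], {"ip": m["ip"], "protos": set(), "first_seen": m["ts"]})
        entry["protos"].add(m["proto"])
    return seen


def find_shadow_ot(register, observed):
    """Observed devices speaking OT protocols that are absent from the register."""
    known = {a.mac for a in register}
    return sorted(mac for mac in observed if mac not in known)


def find_unsupported(register, today: date):
    """Registered assets whose support window has already ended."""
    return [a for a in register if a.support_end < today]


def risk_profile(register):
    """(function, likelihood x impact) per asset, highest risk first."""
    ranked = sorted(register, key=lambda a: a.risk_score, reverse=True)
    return [(a.function, a.risk_score) for a in ranked]


def reconcile(register, log: str, today_iso: str) -> dict:
    """Full reconciliation report for a given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    observed = parse_discovery(log)
    return {
        "shadow_ot": find_shadow_ot(register, observed),
        "unsupported": [a.function for a in find_unsupported(register, today)],
        "missing": sorted(a.mac for a in register if a.mac not in observed),
        "risk_profile": risk_profile(register),
    }


if __name__ == "__main__":
    for key, value in reconcile(REGISTER, DISCOVERY_LOG, "2024-03-01").items():
        print(f"{key}: {value}")
```

In practice the register would be fed from a CMDB and the discovery log from a passive OT monitoring sensor; the point of the reconciliation is that each finding maps to a stakeholder action: shadow OT goes to the consumer's asset owner, an expired support window goes back to the manufacturer or installer's support model, and the ranked risk profile drives which controls get priority.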
Final thoughts
Devices spend most of their lives in the in-life management stage. The controls and processes for managing technical assets at this point rely on the previous stages being well-executed.
Indicators of trust, such as penetration testing and internationally recognized certifications including the IoT Kitemark Mark of Trust, can be used to help each stakeholder gain assurance about their upstream and downstream third parties.
As part of this process, stakeholders can also map their responsibilities in a table, showing who is assigned asset management, physical security, user management, encryption management, vulnerability and configuration management, security monitoring and alerting, backups, and resilient design. All parties can then refer to that table to achieve defense in depth.
Ultimately, security in OT relies on every stakeholder contributing to the whole. Just as security within an organization is everyone’s responsibility, all parties involved in the IoT asset lifecycle need to take responsibility for security and resilience. This will ensure that infrastructure remains as robust and resilient against cyberattacks as possible.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.