The future of IoT cybersecurity depends on how we react today
The IoT landscape shows no signs of slowing down, especially as IDC predicted that IoT spend will reach $772.5 billion in 2018. But with this exponential growth, one crucial thing is being overlooked: cybersecurity. A recent study found almost half the organizations with an IoT network have had a security breach, with larger organizations estimating one breach can cost over $20 million. How we secure and react to cybersecurity concerns today will seriously impact the future vulnerability and reliance of IoT.
More data, more risks
The methods and means to capture data in industrial and commercial IoT are currently booming and will continue to rise dramatically as connectivity and networking technology continue to improve. While this increase in data improves operational decisions, reduces manual reporting and increases safety, how can these operators be ensured their data is secure and that increased threat surfaces are protected?
With more data being transported than ever before, it’s important not only to secure assets, but to secure the communication link itself. Traditionally, supervisory control and data acquisition (SCADA) systems have been on the outside of a firewall from the corporate IT network. And with a host of legacy systems still using SCADA, this means those systems are often unprotected.
Smarter equals better
As the use of IoT technologies increases, field operators must utilize the intelligent network connecting the technologies along with intelligent data collectors, sensors and transport to provide additional value. IIoT sensors allow for more functionality, such as edge analytics and predictive maintenance, and increased connectivity to the devices using secure IPv6 standards. And for systems and networks using only remote terminal units and programmable logic controller to connect to the device, that functionality and cybersecurity might be underutilized or unavailable. Long-promised benefits, like assessing predictive failure, become possible only when the device can be accessed directly.
Operators in IIoT environments need to be concerned with everything that could be introduced to the network at every single connection point. This IoT data can be extremely useful, but safely enabling it requires a network that can meet the necessary cybersecurity requirements. Using TLS/SSL and basic AES-128 data encryption standards establishes secure connections, even where data moves across an open network, such as in an IIoT environment like manufacturing floors and oil fields. When data is properly encrypted, an unauthorized party cannot access it even if they can see it, as often is the case in IIoT. In wireless connections, standards-based connections allow relatively easy access to the moving data, leaving encryption as the only line of defense against unauthorized eyes.
Power and pain of IT/OT convergence
Traditionally, IT and operational technology (OT) environments have been divided by a firewall. However, IoT networks have reduced this wall to merely a low fence, meaning the sensors and applications in OT need to be protected to reduce the security threat to the entire network. As the convergence of IT and OT continues with the adoption of intelligent edge devices, industrial organizations are seeing security success with a connected infrastructure utilizing IP-enabled sensors or IP/IIoT-enabled access gateways. This also enables data to be shared with more than just the central control system, including direct communication between machines and multiple systems bringing in real-time sensor data.
IP technology makes it easier to deploy and talk to sensors, but it also makes it easier for intruders to infiltrate valuable data streams. Security through protocol obscurity is not a solution. There are many common attack vectors for industrial devices that become even more relevant when considering IIoT infrastructures and fully networked, geographically dispersed projects.
Knowledge is key
As companies deploy and expand their IIoT networks and technologies, they need to keep their security goals top of mind. A few questions to consider during deployment and adoption include:
- What data is being collected and/or transmitted with this technology? Is it time sensitive and/or mission critical?
- Do we need this technology to be fail-safe to prevent or eliminate catastrophic damage from occurring?
- What external factors might impact the reliable transmission and receipt of critical data from one point to another?
- What is the right tradeoff between features, ease of use and security for my installation?
Whether IT/OT convergence is a factor for an organization, both sides of the fence must put an emphasis on cybersecurity, with alignment between both parties. There are many benefits to the concept of a completely connected IoT system, but this also implies more crossover between IT and OT systems and greater cybersecurity risks. Companies need to prioritize cybersecurity in their quest to create endpoints for all their field assets.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.