Funtap - stock.adobe.com
Many organizations across verticals already implement industrial IoT, but that doesn't mean their deployments are secure.
IIoT introduces various operational technology (OT) architectures with different threat vectors and associated risks to traditional IT systems. Many risks have existed for decades, but some emerge with IIoT connections.
Common security risks that IIoT devices and associated technology bring to organizations can be organized into three categories: administrative and operational risks, technical risks and physical risks.
1. Administrative and operational risks
This type of risk involves human-made risks, whether accidental or intentional, such as incorrect use of IIoT devices or an attacker trying to break into the network.
A lack of a comprehensive IIoT security risk management program makes the entire organization vulnerable. The program must include documented policies, procedures and regular training to identify, manage and eradicate cybersecurity risks where possible.
Accidents and errors made by humans can leave gaps in security, such as through misuse or incorrect installation of IIoT devices with legacy systems in use. Organization insiders with malicious intent and outsiders also target IIoT devices.
IIoT device and systems manufacturers can go out of business and disappear or stop support while organizations still use their IIoT technology. This can leave IIoT devices that may be used for critical purposes with vulnerabilities that are subsequently exploited.
2. Technical risks
More devices expand the attack surface. Devices often have vulnerabilities unknown to the users and discoverable by cyber attackers.
IIoT deployments create new connections between IT and OT, which adds to the deployment's complexity and security risks, particularly for nonstandardized IIoT hardware, software and firmware. The lack of worldwide-adopted technical standards for IIoT security and interoperability results in inconsistent security in devices, controllers and supporting systems.
Many IIoT devices use weak or no cryptography, have weak or no authentication and run on poorly coded software that is vulnerable to exploits.
3. Physical risks
Natural disasters, events or attacks can interrupt or detrimentally change the way IIoT systems work.
Attackers might target poorly physically secured devices and make changes directly to them that affect the physical world in harmful ways, such as an attacker targeting IoT devices that control oil pipelines or other resources.
Many IIoT devices need to have maintenance or updates done manually, which may not be possible with the staff using them.
Follow recommended industrial IoT security practices
Certain cybersecurity goals should be part of every IIoT installation. First, organizations must use securable IIoT devices and systems. IoT teams must configure devices to prevent them from being used as part of an attack, such as distributed denial of service (DDoS), data exfiltration or modification of device settings.
Organizations should also establish data security controls. They must protect the confidentiality, integrity and availability of all data collected and processed by, stored on, or transmitted to or from IIoT technology. Lack of data integrity and inconsistency within deployments are particularly inherent risks of IIoT. Each organization implementing IIoT devices must have security capabilities within the following domains:
- Administrative and operational security controls. These are people-based actions necessary to ensure effective IIoT deployment security. The controls include actions necessary to manage the selection, development, implementation and maintenance of devices. Security measures must protect IIoT data and device functions and manage the workforce using IIoT devices. Some measures include IIoT security control settings documentation, policies and procedures, device secure-use training or performing IIoT risk assessments.
- Technical security. These are the technology-based components necessary to ensure effective IIoT security and protect the technological elements that are part of the IIoT system, such as cloud services or supply chains. This includes controls such as IIoT device authentication using multifactor authentication, encryption, secure boot and device identification techniques.
- Physical security. Physical measures and tools protect IIoT devices and all the hardware for associated servers, controllers, display screens, input and output devices, and the facilities that constitute the IIoT environment. Organizations must establish facility and IIoT device vicinity access controls that permit only authorized use and access to proprietary data and limit the ability to make modifications to the IIoT device and system controls. Examples include securing access to memory cards, disabling unnecessary USB ports, allowing only authorized entities to view IIoT readout screens, and controlling physical access to IIoT devices and related hardware.
Without the full set of controls in all three categories, IIoT devices and systems will not be secure.
Specific IIOT security issues for IT admins
IT admins need to incorporate IIoT devices, controllers and supporting systems within their overall network administration plan. This includes testing and risk management activities, risk assessments, vulnerability assessments, penetration testing, backup and recovery, security training for all who use IIoT devices, and the full range of other security activities needed in a comprehensive security program.
IT admins need to make sure basic security practices are implemented and followed. The NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, more commonly called the Cybersecurity Framework (CSF), is used by a significantly large portion of organizations throughout industries worldwide. Organizations may also consider other frameworks, such as ISO, the Industrial Internet Consortium's Industrial Internet Security Framework or ISA99 Industrial Automation and Control Systems Security.
Organizations can customize and use seven CSF categories to organize and adjust their security strategy and expand security controls to include IIoT devices, systems, applications and clouds:
- asset management;
- business environment;
- risk assessment;
- risk management strategy;
- supply chain risk management; and
- information protection processes and procedures.