Security concerns around the Internet of Things (IoT) are growing, but the issues can be especially problematic in industrial organizations, where connected devices often control heavy machinery and dangerous systems.
Examples like the Stuxnet worm, which took down large nuclear centrifuges, and attacks that took down part of the power grid in Ukraine are often seen as weapons confined to cyber warfare. However, as more and more industrial systems become connected, similar attacks could be seen among businesses in the future.
At a presentation during the 2017 Dell EMC World conference in Las Vegas, Rohan Kotian, senior product manager for IoT security at Dell EMC, explained the major trends affecting industrial IoT. Here are nine best practices Kotian recommended for improving industrial IoT security
1. Understand the concerns
From the manufacturer, many IoT devices come with minimal security controls, if any at all. Clarity of asset ownership, lack of standardization, flat network issues, inefficient patch management, and resource constraints are all concerns that should be taken into account, Kotian said.
2. Study the attack trends
The recent Mirai botnet distributed denial-of-service (DDoS) attack took down a popular DNS service and left many internet companies out of commission. Being that most IoT devices have default or no credentials, the Mirai botnet spread rapidly, Kotian said. However, a security framework has been built up around Mirai, which can be leveraged by companies to protect against future attacks.
Another trend is that ransomware is moving from files to devices, with attackers beginning to target IoT devices. Attackers are also exploiting old vulnerabilities on old devices that haven’t been updated, Kotian said. Additionally, the search service Shodan offers a broad look into open IoT devices.
3. Evaluate the risk of blending IT and OT
IIoT requires IT and OT to work together. Although, the two often have different goals and concerns. IT is often concerned with infrastructure, security, and governance; while OT can sometimes be focused on yield, quality, and efficiency, Kotian said. Businesses must think of who needs to involved in their IoT deployment and these employees can share a mission. It’s also important to note that IT and OT approach security differently, evaluating different risks, focusing on different patching cycles, protocols, and more, Kotian said.
4. Consider major IIoT security viewpoints
Security in IIoT requires specific considerations. End-to-end security must be handled from edge to cloud and security technologies must be wrapped around legacy systems, Kotian said. IT must also account for constrained system resources and work to get the right mix of human and automation interaction.
5. Classify risk
Industrials organizations need to understand that risk is not static, Kotian said. These organizations should account for legal ownership of IoT components and the supporting systems. The physical consequences of IIoT errors can be much more grave than other IoT breaches.
Kotian noted that a proper security posture for IIoT must consider operations as well. Once an organization has classified the risks facing it, it must build out a security framework to address these risks.
6. Consider the devices
When thinking about IIoT devices, IT needs to think about security features involved with on-boarding, authentication, and provisioning. The data sent by the devices is also a critical security concern. Data integrity and confidentiality should be a top focus, Kotian said, with businesses constantly thinking about where the data is moving and how they’ll encrypt it. Asset management and visibility, along with behavior analytics are also top considerations.
7. Consider the gateway
Outside of devices, the gateway is also a critical security vector in IIoT. Captain recommends that organizations follow best practices and system hardening for starters. Secure boot and execution, and secure credential storage can help these companies better secure their gateways, Kotian said.
8. Leverage the value of the fog
The fog, or adding compute to the edge offers three advantages, Kotian said. First, it brings real-time decision making through edge analytics. Second, data transfer cost is reduced with compression and cleansing. And third, security and data continuity can be improved through local operations.
9. Secure data access
Industry standards should be used for authentication and authorization to secure access to company data, Kotian said. Additionally, firms must ensure data integrity and protection as well, and focus on secure credential management for keys, credentials, and access tokens.