Digital transformations are taking place across countless businesses and industries. Big data platforms in the supply chain and fintech; automation in warehouses; AR and VR in corporate training; and the Industrial Internet of Things (IIoT) everywhere else — are just a few hotspots of innovation and investment throughout Industry 4.0.
Industrial IoT security is an ongoing concern for any professional involved in vetting, deploying, and using connected machines and devices. IT budgets are only expected to grow throughout 2022 and beyond as the cyber-physical overlap grows, but cybersecurity incidents do not discriminate. As a result, businesses large and small put themselves at risk when they fail to secure their growing networks of IIoT devices.
What’s Wrong With Industrial IoT Security?
The IIoT has expanded tremendously in a few short years, and the scale of the security problems becomes obvious with the proper perspective.
A company’s digital transformation may begin with installing connected sensors on in-house machinery. Unfortunately, these are possible attack vectors under the right circumstances and without proper protection.
When companies deploy connected IoT technologies adjacent to sensitive customer records, company IP, or networks trafficking other sensitive data, the problem scales. With the benefit of hindsight, it seems quaint that nobody foresaw the Target customer-data breach involving internet-connected air conditioners. However, it was going to happen to somebody sometime — and now that it has, it should be clear what the stakes are.
Today, this is business as usual. Companies know to vet HVAC companies touting the robustness of the security protocols aboard their internet-connected A/C products.
Early stages of digital transformations may facilitate data mobility in-house. Later upgrades may involve continuous connections with remote servers. What happens when the risk vectors expand from one retail chain’s patrons? In the United States, public utilities are typically owned and overseen by private, somewhat opaque entities.
There are excellent reasons for utility companies — water, internet, electricity, natural gas — to deploy IoT devices to pursue better service and reliability. However, this rapidly expanding web of connectivity introduces many potential points of failure regarding cybersecurity.
The crux of the industrial IoT security problem is that every connected CNC machine and lathe — and every sensor across every mile of water or gas pipeline — could give hackers a way in. Telemetry may not be valuable, but an unsecured IoT sensor may provide a route to a more valuable prize, such as financial data or intellectual property (IP).
The IIoT Security Situation in Numbers
The problem of industrial IoT security is writ large and small.
A March 2019 report from the Ponemon Institute and Tenable observed that 90% of organizations actively deploying operational technologies — including transportation and manufacturing — had sustained one or more data breaches in the previous two years.
Companies that provide critical public services represent some of the most consequential possible targets for IIoT-based attacks.
CNA Financial Corp. and Colonial Pipeline proved that most financial institutions, including some of the most significant attacks — and most public or quasi-public utility companies may not have taken adequate measures to protect their digital systems. At least one of these attacks involved a single compromised connected workstation.
IBM found that manufacturers were the most frequently targeted industry for cyberattacks in 2021. This is not especially surprising. Manufacturing companies are among the most prolific adopters of IIoT products.
Combining the physical and the cyber — by collecting abundant data and studying or modeling it — is tremendously beneficial in sourcing, fabrication, manufacturing, processing, and transportation operations throughout the industry.
The industry will be approaching the culmination of this trend by 2025. This is when professionals anticipate that around 75% of operational data in industrial settings, like plants and distribution centers, will be gathered and processed using edge computing.
Edge computing is likely the defining feature of the IIoT. But unfortunately, it’s a double-edged sword. The state of cybersecurity for the industry in 2022 is the result of decision-makers getting excited about the potential of the IIoT without staying mindful of possible harm.
What do entrepreneurs and business leaders need to know about industrial IoT security?
1. Change Factory-Default Passwords
Deloitte research published in 2020 claimed that as many as 70% of connected sensors and devices use manufacturer-default passwords. So it’s vital to change every password for every connected device when it’s brought online, whether on a factory floor or a smart home where a remote employee handles company data.
A related issue is using weak or repeated passwords across multiple IIoT devices or other digital properties. Again, companies should use unique, strong passwords each time and be sure training materials stress the importance of this as well.
2. Choose Technology Partners Carefully
Research by Synopsys indicates that very close to all commercially available software contains at least some open-source code. However, 88% of components are outdated. Furthermore, obsolete code often features unpatched software with vulnerabilities.
Business decision-makers must have at least a partial understanding of cybersecurity risks such as this one and know which questions to ask their potential vendors and technology partners. Any third party whose digital systems could introduce risk a company didn’t bargain on.
3. Create Structured Update Processes in Industrial IoT Security
Initially, it may have been straightforward for companies with limited digital footprints to manually update and maintain their IIoT systems. Today, the sheer number of deployed devices may mean updates don’t happen as frequently. IT teams don’t always remember to toggle auto-update mechanisms, either.
Researchers found an exploit in 2021 called Name: Wreck that leverages four flawed TCP/IP stacks that millions of devices use to negotiate DNS connections. These known exploits have since been patched — but devices running older software iterations risk a hostile remote takeover. As a result, billions of devices could be at risk across many consumer and commercial technologies.
Every company adopting IIoT devices must understand in advance how they receive updates throughout their lifetimes and what happens after they’re considered obsolete. Therefore, businesses should stick with systems with automatic update mechanisms and a long-anticipated operational lifetime.
4. Consider an Outside Management Team
It’s understandable to feel overwhelmed by the advantages and the possible drawbacks of investing in technology for manufacturing or any other sector. But unfortunately, many vulnerabilities and successful attacks result from companies without the time, resources, and personnel to devote to understanding information technology and industrial IoT security culture.
Companies that look before they leap with investments in Industry 4.0 may adopt a “set it and forget it” mindset that leaves software unpatched and devices susceptible to attack. As a result, one of the top trends in cybersecurity for 2022 is more companies turning to outside parties and technologies for secure, reliable, and ongoing access and identity management.
5. Outsource Connected Technologies for Industrial IoT Security
Software as a service (SaaS), robots as a service (RaaS), manufacturing as a service (MaaS), and similar business models are increasing. Unfortunately, companies can’t always spare the cash outlay to invest in the latest connected technologies and keep up with hardware and software updates over time. In many cases, it makes more fiscal sense to outsource the installation and monitoring of cyber-physical infrastructure to a remote management team.
This offloads some of the practical burden and secures access to the latest technologies. It also benefits from delivering security updates for hardware as soon as they’re available. As a result, IIoT maintenance, including cybersecurity, becomes a manageable budget line item, and enterprise planners get to focus on the real value-adding work they do.
6. Segment IT Networks and Implement Robust Device Management
Any IT network responsible for controlling connected machines should be separate from those providing general back-office or guest connectivity. They should also be hidden, with credentials only to a few as needed.
In addition, poor or nonexistent device management is responsible for many data breaches, whether through loss or theft, social-engineering attacks on personal devices, or malware installed by mistake on company machines.
Poorly managed connected machines, workstations, and mobile devices are a hacker’s ideal entryway to networks. Here’s what companies should know about device management:
- Eliminate or strictly govern the use of connected devices to process company data.
- Take advantage of remote-wipe features to remove sensitive data after the loss or theft of mobile devices.
- Ensure team members understand not to leave logged-in machines or workstations unattended.
- Implement credential lockout on all connected devices and machines.
- Carefully vet all APIs and third-party extensions or add-ons to existing digital products.
- Use two-factor or multifactor authentication (2FA or MFA) to secure the most critical logins.
Safeguard Industrial IoT Security
Distributed computing brings a wider threat surface. Unfortunately, the IIoT is still an immature sector of the economy. Some of the lessons have come at a dear cost.
Thankfully, companies considering IIoT investments have many examples of what not to do and resources for learning about minimum connected-machine cybersecurity expectations. For example, the National Institute of Standards and Technology (NIST) in the U.S. provides guidance on IoT device cybersecurity. The U.K.’s National Cyber Security Centre has similar resources on connected places and things.
Companies have options for safeguarding their IIoT-connected devices, and it would be wise to implement as many safety protocols as possible.
Image Credit: by Nothing Ahead; Pexels; Thank you!