The Security Challenges of Industrial IoT

Andrew Howard

The Internet of Things (IoT) is fast turning into an intrinsic part of the digital transformation for industries such as utilities, transportation or manufacturing. The market is expected to reach a value of $922.62 billion by 2025, becoming one of the biggest catalysts for new emerging technologies.

Although Industrial IoT (IIoT) adoption offers benefits ranging from automating and optimizing the business to eliminating manual processes and improving overall efficiencies, security continues to be an afterthought, one that creates risk that industrial organizations are ill-equipped to manage.

The Trickle-Down Effect

The lack of mature security frameworks and the breadth of security considerations are big barriers for the improvement of IoT security. Today, there is no common approach to cybersecurity in IoT, which leaves the door open for device manufacturers to take their own approach, resulting in undeveloped or underdeveloped standards to guide adoption of IoT security measures and best practices.

In many cases, manufacturers designing IIoT devices are challenged to integrate effective security controls into the product design, which results in devices having little to no encryption for securing data at rest or in transit. Because security is not built into the device from the outset, users struggle to secure devices after they have been deployed, constantly leaving the door open to potential cyber-attacks, which could lead to operational downtime, loss of customer data and even end-user safety hazards.

This challenge becomes compounded as users come up against other complicating factors, such as:

  • Complexity of the ecosystem – an IIoT ecosystem is an amalgamation of diverse, dynamic, independent, and legacy devices that intertwine communication protocols, interfaces, and people. Such complexity hampers the ability of IT security professionals to even start with the most basic cyber hygiene, such as changing default passwords, keeping an inventory of hardware and software components on the company network or patching applications regularly.
  • Intricate monitoring and management – the more complex an environment, the more likely it is that IT administrators lack visibility, access, and control over one or more of its components. Moreover, the deployment of IoT devices on legacy infrastructures and non-IP based devices also exacerbates the IT administrators’ inability to monitor and control these devices.
  • Lack of IoT security awareness and knowledge – the lack of understanding of connected devices and architecture security poses a significant challenge. Most organizations don’t have a full understanding of the risk and exposures they face to protect their devices or the real impact (both positive and negative) those devices have on their security posture.

Thinking of security as an afterthought is one of the most common mistakes when building or adding new connections. IIoT can be effectively disruptive if done properly; when done poorly, it creates unnecessary risks.

Industrial IoT Security – Partnering for IIoT Security Success

Many organizations don’t have the skills needed to maintain, let alone build, their IIoT security architecture. For that same reason, they should consider partnering with specialists when moving into this space.

Managed security service providers (MSSPs) are adapting offerings to address the needs of complex IIoT environments. As IIoT devices have different application requirements, deployment conditions and networking needs than traditional enterprise environments, MSSPs are investing in specialized capabilities to understand how to configure devices for at-scale operations and to ensure that best practices are followed for both preventative and real-time maintenance.

Businesses considering partnering with an MSSP should take into account the expertise, resources and services their potential partner will bring to the table. They need to look for a provider that will deliver leading-edge security features such as threat intelligence and monitoring, data correlation and device management and support, while also understanding the differences between monitoring traditional networks and monitoring these unique technologies. Leadership will also need to revisit policies and procedures on risk management through an IIoT lens and use audits and assessments as enablers for the application of relevant security controls.

The influx of IoT devices has opened up new entry points into enterprise networks that cybercriminals can exploit. Whether it is in a new connection or an extension of a legacy architecture, cybersecurity must be at the core of the IIoT implementation. Organizations will need to take a defense-in-depth approach to cybersecurity if they are to be better prepared to face the threats targeting IIoT. This starts by identifying the challenges their implementations present, from the increased complexity to awareness and management. The point behind IIoT is to create a seamless connection between people, devices, and networks and drive efficiencies on an industrial scale. If this is to be achieved, cybersecurity is the one guest that cannot be late to the party.

Author
Andrew Howard
As CEO, Andrew focuses on expanding the international footprint for Kudelski Security’s unique blend of cybersecurity capabilities. This includes working with clients, partners, and new strategic alliances to optimize approaches to minimizing cybe...