By Cliff Ortmeyer, Head of Marketing at Newark
Manufacturers seek new technological innovations to improve productivity and, ultimately, their market competitiveness. It’s why the Industrial Internet of Things (IIoT) has drawn the industry’s attention to the benefits of making their factories smarter and more data-driven.
Yet, large changes in ways of working can cause confusion, inaction, or even introduce risk. Manufacturers can easily become overwhelmed by all that they don’t know – what new devices should they add, what new data they will generate, and how they keep that data safe.
Recent surveys of executives and decision makers found that security is a top concern in adopting IIoT. While they are excited about the ability to extract new value from the devices they already have, they are concerned about the business risks that IIoT done poorly could have on their operations.
Manufacturers also need a network that is well architected to ensure the reliability and resiliency of their systems as the devices (such as sensors and actuators) become digitized and interconnected. But increasing interconnectivity also brings a risk of cyberattacks. Unfortunately, when manufacturers connect a device – wired or wirelessly – they need to accept that, at some point in the service lifecycle of that device, ‘somebody’ will try to attack the device itself or the protocols and standards it uses.
That’s because these devices were originally designed to be used in well structured, closed systems; not to be connected and exposed to corporate networks or the Internet where they might be subject to unintentional traffic or intentional attack. As such, most protocols used in industrial systems today have limited built-in security. The devices often have been tested on how well they behave under proper conditions, and those devices can fail when exposed to malformed packets or excess traffic.
Consequently, the benefits of the IIoT cannot be achieved without multiple layers of security that successfully protect all the networked systems and devices. Secure communication, secure network monitoring and secure code execution at the device level are all essential, not optional.
It’s critical that manufacturers address security issues at every layer. While traditional endpoint security and network-monitoring technologies protect IT business applications, these technologies won’t work for the embedded devices in the IIoT. These operational assets must be protected against cyberattacks by integrating security directly into the endpoint devices themselves.
The following lays out the key areas that must be addressed for effective IIoT security:
• Preservation of functionality – Embedded control devices are at the heart of smart factories. Successful cyberattacks on them can have catastrophic consequences; thus, security solutions must both protect the data stored on networked embedded devices and safeguard the operations they perform.
• Attack replication – Embedded devices are mass-produced. If a hacker can find a way to successfully attack one of these devices, that attack can be replicated across all devices of the same type. Thus, a single-point breach can become a mass-failure mechanism.
• Assumed security – Many manufacturers believe that embedded devices are not targets for hackers. That assumption is no longer true and security should be considered a top priority for most embedded designs.
• Upgrade difficulties – Unlike other networked devices, embedded devices are not easily patched. After they are deployed, they run factory-installed software for as long as they remain operational, even if that code has security vulnerabilities.
• Long life cycles – Life cycles of embedded devices are typically much longer than life cycles for PCs or consumer devices and they may be in the field for 15 to 20 years or more. Implementing designs that will withstand the ever-evolving security threats expected over the next two decades is a tremendous system engineering challenge.
• Deploying outside enterprise security perimeter – Embedded devices are either mobile or deployed in application environments. As a result, they may be directly connected to the internet, totally outside the security protections installed in corporate environments.
With these concerns in mind, where can manufacturers turn for help in figuring out their IIoT security approaches? The good news is there is an abundance of resources available. The ISA/IEC 62443 cybersecurity standards are a good starting point for guidance on how to assess and enhance IIoT system design. Another good source is the Industrial Internet Consortium, a global organization of over 200 companies that promotes the accelerated growth of the IIoT. It has recently published the Industrial Internet Security Framework Technical Report with best practices guidance.
Likewise, organizations like NIST and SANS have also published Industrial Internet security recommendations. Belden has also developed a simple “1-2-3” approach to help you assess where you are and take simple, concrete steps to enhance your system’s security.
However, before you begin any changes to your system, it is essential to start with a risk and vulnerability assessment. Once you know what your most important assets and biggest risks are, you can prioritize what to protect first and develop a plan.