Top 3 Security Considerations For IIoT Devices
As industries evolve and devices proliferate across the industrial sector, the security of IIoT devices is becoming increasingly critical. The frameworks, standards, and methodologies that ensure security in design, as well as in operations, need to be factored into both the design and the lifecycle of these systems.
Businesses within the critical infrastructure sector generally have technologies that both operate the business (IT) and enable the business’s mission-critical functions to occur (OT). Although the technologies may be ubiquitous, it is the function that denotes the criticality of the technology asset, particularly in sectors such as utilities, transportation, and defence.
If we focus on the proliferation of devices within the Industrial Internet of Things (IIoT) market and what is driving this growth, we find that cost reduction, flexibility of deployment, and the search for new data sources to improve decision-making are core facets. This rush to find data has the potential to expose new threat vectors to organisations that may be used to static Operational Technology (OT) footprints. With cyber security as a primary risk management activity, the goal of continually identifying and mitigating security risks becomes more complicated with the addition of each new vector.
Businesses should seek specialists who provide alignment to relevant OT standards that can (and should) play a role in IIoT environments. Although there are important demarcations between the functions of IIoT and OT, the similarities should not be neglected when considering security.
What are some considerations for IIoT Security?
A standardised approach will ensure quality security outcomes, and it is with this in mind that we recommend three initial tasks to safeguard your IIoT deployments.
1. Assure the security of remote updates
The nature of IIoT devices means that they are often deployed at scale, making manual updates difficult, expensive, or simply unfeasible. To address this, almost all IIoT devices will offer remote upgrades either over the air or via remote mechanisms.
The advice is to ensure that a process is followed to protect the integrity and authenticity of software. It is essential that updates are performed during administration activities – even a trivial activity such as confirming that a supplier’s hash matches what was provided can ensure traceability for the software. Additionally, any implementation should utilise either secret keys or PKI technology and have the choice of using Security Layers or protected authorisation token-based interaction.
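As an added illustration (not code from the original article), the sketch below checks an update the way the paragraph describes: it first authenticates the supplier's manifest with a shared secret key (HMAC-SHA256, the "secret keys" option; a PKI deployment would verify a digital signature instead), then confirms the image hash matches the manifest. The manifest fields, key, and firmware bytes are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo values; a real key would come from secure device storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_IMAGE = b"\x7fFIRMWARE 1.2.3 (constructed sample image)"


def build_manifest(image: bytes, version: str) -> dict:
    """Supplier side: describe the image by size and SHA-256 digest."""
    return {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted, compact) JSON encoding."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(image: bytes, manifest: dict, tag: str, key: bytes) -> Tuple[bool, str]:
    """Administrator/device side: authenticity first, then integrity."""
    # 1. Authenticity: the manifest must carry a valid tag from the key holder.
    if not hmac.compare_digest(sign_manifest(manifest, key), str(tag)):
        return False, "manifest authentication failed"
    # 2. Integrity: the delivered image must match the authenticated manifest.
    if manifest.get("size") != len(image):
        return False, "size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("sha256", ""))):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = build_manifest(DEMO_IMAGE, "1.2.3")
    tag = sign_manifest(manifest, DEMO_KEY)
    print(verify_update(DEMO_IMAGE, manifest, tag, DEMO_KEY))
    # An altered image with a recomputed hash still fails: the tag no longer matches.
    bad = DEMO_IMAGE.replace(b"1.2.3", b"6.6.6")
    print(verify_update(bad, build_manifest(bad, "1.2.3"), tag, DEMO_KEY))
```

A bare hash comparison only detects corruption or substitution if the hash itself arrives over a trusted channel; authenticating the manifest is what ties the hash to the supplier.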
2. Ensure end-to-end encryption
When selecting IIoT devices, ensure that there is support for end-to-end encryption via common methods such as Transport Layer Security (TLS). In any web communication, TLS should be a prerequisite, including for management traffic, as without adequate security the device or its data can be hijacked, stolen, or altered in ways that could be dangerous.
3. Disable unused ports and remote debug features
Many IIoT devices have unnecessary open ports, including in some cases the ability to remotely debug the device. Prior to use, and ideally when devices are undergoing type approval, these should be assessed so that any unused ports and functions are disabled. It is also recommended that products are professionally penetration tested on both remote and local interfaces as part of type approval.
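One way to make that assessment repeatable, shown as an added example rather than anything from the original article: compare a device's listening TCP sockets against an approved baseline and report everything else. The input is constructed `ss -tlnH` output from a Linux-based device, and the approved ports and their justifications are assumptions for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output captured on a device under assessment.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:8883 0.0.0.0:*
LISTEN 0 1 0.0.0.0:2345 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
"""

# Assumed approved baseline for this device type: port -> justification.
APPROVED = {22: "SSH administration", 8883: "MQTT over TLS"}


def parse_listeners(ss_output):
    """Yield (address, port) for each listening TCP socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets / scope id
        if port.isdigit():
            yield host, int(port)


def is_loopback(host):
    """True only for addresses that are not reachable from the network."""
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed


def unapproved_listeners(ss_output, approved=APPROVED):
    """Network-reachable listeners that are not in the approved baseline."""
    findings = [(host, port) for host, port in parse_listeners(ss_output)
                if port not in approved and not is_loopback(host)]
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for host, port in unapproved_listeners(SAMPLE_SS):
        print(f"disable or justify: {host}:{port}")
```

In the sample, the Telnet listener on port 23 and the constructed debug listener on port 2345 are reported, while the loopback-only service on port 5000 is not.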
Thinking of an IIoT deployment?
With any IIoT deployment, security assurance activities should form a key part of the delivery program. Security should be expressly considered during project establishment, procurement, design, testing and validation. Without budgeting for the necessary security considerations during project planning, design, and system roll-out, the post-deployment implementation of security controls can add significantly more cost and delays to the project.
Additionally, the above recommendations apply to the IIoT devices themselves; further security advice, assessment, and assurance will be required for overall integration and risk management on the network. There are various standards that can be tailored to each unique IIoT deployment to help ensure a Secure by Design approach, so it is advisable to seek professional input early in the project lifecycle.
We thrive on helping our customers realise a secure and safe operation. For more information on any of the above, please reach out to any of our team members, for a no-obligation chat about your challenges.