IIoT Security: A Holistic Approach

Wednesday, November 30, 2016 @ 11:11 AM gHale


By Jalal Bouhdada
Equipment such as sensors, gateways, processors and actuators continuously evolve, communicating with each other via the internet. Due to this fact, the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) are quickly becoming a business reality within various industrial sectors.

Currently the IIoT is increasingly closing the gap between IT and operational technology (OT), meaning companies have access to real-time critical data in a cost-effective manner.

RELATED STORIES
Monitoring a Growing Network
ROK: Securing Connected Enterprise
PSUG: Designing a Security Program
IoT Attack Scare: Is Industry Ready?

Enhanced intelligence and fast delivery are key drivers for further investment in IIoT, but as the technology is still in relative infancy, security is a rising concern.

Built in Security
IIoT security requirements are currently in their early stages, as many suppliers’ primary focus remains on the innovative nature and functionality of a product. Security has therefore not been on the agenda of many smart device manufacturers for some time.

That mindset has led to IIoT devices suffering exposure to a wide range of risks. Such risks include distributed denial of service (DDoS) attacks and hackers manipulating data and process values. A prime example of this came about when Applied Risk researchers discovered several flaws in industrial products, which could allow hackers to execute arbitrary code within webpages and modify the settings of vulnerable devices.

The potential ramifications of a breached industrial environment go far beyond the boundaries of cyber space, making it an even greater threat than those seen in traditional IoT networks. This is reflected in the impact on physical processes, as disruption of these can lead to serious consequences such as tripping a plant, overfilling a tank and the release of gas or chemicals. Even more disturbingly, this can result in fatalities, injuries and damage to assets or the environment.

The emergence of IIoT has led to increasing needs and adoption of Internet-enabled devices from various industries. The initial attacks and vulnerabilities discovered should act as a real eye-opener for businesses. These attacks demonstrate the financial and reputational consequences of security not being taken seriously and should also be seen as a wakeup call for industries to address security throughout the lifecycle of these devices. Vendors and suppliers looking to implement security into industrial products from the outset should look at the available security frameworks, such as those from the Industrial Internet Consortium.

Holistic Security Approach
In the grand scheme of things, security should be a holistic process. This means the security of a device should be addressed from the initial phase of a project or initiative. Having the right security requirements as part of the contract and procurement process is hugely important to ensure the supply chain is well controlled. Selecting a product based on the business and technical requirements, backed by the security assessment of the device, is essential to understand a product’s limitations and shortcomings.

With that in mind, businesses can take proactive countermeasures to mitigate risks and function without fear of security-related downtime. This process goes even further once a product is in production to ensure all controls are in place to protect the asset from unauthorized access or tampering. This is an ongoing function that can be supported by technical and procedural controls.

Furthermore, understanding the supply chain and product ecosystem is a complex requirement, entailing a considerable amount of testing. A lot of work can be done to identify physical and logical threats, including testing the embedded security and the integrity of firmware. This can be supported by the review of the Secure Development Lifecycle (SDLC) and application and protocol layers, as well as static code analysis. It is imperative that businesses understand that security should not be considered as an additional function of industrial products, rather it should be thought of as a critical business process to prevent cyberattacks.

Jalal Bouhdada is the founder and principal ICS security consultant for Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.



Leave a Reply

You must be logged in to post a comment.