Multiple questions to be considered in Industrial Internet of Things networks
BOULDER CREEK, Calif. — Industrial security and cybersecurity — not just security for the more consumer-focused Internet of Things — is a growing problem with not many comprehensive, concrete solutions.
In the factory, there are multiple questions to be considered for industrial IoT (IIoT) networks, such as what kinds of security tech to implement and where, and which threats it should address. Several industry groups have already proposed multi-layered approaches, frameworks and sets of controls for securing devices and assets in IIoT networks, and some technology for protecting connected devices and networks already exists.
According to the Global ICS and IIoT Risk Report by operational technology (OT) security firm CyberX, one-third of the OT networks whose processes are controlled by industrial control systems (ICS) are exposed to the public internet. Half lack anti-virus protection and more than half use easily hackable plain-text passwords in their control networks. More than three-quarters run obsolete Windows systems like XP and 2000 that are unsupported with security patches, while 82 percent run well-known remote access management protocols, making it easier to access and manipulate network equipment. Twenty percent have wireless access points, which can be compromised in multiple ways, including the KRACK WPA2 vulnerability in most Wi-Fi networks, discovered last October.
Using CyberX's proprietary network traffic analysis algorithms, the report analyzed production traffic from 375 OT networks in multiple sectors including pharmaceuticals, chemicals and manufacturing.
Last September, the National Institute of Standards and Technology (NIST) published last a manufacturing profile providing details for implementing its Cybersecurity Framework in the plant. Also last year, the agency published a draft revision of its SP 800-53 Security and Privacy Controls for Information Systems and Organizations, focused on how public and private sector organizations can maintain security and privacy in interconnected systems and devices such as their IoT and IIoT networks. Although the controls were developed for use by the federal government, industry organizations are also adopting them.
According to the draft revision, they are intended not just for IoT and IIoT or information security, but for protecting all kinds of computing platforms including mobile, cloud and industrial control systems.
The non-profit Center for Internet Security (CIS) hosts the CIS Controls, a prioritized list of key actions that organizations can take to protect their networks. Referenced in NIST's Cybersecurity Framework, they are considered a leading cybersecurity approach. Last year, CIS added an implementation guide for small and medium-sized enterprises.
Aimed more specifically at the IIoT, the Industrial Internet Security Framework (IISF) was developed last year by the public-private Industrial Internet Consortium (IIC) to begin creating industry consensus for securing IIoT systems. It's based on the consortium's Industrial Internet Reference Architecture, a standards-based architectural template and methodology to provide a common framework and concepts for IIoT system architects.
The IISF separates security evaluation into several factors, including endpoints, communications, management systems and supply chains for the system's elements. It includes best practices and discussions of existing standards, regulations, and guidelines for IIoT security and cybersecurity.
Last October, the IIC also released the Industrial IoT Analytics Framework, containing instructions for system architects for mapping analytics to IIoT machine and process data.
Given that the processes implemented within OT, ICS, and SCADA environments are essentially a form of communication, factories should be deploying solutions capable of visualizing and monitoring these communications, said Matt Morris, vice president of strategy and products for NexDefense, a provider of industrial and IIoT cybersecurity software solutions. These solutions are usually deployed near the network edge by connecting into either a mirror port on managed switches, or via network taps for unmanaged switches.
"These systems will primarily be implemented on-premise, within the enterprise environment, and ideally implemented system- or network-wide, but may follow along with the criticality of the assets they protect," said Morris. They should also be capable of being deployed retroactively into existing environments to continue the useful life of high-value assets, yet provide high levels of visibility and awareness.
Most mature solutions offer software-only options, hardware options, or combinations to match the flexibility required, and can detect hundreds or more types of risks and threats. Some, such as NexDefense's Integrity, can visualize and detect a broader range of risks beyond security threats, such as design flaws, misconfigurations, and system failures, said Morris.
IIoT security does require specialized software and hardware, and ultimately, security needs to be designed in, said Alan Grau, president and founder of Icon Labs, a provider of security solutions for embedded IoT and edge devices including industrial control devices. Adding security later results in implementation compromises, which are often responsible for vulnerabilities hackers can exploit. Solutions like Icon Labs' Floodgate Security Framework allow security to be designed into embedded devices themselves. Management of IIoT security should be implemented either on-premise or in the cloud, depending on the specific deployment, and integrated with IT security management, he said.
Market Research firm IDC divides security technology for the IoT and IIoT into four buckets: IoT devices and sensors, network, cloud, and physical security, said Abhi Dugar, IDC's research director for IoT security and the report's author.
The largest by far at about 70 percent is physical security, like alarm systems and physical access management, because these products are based on legacy technology that's already in place. This is also the slowest-growing category. The other three are much smaller and total about 30 percent combined. The largest is devices and sensors, followed by cloud products and network products. For the 2017 to 2021 forecast period, all three are expected to grow in the 13 to 16 percent CAGR range, with devices and sensors growing the fastest at 16.1 percent.
— Ann R. Thryft is the industrial control & automation designline editor on EETimes.