You’ve already been hacked. That’s the point of view of cyber security professionals regarding your well-secured IT infrastructure. When it comes to your Industrial Internet of Things (IIoT) security, what are the chances your trillions of connected devices are secure? Not very good.
Ensuring the security, reliability, resilience, and stability of your IIoT systems is critical to ensuring trust and reducing business risk. Poorly secured IIoT devices can serve as entry points for cyberattacks. And yet, price pressure and technical constraints on IoT devices make it a challenge for manufacturers to design security features into their devices.
When thinking about industrial IoT devices, recognize that the security of these devices is not a simple “secure or insecure.” Instead, think of IIoT security as a range of device vulnerability from totally unprotected devices with no security features to highly secure systems with multiple layers of security features. But highly secure systems can come at a high price.
IoT Risk Tolerance
How much to spend on your IIoT security can be determined by understanding your risk tolerance. Your security risk tolerance is a function of how likely it is that a device will be compromised, the damage a compromise can cause, and the time/resources required to meet a desired level of protection. If I think of it from a personal perspective, I’m less concerned with someone stumbling into my YouTube account where they can mess with the channels I follow, compared to my bank account where they can drain my savings. One’s a nuisance, so it gets less effort; the other is catastrophic, so I’ll go to greater lengths to protect it.
Consider these factors as you work through the risk assessment and mitigation calculation for your business. Identify the present security risks and the potential future risks. Then gauge the costs if a risk occurs and compare them to the estimated cost to mitigate that risk. If your business can’t tolerate the cost if the risk happens, then you can justify the cost to protect your system.
When you’re reviewing these security trade-offs, try to avoid a single-facility perspective. The networked connectivity of industrial IoT devices means that security decisions made locally for one IoT device can have global impacts on your organization. A hacked device has the potential to affect your company as a whole.
Industrial IoT Security Challenges
IoT devices tend to differ from traditional computing devices in important ways that challenge security. So when you’re calculating the risk potential of a hacked IIoT device, keep some of these things in mind:
- IIoT devices deploy at a massive scale and many devices can establish links and communicate with other devices on their own in an unpredictable, dynamic fashion.
- You may not have real visibility into the internal workings of the device or the precise data streams they produce. An IoT device intended for one function may perform unwanted functions or collect more data than intended.
- Deployments often consist of many identical or near-identical devices, increasing the chance one hack can spread across all devices with the same vulnerability. Default passwords are a frequent culprit.
- Devices may have a service life longer than other equipment and can be deployed in locations difficult or impossible to reconfigure/upgrade.
- Security that’s good enough at deployment is not appropriate for the lifespan of the device. Long-term support and management of IoT devices is a significant security challenge.
- Some IIoT devices are intentionally designed without any ability to be upgraded, usually seen with low-cost components used within a more complex system.
- Functions may change when a manufacturer provides an update, leaving your equipment vulnerable to whatever changes the manufacturer made.
- Devices may have no way to alert the user when a security problem arises, making it difficult to know a security breach has occurred.
- A security breach may go on for a long time before being noticed, and correcting or mitigating the problem may not be possible or practical.
We’ll have more in-depth posts in the future regarding the security of IIoT. In the meantime, you can find good information at industry sites like the IoT Security Foundation, IEEE Internet of Things, or the Industrial Internet Consortium, or more general IoT overviews from podcasts like Stacey on IoT.