Today, IIoT adoption presents both high potential and high uncertainty. According to the 2019 Forrester Wave Global IoT Services report, most business leaders recognize the new opportunities, new business models and new revenue streams made possible through IIoT. After COVID-19 mandates downsized the onsite workforce drastically, IIoT use cases for asset visibility, remote connectivity, monitoring and management became more crucial than ever. But business leaders can’t lose sight of the security holes exposed by these uses and architectures.
The surge in IIoT adoption pushes new security paradigms. Traditional IT-centric cybersecurity is giving way to a security evolution that may well-deserve the term “Cybersecurity 2.0”. In scope, it has to cover more than industrial or industrial control systems (ICS) cybersecurity. After all, IT/OT convergence acts as a dual-edged weapon that may hit in new ways, not only ICS, SCADA and OT assets but also enterprise IT and cloud infrastructures.
Moving from the edge to cloud and the shift to open protocols
IIoT architectures introduce two fundamental changes in industrial infrastructure, starting with the edge-to-cloud layer. Industrial systems have been traditionally isolated from external network domains. However, IIoT opportunities revolve around gaining insights from IoT data collected from sensors and other connected assets. Edge devices aggregate the data and process data locally, but much of the data insights are derived using apps hosted in the cloud.
Public cloud environments have inherent vulnerabilities. The edge-to-cloud connectivity now exposes industrial networks and assets to external threats like data infiltration, ransomware, malware injection and more. These threats are well known in IT domains but impact the OT world more severely.
Cloud analytics also requires industrial data to now traverse through enterprise IT and public networks. Often the data must pass through multiple organizational domains, which adds new vulnerabilities unforeseen in traditional OT settings. Cybersecurity 2.0 involves protecting the entire enterprise against threat vectors induced by this north-south IoT traffic.
The second IoT-induced architectural change adds several new connected sensors, actuators, meters and a host of other IoT devices that now interplay with legacy systems. Also, traditionally, OT infrastructure protocols have been propriety with limited built-in security.
That’s probably OK when the network is segmented away or air-gapped from the external world. But to support IoT data, new open standard protocols are implemented across the OT networks. Standard protocols with open stack and more accessible vulnerabilities weaken the OT security posture. In addition to north-south traffic, mutations in lateral connectivity and traffic patterns need cybersecurity protections in the east-west direction as well.
In Irdeto’s Global Connected Industries Cybersecurity Survey covering 700 healthcare, transport and manufacturing companies, nearly 80% of the participating organizations experienced an IoT-induced cyberattack. About 50% of them experienced operational downtime as a result of the attack. The average financial loss was more than $280,000.
Although IoT-induced ICS security incidents attract much attention and airtime, organizations can’t lose sight that in many attacks, weak OT infrastructures made more accessible to adversaries are weaponized to target lucrative corporate IT resources. Thus, the Cybersecurity 2.0 framework extends beyond ICS security and must focus on protecting both IT and OT sides of the business now exposed due to IT/OT convergence.
Industrialization of cyberattacks
Cyberattacks have evolved from discrete incidents to organized crime. Hacking is now a lucrative business backed by an industry of players, funded by large organizations and nation-states. Industrial espionage, political gains, and international rivalry are traced as motivations for many reported incidents.
An analysis of the concurrent cyberattacks on Ukrainian power grids shows how the attacks use a solid end-to-end strategy, social engineering tactics, intellectual caliber, sophisticated technology and substantial funding. The intensity of these security incidents’ fallouts leaves minimal scope for the traditional reactive approach to cybersecurity. Cybersecurity 2.0 is about proactive security posture and threat prevention.
Beyond IT-centric defenses
The classic IT-centric defenses pivot on protecting the domain perimeter. Intrusion detection systems and intrusion prevention systems (IDS/IPS), IP firewalls, host protection using antimalware scanners, password-based identity and access management and VPNs for remote access are some of the common defenses.
Traditional cybersecurity, aka information security, evolved around the confidentiality, integrity, and availability (CIA) triad. IT-centric defenses have been primarily reactive. Financial and business reputation are the primary consequences of IT security breaches. In a converged IT/OT world where well-funded, organized threat actors routinely weaponize devices, people, networks and processes, organizations must rehash security practices. Unlike the CIA triad, OT security prioritizes control, availability, integrity and confidentiality in that order. When human and environmental safety is at stake, risk mitigation assumes more significant dimensions. Cybersecurity 2.0 has to factor-in physical threat vectors as well.
New paradigms, new solutions
The projected 20 billion IoT devices by 2021 outnumber the global human population of 7.8 billion. The machine-to-machine world defines new paradigms in security. Minimal human intervention and minimal downtime is the guiding mantra. Machines do not authenticate as humans. Password-based security must evolve to password-less identities and access policies.
With a rapid explosion of connected assets, organizations need runtime asset visibility and location-vectored asset inventory. Endpoint security must be planned around both new and legacy industrial devices.
As remote access connections explode in the post-COVID era, zero trust network access and other cloud-based scalable solutions may scale better than traditional VPNs.
Continuous event monitoring covering multi-layered resources such as IT and OT networks and devices, software, and containerized environments helps detect and act on threats early.
Advances in AI offer promising capabilities for scaling these solutions to thousands of endpoints.
Security involves both cost and complexity. Security budget and resources are practical challenges for most organizations. That’s when rightsizing security is necessary.
After all, the security controls for a smart farmland need not match that of a defense infrastructure. The risk levels of the two use cases widely differ.
Every use case has its unique risks. Regular threat modeling and risk management exercises can determine the security control that can protect a given use case. What’s essential for the future IIoT landscape is to converge IT and OT risks in a combined security program.
Closing the cybersecurity skill gap
Cybersecurity talent deficit is a prevailing concern. A Cybersecurity Ventures study predicts a stunning 3.5 million unfilled cybersecurity jobs globally by 2021. Compared to 1 million unfilled positions in 2014, this is a 350% jump. This widening deficit urges innovative solutions.
Just as in cloud security, security and development teams converge into what’s known as DevSecOps. A similar convergence can help across industries.
In the new security paradigm, security is everyone’s business. Control engineers, machine operators, development engineers, managers and leaders need to understand their role in securing the IIoT deployment. Instead of entirely relying on major security teams, transitioning security training, awareness and ownership, a distributed model is a more practical approach to secure the future IIoT landscape.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.