If there’s one truth to operational security that many don’t want to hear, it’s that any system can be compromised. As a multitude of industries like utilities, manufacturing, and oil and gas are adopting industrial internet of things devices — a market set to boom to 100 billion devices over the next five years, according to PricewaterhouseCoopers — ensuring security in these systems is a challenge that will grow exponentially in the near future.
While industrial companies that are taking a cutting-edge approach to IIoT to transform their industry and businesses are out there, many are still stuck in a more traditional IT cybersecurity mindset — focusing on network security defenses. If operational technology (OT) professionals don’t reimagine how to actually protect IoT endpoint devices, they could hamper the IIoT revolution.
Layered networks in information technology environments have traditionally allowed institutions to monitor and rapidly respond to any security threat. But when it comes to OT security, those defenses are simply not enough. Many critical infrastructure industries simply cannot tolerate downtime and risk human safety — detection and response approaches are too little too late. Cybersecurity breaches can result in millions of dollars lost, and also — and more devastatingly — the loss of life. Because of this, it is vital that industrial businesses take a proactive approach when ensuring IIoT security. Unlike IT security, OT security must ensure an attack doesn’t happen in the first place — and that means protecting only the network isn’t enough anymore.
There is a solution to this problem: Critical infrastructure operators must seek out IoT and IIoT devices with security built into these systems — not bolted on. At the chip level, extensively tested and secured cryptography can prove the trustworthiness of a device, ensuring a far more secure system, from boot to application execution. It’s impossible to guarantee 100% security on a device, but IoT and IIoT devices that have embedded security software integrated at the chip level create a nearly impenetrable system regardless of the network or environment.
Trustworthy operations in OT security are no longer just a target concept — it’s an achievable, measurable and demonstrable end state with built-in device security. The advantage of built-in security in the OT environment is each of these platforms has been built with a specific purpose. These aren’t general purpose chips, and thus, they can be built to combat security issues at an explicit level.
NIST, the International Electrotechnical Commission and the Industrial Internet Consortium provide excellent guidelines on cybersecurity and processes that will hopefully rise to the level of auditable and enforceable measures instead of merely guidelines. And in the meantime, silicon vendors and original equipment manufacturers (OEMs) are taking their own steps to ensure the fidelity of these devices right now. Frameworks like the Platform Security Architecture for Arm-designed processors provide silicon vendors with the guidance to protect a multitude of connected devices. By using cryptographic controls built into these processors and coprocessor subsystems, the OT community has a new starting point, whereby endpoints, gateways and communications operate in a trustworthy state.
Security in OT doesn’t just mean data privacy. Security means preventing the unimaginable, and that must start at device protection. The future is uncertain, but the recent HatMan malware attack, also known as Triton or Trisis, proves that critical infrastructure will continue to be a primary target of bad actors. To address these threats, it’s imperative that silicon vendors and OEMs take a leading role in embedding security into their systems. It’s far easier, cheaper and safer than imagining security can be bolted onto a device later. Gone are the days when OT security meant guns, guards and gates. It’s time to engineer OT systems that are tasked for these new challenges.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.