By Joe Robertson, Director of information security and EMEA CISO at Fortinet
Digitization is transforming how businesses operate. This transition is often referred to as the Fourth Industrial Revolution or Industry 4.0 because it represents the fourth manufacturing revolution. The first industrial revolution was mechanization, the second was mass production and assembly lines using electricity, and the third was the adoption of computers and automation.
Now the Fourth Industrial Revolution is upon us, with the digital transformation of businesses largely consisting of automation, artificial intelligence (AI), and rapid technological innovation. Industrial processes and machines are becoming smarter and more modular, with automation and data exchange that include the Internet of Things (IoT) and the Industrial Internet of Things (IIoT). These smart, always-connected devices provide real-time contextual information with low overhead to optimize processes and improve how companies and individuals interact, work, and live.
It’s no wonder McKinsey estimated that investments in IoT technology would grow at a rate of 13.5% throughout 2022. This growth in IoT is contributing to an escalating explosion in production and industrial data. This data is being collected and analyzed to improve productivity, monitor activity, and enhance predictive maintenance. With so much business-critical data passing through IoT and IIoT devices, organizations must take measures to secure their technology.
Why is IIoT Security Important?
Digital transformation has not gone unnoticed by cybercriminals, who seek to exploit IoT and IIoT as weak links in the data chain. The increasing volume of structured and unstructured data generated by these devices, and their often anomalous behavior across global ecosystems, challenge even the best organizations. Further complicating the situation, many of these devices are wireless (WLAN or 5G) and often have communication channels to their manufacturers for maintenance and troubleshooting purposes, which can make them a potential backdoor into the production network.
Most organizations are not well prepared for IoT and IIoT device vulnerabilities. The ubiquitous interconnectivity among devices, users, and distributed networks presents a substantial challenge for traditional siloed security solutions. Focusing defenses on a single point in the network is becoming increasingly ineffective. The lack of single-view visibility across devices, users, and the entire network creates blind spots that cybercriminals can exploit. According to a study conducted by EY, almost half of enterprises indicate they are concerned about their inability to track security across their IoT and IIoT assets, keep them virus-free, and patch vulnerabilities. This complexity is exacerbated by commingling IIoT devices with wired devices on the same network segments, which can lead to uncertainty as to exactly what is connected where.
IoT and IIoT Security Risks to Be Aware Of
From a security perspective, IoT and IIoT devices present a number of risks. One problem is that most of these devices were not designed with security in mind. Many of them are headless, which means they do not have a traditional operating system or even the memory or processing power required to include security or install a security client. In addition, an alarming number of devices have passwords hard-coded into their firmware.
The result is that many IoT devices cannot be patched or updated. And even when security can be installed on the device, the underlying installed software is often cobbled together from commonly available code or is untested, which means that most installed security tools can be circumvented by exploiting a wide range of known vulnerabilities. Additionally, most IIoT and IoT devices have limited or no configurability. And when devices are compromised, most IT organizations admit they are unlikely to be able to detect the event before it impacts systems and data.
How to Mitigate IoT and IIoT Security Risks
Some organizations are working to address these issues by promoting authentication, key, and credential management, and other capabilities. But these tools must be tested, integrated with the network architecture, updated, managed, and monitored. So, what is the answer? Simply sticking your head in the sand will not work. IoT and IIoT devices are a vital part of most businesses and they are here to stay. It is important to view IIoT as part of your broader security environment rather than as isolated units. Here are a few additional recommendations for securing this technology:
- Segmentation of the production environment, with all IIoT and wireless devices in segments outside of the SCADA or ICS network. In many cases, micro-segmentation should also be applied to restrict communications between devices, isolating them and confining them to authorized communications only.
- Network Access Control for accurate information on what is connecting to the network and verification of each device’s security posture before allowing it to connect.
- Security must be redesigned to provide seamless visibility on what is happening across all networks and devices, from IoT to multi-cloud networks.
- Because of the minimal intelligence and security functions included in most IIoT devices, an intrusion prevention system (IPS) upstream of these devices should be used to detect attacks that rely on known exploits and to provide “virtual patching” of devices that cannot have software updates applied.
- Security monitoring and management must be done through a single console. Enterprises must be able to see all devices, assess risk levels, segment traffic, and assign policies across the entire network in real-time. This should include both production and IT networks to reduce the risk of attacks on IT resources propagating into the production network, and vice-versa.
- Active protection solutions against unknown threats should be deployed, including sandboxing technology (to determine whether files, attachments, or other code are malicious) and deception technology (also known as honeypots) to attract attackers, confirm their presence in the network, and expose them to tools that block and eliminate them.
- Zero trust access can provide simple, automatic secure remote access that verifies who and what is on your network and secures application access no matter where users are located.
- Security solutions should automatically adapt to network changes, anticipate threats, interpret and implement business language commands, and interoperate in a cybersecurity mesh architecture to share threat intelligence, and proactively coordinate responses to threats across all security devices and network ecosystems.
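The segmentation and Network Access Control recommendations above can be checked against observed traffic. The following is an added example, not code from the article or from Fortinet: it audits flow records for IIoT-to-ICS traffic, devices missing from the NAC inventory, connections outside the micro-segmentation allowlist, and outbound channels to external hosts. The segment names, address ranges, inventory, allowlist, and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): IIoT and wireless devices live
# in their own segments, outside the ICS/SCADA network.
SEGMENTS = {
    "ics": ipaddress.ip_network("10.10.0.0/24"),
    "iiot": ipaddress.ip_network("10.20.0.0/24"),
    "wireless": ipaddress.ip_network("10.30.0.0/24"),
    "it": ipaddress.ip_network("10.40.0.0/24"),
}
RESTRICTED = {"iiot", "wireless"}
# Devices the NAC inventory knows about (constructed).
INVENTORY = {"10.20.0.11", "10.20.0.12", "10.30.0.7"}
# Micro-segmentation allowlist: (src, dst, protocol, dst_port), constructed.
ALLOWED = {
    ("10.20.0.11", "10.40.0.5", "tcp", 8883),
    ("10.20.0.12", "10.40.0.5", "tcp", 8883),
}
# Constructed flow records, as a firewall or flow collector might export them.
FLOWS = [
    ("10.20.0.11", "10.40.0.5", "tcp", 8883),    # authorized telemetry
    ("10.20.0.11", "10.10.0.2", "tcp", 502),     # IIoT device reaching into ICS
    ("10.20.0.12", "10.20.0.11", "tcp", 23),     # lateral device-to-device traffic
    ("10.30.0.99", "10.40.0.5", "tcp", 443),     # device absent from the inventory
    ("10.20.0.12", "203.0.113.50", "tcp", 443),  # outbound channel to an external host
]

def segment_of(ip):
    """Return the segment name for an address, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "external")

def audit_flow(flow):
    """Return policy findings for one flow sourced from a restricted segment."""
    src, dst = flow[0], flow[1]
    if segment_of(src) not in RESTRICTED:
        return []
    findings = [] if src in INVENTORY else ["unknown-device"]
    dst_seg = segment_of(dst)
    if dst_seg == "ics":
        findings.append("iiot-to-ics")
    elif flow not in ALLOWED:
        findings.append("external-channel" if dst_seg == "external" else "not-allowlisted")
    return findings

def audit(flows):
    """Map each violating flow to its list of findings."""
    return {f: r for f in flows if (r := audit_flow(f))}

if __name__ == "__main__":
    for flow, findings in audit(FLOWS).items():
        print(flow, findings)
```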
Going Forward
Unfortunately, IIoT devices are typically not designed with security in mind and finding ways to secure every device on your network is daunting. Because of this, organizations must take immediate action to protect their systems from attack.
A new generation of tools is helping organizations meet today’s ever-expanding attack surface, delivering not only visibility of the network environment, but also enforcement and dynamic policy control. Whether devices are connecting from inside or outside the network, these tools can automatically respond to compromised devices or anomalous activity.
Fortinet has developed products, services, and tools that directly meet the operational and regulatory requirements of industrial and manufacturing networks. The expansive Fortinet Security Fabric platform offers a cybersecurity mesh architecture approach that includes centralized management and a unified context-aware security policy that provides complete visibility and granular control over the entire organization.