Industrial IoT security: how to protect your enterprise against modern threats

29.09.2020

In recent years, the manufacturing industry has become one of the most enthusiastic adopters of IoT. The technology brought the digital revolution to the production floor, allowing owners to increase efficiency, deliver higher-quality products, and optimize resource management. IoT has proved to be a powerful differentiator in this tech-heavy sector.

The COVID-19 pandemic uncovered another critical advantage of industrial IoT (IIoT) — the ability to render a manufacturing enterprise resilient to crises. Amid the lockdown and economic turbulence, IoT development became instrumental in ensuring continuity and cost-efficiency of business operations as well as employee safety at production sites.

This makes IIoT the best solution for safeguarding against similar emergencies and making up for disrupted production, and many manufacturers are already aware of this. Hence the projected steady growth of the industrial IoT market that, despite the current post-pandemic recession, is to pick up shortly and reach $263.4 billion by 2027, according to the Meticulous Research forecast.

But the path to connectivity is thornier than ever. Throughout the pandemic, commercial IoT systems, which were made vulnerable by the shift to remote work and the ensuing lack of control, saw a considerable increase in cyberattacks, many of which were novel. Apart from this, 24% of manufacturing companies are expected to cut their security budget after the crisis, the 2020 State of Industrial Cybersecurity survey by Kaspersky reports. These factors, coupled with the persisting tendency to treat IoT security as an afterthought, make post-crisis IIoT projects or scaling-up of existing systems a high-risk undertaking.

Which aspects of cybersecurity initiatives might the coronavirus pandemic influence in your organization?

In this context, the security of their IIoT systems, existing or prospective, becomes the most pressing issue on manufacturers’ agenda. We have devised a detailed guide to help industrial company owners and CSOs safely navigate the Industry 4.0 landscape of human-machine interfaces and smart devices.

The culprits of IIoT security breaches

Let’s look into the weak points of an average industrial IoT system and how hackers use them to get a foothold in industrial networks.

Poor device and endpoint visibility

Lack of real-time visibility into connected devices, sensors, and endpoints, as well as their configurations and compliance, is perhaps the most persistent security challenge in the IoT landscape. Even today, when IT monitoring technologies proliferate and security awareness is high, 20% of enterprises recognize IoT devices as the most poorly supervised assets, as the 2019 Panaseer Security Leader’s Peer Report found.

Assets with least visibility

It’s obvious that such gray-area devices are bound to fall victim to exploits. But how do manufacturing companies end up in the dark with their IoT networks? Reasons differ.

One enterprise may ramp up its connected infrastructure at such a high pace that some devices are left out of the inventory records due to oversight. Other manufacturers tend to lose track of devices deployed decades ago, which are hardly ever utilized but have internet access nevertheless. Some IT departments simply lack tools or resources to monitor the vast array of connected assets, while others fail to properly group their IoT networks and let some devices slip through the cracks.

The consequences of poor device and endpoint visibility in industrial environments are particularly grave. If malware gains control over unmanaged and unsecured connected equipment, it may not only intercept critical production data, but also compromise end-product quality, cripple manufacturing lines, cause supply chain delays, or even put workers’ safety in danger. This way, something as simple as negligence and oversight can entail huge material and reputational losses.
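As an added illustration (not part of the original article), the visibility gaps described above can be surfaced by reconciling the asset inventory against the devices actually observed on the network. The CSV columns, the sample devices, and the 180-day staleness threshold are assumptions made for this sketch.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an asset-inventory export and
# devices observed on the network, e.g. taken from DHCP leases or ARP tables.
INVENTORY_CSV = """mac,name,segment,owner
00:1A:2B:00:00:01,plc-line1,production,ot-team
00:1A:2B:00:00:02,hmi-line1,production,ot-team
00:1A:2B:00:00:03,cam-dock,,
00:1A:2B:00:00:04,old-scada-gw,legacy,ot-team
"""
OBSERVED = [  # (mac, date last seen on the network)
    ("00:1a:2b:00:00:01", date(2020, 9, 28)),
    ("00-1A-2B-00-00-03", date(2020, 9, 27)),
    ("00:1A:2B:00:00:04", date(2019, 1, 15)),
    ("00:1A:2B:00:00:99", date(2020, 9, 28)),
]

def norm_mac(mac):
    """Normalise MAC notation so both sources compare equal."""
    return mac.strip().lower().replace("-", ":")

def reconcile(inventory_csv, observed, today, stale_days=180):
    """Return visibility findings grouped by type."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    inventory = {norm_mac(r["mac"]): r for r in rows}
    seen = {norm_mac(mac): last for mac, last in observed}
    report = {"unmanaged": [], "ungrouped": [], "never_seen": [], "dormant": []}
    for mac in sorted(seen):
        if mac not in inventory:
            report["unmanaged"].append(mac)           # on the network, not in records
    for mac, row in sorted(inventory.items()):
        if not row["segment"] or not row["owner"]:
            report["ungrouped"].append(row["name"])   # no segment or owner assigned
        if mac not in seen:
            report["never_seen"].append(row["name"])  # record without a live device
        elif (today - seen[mac]).days > stale_days:
            report["dormant"].append(row["name"])     # not seen for long: re-verify or retire
    return report

if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, OBSERVED, date(2020, 9, 29))
    for finding, items in result.items():
        print(f"{finding}: {items}")
```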

Off-the-shelf setups

Keeping default settings on connected devices is another type of high-risk oversight on many IIoT owners’ part. For one thing, device manufacturers rarely use sophisticated credentials, which makes them easy to discover in a brute-force attack. Moreover, device manuals, containing initial configurations and passwords, can end up online and fall into hackers’ hands. This way, because of either ignorance or neglect, companies might leave their systems vulnerable to breaches.

The most notorious IoT device security threat of today is Mirai, a botnet that has been crippling high-profile systems since 2016. The malware is genius in its simplicity: it scans the internet for open devices and tries to log in with common login-password combinations. If it succeeds, Mirai hijacks the device and goes on to take control of the whole network.

During the pandemic, brand-new Mirai variations appeared, targeting telework-associated vulnerabilities such as those in web cameras, modems, and routers. Since these very devices were widely adopted by many manufacturers to remotely monitor production lines, their poor protection became a critical vulnerability.

To safeguard your system from such exploits, make it mandatory to change off-the-shelf credentials and settings before a device is put into service. Another great practice is to restrict access to connected devices for outsiders and low-level staff to minimize the risk of intentional or unintentional configuration changes or password resets.

Outdated software

Up-to-date software and device firmware are a critical requirement for an efficient, sustainable and secure IIoT network, yet not all companies succeed in keeping them this way. For one thing, a typical industrial IoT system is vast and distributed, and keeping track of all the updates, upgrades, and patches, as well as applying them on time, is a taxing task for an average-size IT department. Also, in many cases, a connected device can go out of service or fail to function properly during the upgrade, and for some production sites even a short downtime can prove disruptive.

Faced with such challenges, many IIoT owners choose to put off updates indefinitely. In the meantime, outdated software and firmware start lacking relevant protection mechanisms, critical patches, and bug fixes, which leaves the connected infrastructure vulnerable to the latest malicious software devised to exploit such vulnerabilities.

For instance, this year, the leading cybersecurity company TrapX reported that it had identified the new Lemon Duck malware, which targets manufacturing IoT devices running the discontinued Windows 7 and causes them to malfunction. As for industrial equipment, its OSs can be particularly hard to upgrade, and in some instances, the owners have no option but to replace devices with ones that have newer OS versions pre-installed.

Apart from security loopholes, using obsolete IoT software is fraught with more frequent crashes and system downtime, poor productivity, and increased maintenance efforts. All this makes keeping outdated firmware unprofitable, even when compared against the high cost of updates.

Inefficient data security policies

For industrial companies, IoT-generated data is not simply sensitive — it’s a part of the trade secret, and this is what cybercriminals are typically after. Verizon’s 2020 Data Breach Investigations Report found that extortion and industrial espionage are two core motivations behind outsider attacks in the manufacturing industry.

External actor motives in Manufacturing industry breaches

Aware of this, IIoT adopters reinforce their software and firmware security to prevent attacks. Amid all these measures, the protection of IIoT-generated data itself regrettably tends to slip off the radar.

A whopping 98% of IoT device communication is unencrypted and circulates in the connected ecosystem in plain text, states the 2020 Unit 42 IoT Threat Report. Thus, if attackers manage to infiltrate an IIoT network, which, as stated in the paragraphs above, does happen despite the safeguards, confidential data from sensors, endpoints, and wearables will be exposed and easy for them to collect.

In April of 2019, the Russian hacking group Strontium exploited this typical security oversight for a massive espionage campaign. They targeted vulnerable IoT devices at hundreds of organizations, from governmental agencies to industrial companies, to gain access to their systems and then capture the network traffic.

Considering the devastating consequences of trade secrets made public, manufacturers are better safe than sorry and should encrypt their device communication logs and transactions as a mandatory security practice.

No segmentation

Another quite common mistake of IIoT adopters is the failure to logically divide their connected environment into smaller groups of devices and subnetworks. A flat, unsegmented IIoT network is easy to maintain and manage when it is small, but this is as far as its benefits go. In the long run, such infrastructure becomes a nuisance as well as a fatal flaw undermining enterprise cybersecurity.

For one thing, an unsegmented IIoT network is a single large attack surface, so one vulnerability will be enough for malware to gain access to the entire network. Also, inventorying a vast IIoT environment, abundant with devices of different periods of service, specifications, and purposes, is a taxing task, so security flaws and potential risks may go unnoticed due to human oversight. Besides, as the system expands, it gets harder and harder to fit new devices into the tangled security architecture and ensure its end-to-end protection.

Physical segmentation using firewalls used to be a common practice for protecting IIoT networks, but of late, virtual segmentation using VLANs and ACLs has gained prominence as a more efficient method. Due to the sheer size of an average IIoT network, a full-grade internal firewall architecture proves very costly and complex to implement and maintain. Micro-segmentation, in its turn, is not only a cheaper and easier solution but also one that allows for a more flexible and fine-grained grouping of devices.
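The following added example (not from the original article) audits flow records against a segment ACL and, serving the data-security section above as well, flags flows that use cleartext protocols. The segment names, subnets, ACL entries, and flow records are constructed assumptions; the ports are the well-known defaults for the named protocols.

```python
import ipaddress

# Constructed example segments, ACL and flows (assumptions, not from the article).
SEGMENTS = {
    "production": ipaddress.ip_network("10.10.1.0/24"),
    "cameras": ipaddress.ip_network("10.10.2.0/24"),
    "historian": ipaddress.ip_network("10.10.3.0/24"),
}
# ACL: the only cross-segment flows permitted (src segment, dst segment, dst port).
ALLOWED = {
    ("production", "historian", 8883),  # MQTT over TLS
    ("cameras", "historian", 443),      # HTTPS
}
# Default ports of protocols that carry data unencrypted.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 502: "modbus-tcp", 1883: "mqtt"}

FLOWS = [  # (src ip, dst ip, dst port)
    ("10.10.1.5", "10.10.3.10", 8883),
    ("10.10.1.5", "10.10.1.6", 502),
    ("10.10.2.7", "10.10.1.5", 502),
    ("10.10.2.7", "10.10.3.10", 80),
    ("10.10.2.8", "203.0.113.9", 23),
]

def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit(flows):
    """Return (src, dst, port, issues) for every flow that has a finding."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        issues = []
        if s != d and (s, d, port) not in ALLOWED:
            issues.append(f"segmentation: {s} -> {d} not permitted")
        if port in CLEARTEXT_PORTS:
            issues.append(f"cleartext: {CLEARTEXT_PORTS[port]}")
        if issues:
            findings.append((src, dst, port, issues))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```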

Guidelines for shell-proof IIoT security

Lately, industrial IoT has become one of the favored attack vectors for hackers. Today, manufacturers have to thwart new and ever-evolving malware injections while also routinely handling vulnerabilities arising from legacy hardware and software, disjointed infrastructure, and, most recently, the shift to remote work.

A holistic approach to IoT security is the only way to stay protected and efficient in these turbulent times. These guidelines will help industrial companies embrace a sustainable and all-encompassing IIoT security strategy.

Take essential measures

Respecting IoT security basics is the first step to safeguard your connected industrial environment. These measures, though seemingly simplistic, will nevertheless prove effective in shielding your IIoT from the most common security exploits or minimizing the adverse effects of a breach. Moreover, they can serve as a solid basis for more advanced security controls you might choose to adopt down the line.

Here are the best tried-and-true security practices worth introducing into your industrial IoT environment:

  • Segment the IoT network
  • Introduce two-factor authentication
  • Encrypt device communication
  • Manage user access to data and smart devices
  • Filter outbound and inbound network traffic
  • Implement a real-time security monitoring system
  • Install software patches and updates in a timely manner

Promote IIoT security awareness

As they transform their workplaces with IoT, manufacturers should promote staff security awareness accordingly. In such a highly connected environment, system safety and integrity become a shared responsibility, and a poor understanding of the IIoT architecture, devices, and data storage on employees’ part is bound to result in an unintentional security breach sooner or later.

Thus, to safeguard your future implementation, make sure to provide all employees with ample information about industrial IoT, its operation, capacities and vulnerabilities, and explain the security guidelines accepted at your company. Also, educate your staff on common-sense security measures and train them to recognize security threats.

Cybersecurity training should not be a one-off event; with each system integration or policy change, security incident, or new risk factor, employees’ knowledge needs to be updated. Last but not least, do not forget to make IoT security training a part of employee onboarding.

Assess IoT regularly

Through routine security testing, IIoT owners can stay up to speed on the security state of their connected ecosystem, identify existing vulnerabilities and potential threats in time, and address them before they undermine operations.

Penetration testing, the white-hat hacking method where QA experts simulate a malicious attack on your IIoT, is particularly efficient for revealing hidden loopholes in device firmware and embedded software and for confirming the viability of defense mechanisms. Additionally, companies can carry out risk analysis to identify the flaws in their IoT architectures, enabled devices, APIs, and protocols that may end up as security weaknesses.

Adopt an incident response strategy

Finally, in case a security breach does occur, IoT-powered manufacturing companies need a corporate action plan for handling it promptly and effectively. Primarily, it should contain instructions for the IT security team on how to identify the threat and its source, isolate the affected area from the rest of the connected ecosystem, assess the damage, and manage the incident. Apart from this, the strategy should include guidelines for employees, detailing how they should carry on working during and after a security emergency.

Also, it's a useful practice to include the steps for analyzing the incident retrospectively, allowing security specialists to understand its implications and root causes and take deliberate measures to prevent it from happening again.