By David Bisson, Associate Editor of "The State of Security" blog, Tripwire
The Industrial Internet is currently one of the most exciting prospects for our web-connected world. This phenomenon, as Belden Inc explains, involves combining industrial machines with data-driven analytics to better understand business processes, reduce unplanned downtime, and increase profitability and efficiency. As such, the Industrial Internet is beginning to influence other aspects of the web that have been traditionally associated with IT systems only. For example, the Industrial Internet of Things (IIoT) emphasizes the utility of big data with respect to helping business owners understand how its machines and employees are communicating, thereby providing information which can, in turn, allow operations to reach their full potential.
Clearly, the Industrial Internet has ample promise in the business world. But as with the non-industrial Internet of Things, enterprises must couple their excitement to embrace new technology with a focus on security. Industrial Internet systems can provide valuable business intelligence, but this data could be stolen and sold to competitors if left unsecured. If companies intend to truly capitalize on IIoT, they need to invest in security measures now.
The means by which businesses go about to do this is somewhat unclear, however. After all, most users of the CIS Critical Security Controls are in information technology (IT) and not operational technology (OT). (IT and OT can get work together to secure the Internet of Things, however, as we have shown here.) We as security practioners must therefore come up with some guidelines that can help begin paving the way for Industrial Internet system security.
Fortunately, some entities are all ready at the forefront of this endeavor. One of these organizations is the Industrial Internet Consortium (IIC), an international not-for-profit consortium that is dedicated to mapping the architecture framework and direction of the Industrial Internet. Towards this end, the IIC hosted a TweetChat on Thursday, October 29 that sought to gain experts' opinions on how we can protect the Industrial Internet. Some points of consensus from this TweetChat are presetned below. You can also view all tweets from this discussion by using the hashtag #IICSecurity or by reviewing the conversation on Storify here.
Thought #1: The Importance of Strategies and Authentication-Based Solutions
Participants in the TweetChat generally agreed that we need strong authentication of devices. This is especially true for IIoT products that are actuators and not just sensors. Fortunately, there are a number of solutions already available that emphasize the importance of authenitcation. For instance, German semiconductor manufacturer Infineon shared one of its security solutions in the discussion that, among other othings, makes sure that the right people and machines are communicating and investigates whether production systems have been manipulated.
Discussants also emphasized the importance of combining protection and detection strategies in order to adequately protect industrial wireless applications. This need has all ready given rise to Intrusion Detection Systems, Deep Packet Inspection, whitelisting, protocol encryption, and signing and access control solutions, as Kepware pointed out during the chat. Tim Erlin, the Director of Product Management at Tripwire, also drew the conversation's attention to a number of monitoring tools that Chris Sistrunk recently shared at EnergySec. A slideshare of those tools can be accessed here.
Thought #2: The Need for Comprehensive Security
The threats facing IoT, and therefore IIoT, can be divided into two different groups: intentional and unintentional. As revealed by an infographic published by the Industrial Internet Consortium, approximately 20% of threats originate intentionally from either hackers/terrorists or insiders, whereas nearly 40% of risks surface as a result of device and software failure. Clearly, these threats must be addressed differently. For intentional external threats, such as APTs, Belden Inc. recommended that we need comprehensive security solutions to protect our systems. Meanwhile, Deloitte emphasized the need to design Industrial Internet systems in such a way that they could fail safely when they do ultimately malfunction.
Thoughts #3 and #4: Open Standards Provide Further Incentive to Deploy Industrial Internet Solutions
Participants in the Tweetchat overwhelmingly articulated their belief that the benefits of deploying Industrial Internet solutions outweigh the security risks. Some were careful to caution, however, that this is the case only if IIoT applications are properly secured.
Additionally, when faced with choosing open standards or proprietary solutions for IIoT security, most discussants chose the former due to this choice's ability to drive growth and innovation as well as ensure continuous interoperability and stability.
Thought #5: Remote Infrastructure Will Introduce New IoT Security News
During the discussion, Smart Industry US noted that advancements in remote critical infrastructure will bring about new needs in IoT security. To meet these demands, we will need to implement a number of changes. Belden invoked the need to secure-by-design devices that are part of a security chain from devices to apps. We can also focus on making sure we can patch and update IIoT devices, as recommended by Tim Erlin, and enabling all available authentication/privacy features. Steve Hanna at Infineon went on to share a full list of features and functions that we might want to consider going forward.
Thought #6: Emphasize Ongoing Security Assessments of One's Environment
To ensure that Industrial Internet systems are secure, most participants emphasized the importance of regular, ongoing security assessments of one's environment. This involves vulnerability assessment/penetration testing cycles that are complemented by regular security patch updates; implementing a chain of trust between devices, data, and systems; and potentially hiring outside consultants to review one's environment. Tim Erlin also emphasized the importance of knowing one's environment, a perspective which one can leverage in one's log analysis to monitor network traffic for anomalies. For older ICS systems designed years ago, discussants went on to suggest layering security on top of legacy systems and segmenting parts of one's network. This includes protecting certain legacy devices behind firewalls, per Belden's suggestion.
Conclusion
The TweetChat hosted by the IIC is just the beginning of a larger discussion of how security, the Internet of Things, and Industrial Internet systems intersect. To learn more about this particular conversation, please refer to the hashtag #IICSecurity or review the conversation on Storify.