When it comes to cybersecurity, industrial IT—consisting mainly of operational technology (OT) and industrial control systems (ICS)—has failed to keep up with development in the enterprise IT world. That’s mostly because industries’ adoption of internet technology has been slower when compared with enterprises.
It will take some time to close the gap, but concerted efforts have already been made to upgrade the security of industrial IT and improve the efficiency of OT and ICS. These are reflected in the emergence of multiple standards and guidelines for the cyber-protection of industrial systems.
Unfortunately, it seems that the Industrial Internet of Things (IIoT) still needs to catch up with the Internet of Things (IoT) devices that we all use. What are some of the major considerations for developing industrial cybersecurity standards?
Security by Design
Cyber attackers often launch their assaults by manipulating the functioning of a system. Building systems with security in mind ensures that they have robust defense mechanisms against cyber-attacks. Security by design is implemented by anticipating attacks and patching security holes in accordance with global cybersecurity standards.
Gone are the days when only asset owners were responsible for securing their systems. Now there is a base level of inherent and customized cybersecurity configurations organizations can specify when acquiring industrial systems from suppliers. According to the NIST Cybersecurity Framework, “a key milestone of the design phase is validation that the system cybersecurity specifications match the needs and risk disposition of the organization....”
According to Kaspersky’s The State of Industrial Cybersecurity 2020 survey, the two biggest tech trends that are leading to revised industrial cybersecurity practices are Industrial IoT and cloud computing at 55% each. As industries become more connected and controlling infrastructure goes remote, companies need to adjust their cybersecurity priorities to meet the changing needs of an increasingly digitized world.
The IIoT (Industrial IoT) Challenge
IoT has proved effective in industrial operations over the years, particularly in the manufacturing sector. Experts predict that the value of Industrial IoT will reach just short of $1 trillion by 2025.
However, the continued penetration of connected devices (and not just IoT but web connectivity in general) into industries also poses a threat by widening the attack surface. Cyber attackers have mastered the art of stealthily breaching systems. The bigger impact on the company in such cases is financial. Such an unfortunate disruption may also bring the company into disrepute.
To emphasize this issue, Tripwire recently asked security professionals how they feel about an influx of IoT and IIoT devices and whether they feel confident in their ability to secure these additional products.
Of the 312 security professionals who participated in the survey, 99% of them informed Tripwire that they had encountered challenges in the process of securing their organization’s IoT and IIoT devices. Two-thirds of those respondents said that they had experienced difficulty in their attempts to discover and remediate vulnerabilities. They were followed closely by those who encountered issues in tracking an inventory of their IoT devices (60%), validating compliance with security policies (58%), establishing secure configurations (56%) and detecting changes on those devices (55%). More than a third (37%) of security professionals also revealed that they had a hard time gathering forensic data after a detected incident.
In consumer IoT, for instance, a user can often fix issues by checking online support sites (verifying a FireStick remote for example, or checking Google Home components) without any cohesive standards necessary. By contrast, IoT in industries engenders the need for unifying and all-encompassing cybersecurity standards and regulations rather than limited vendor-specific standards.
A useful methodology for protecting IIoT devices is one advocated by the Idaho National Laboratory: Consequence-driven Cyber-informed Engineering. The approach rests on the following steps:
- Consequence prioritization – Determine the most critical functions.
- Systems-of-Systems analysis – Evaluate complex systems.
- Consequence-based targeting – Identify methods an adversary could use to compromise the critical functions.
- Mitigations and protections – Apply proven engineering, protection and mitigation strategies to isolate and protect an industry’s most critical assets.
Cloud Security and Remote Access
One of the fast-rising challenges in cybersecurity (and not just for industrial systems) is remote access. With the limited movement and physical contact due to the pandemic, threats to critical infrastructure need to be addressed off-site via remote connections. The concept of air-gapped systems disconnected from the internet presents additional security risks, particularly for these industrial systems.
In this regard, industries can take a cue from enterprises in implementing a zero-trust security model for access control. The premise of the zero-trust model is to never trust any source (even if it is a known person) but instead to authenticate every connection request. That means every activity is considered suspicious unless proven to be genuine and approved. This is inconsistent with traditional OT cybersecurity, which assumes implicit trust. The functional difference between the two approaches is that zero-trust is arguably more proactive.
Zero-trust, implemented through technologies such as Software-Defined Perimeter, also rests on the principle of least privilege, which prescribes granting just enough access to meet a specific need rather than system-wide permission. By implementing these strategies, industries can enable a proactive approach to protect their critical infrastructure.
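The contrast described above between implicit trust and zero trust with least privilege, as an added example that is not part of the original article: a deny-by-default check for remote-access requests to OT assets. The user, asset and action names, the network range, the grant table and the HMAC-signed request format are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample data; every name, key and address here is hypothetical.
SIGNING_KEY = b"demo-key-not-for-production"  # stands in for real per-user credentials
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed "plant" network
# Least-privilege grants: (user, asset, action) -> grant expiry, epoch seconds.
GRANTS = {("vendor-tech", "plc-7", "read-diagnostics"): 1_700_003_600}

def sign(user, asset, action, issued_at):
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([user, asset, action, issued_at]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def make_request(user, asset, action, src_ip, issued_at, signed=True):
    req = dict(user=user, asset=asset, action=action,
               src_ip=src_ip, issued_at=issued_at)
    req["sig"] = sign(user, asset, action, issued_at) if signed else ""
    return req

def implicit_trust_allow(req):
    """Traditional OT model: anything from the trusted network is allowed."""
    return ipaddress.ip_address(req["src_ip"]) in TRUSTED_NET

def zero_trust_allow(req, now, max_age=300):
    """Deny by default: authenticate every request, then match a narrow grant."""
    expected = sign(req["user"], req["asset"], req["action"], req["issued_at"])
    if not hmac.compare_digest(expected, req.get("sig", "")):
        return False, "authentication failed"
    if not 0 <= now - req["issued_at"] <= max_age:
        return False, "stale request"
    expiry = GRANTS.get((req["user"], req["asset"], req["action"]))
    if expiry is None:
        return False, "no grant for this asset/action"
    if now > expiry:
        return False, "grant expired"
    return True, "allowed"

if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the output is reproducible
    cases = {
        "remote, signed, granted": make_request("vendor-tech", "plc-7", "read-diagnostics", "203.0.113.5", now),
        "inside, signed, no grant": make_request("vendor-tech", "plc-7", "write-logic", "10.20.1.9", now),
        "inside, unsigned": make_request("vendor-tech", "plc-7", "read-diagnostics", "10.20.1.9", now, signed=False),
    }
    for label, req in cases.items():
        print(label, "| implicit:", implicit_trust_allow(req),
              "| zero-trust:", zero_trust_allow(req, now))
```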
In addition to these approaches, network monitoring is important for ensuring secure remote access. That’s part of why the integration of IT and OT in the industrial environment is crucial. Both complement each other by providing increased visibility to enable active network monitoring. Remote access is beneficial for OT if implemented correctly and securely.
Conclusion
One of the key factors that have slowed the growth of industrial cybersecurity is the lack of codified, coherent standards and guidelines to be adopted by both infrastructure owners and suppliers. Today, standards such as the NIST Cybersecurity Framework (risk management), NERC CIP standards (for critical infrastructure), the ISA/IEC 62443 series of standards (for ICS/OT specialists) and ISA99 (automation), among others, exist to improve the cybersecurity landscape for industries. Companies need to adopt new best practices to successfully adapt to the changes ongoing in industrial cybersecurity.
About the Author: Abiola Esan is a Content Writer, Thought Leader and Tech enthusiast. She writes about Blockchain, Info Security, Artificial Intelligence and related topics.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.