The Internet of Things (IoT) has changed the way we connect with the world. From wearables and accessories to speakers and thermostats, these devices connect to the Internet or use specialized hardware to help you monitor your bodies and your home. The advancement of IoT is also changing the way industries conduct business, but the transition to the Industrial Internet of Things (IIoT) has not been as easy.
Industrial IoT aims to provide the same at-a-touch-and-glance convenience of existing IoT devices to Industrial Control Systems (ICS) that are made up of interconnected control systems for industrial process control. As these technologies are adopted and implemented, where does security fit in? The data of our wearables, the accuracy of the data in industrial control systems, and the high availability of these networks make up the three pillars of security: confidentiality, integrity, and availability (CIA). Confidentiality is limiting access to information, Integrity is the assurance that information is trustworthy and accurate, and Availability is reliable access to information for an authorized group of people. However, IoT and industrial IoT devices do not prioritize the same areas, where IoT wants to protect your personal data, industrial IoT wants to protect human lives.
Figure: An example of an industrial IoT bottle-making unit.
Naturally, the need to protect lives is clear, but all aspects of CIA are necessary for safeguarding those human lives. The time has come for industrial IoT to embrace information security the same way it has embraced human safety.
IoT and IIoT Security
As IoT grows in usage and innovation, security concerns become more imminent. But aside from direct security threats, organizations in these industries have vastly different security priorities. For instance, if you’ve ever used a wearable device to track your health, you might have wondered where your data ends up, or if anyone can view it. You’re not alone, and for this reason, wearable security has focused on privacy as it becomes a legitimate and growing concern for IoT users. In contrast, industrial IoT focuses heavily on the safety and availability of their internal networks, pipelines, and instrumentation—where IoT security focuses on protecting the Confidentiality consumers, industrial IoT security focuses more on protecting the Availability and Integrity of ICS.
The differences in security priorities complicate matters because each layer of security brings its own set of requirements. The kind of requirements also heavily depends on the type of software at hand. For instance, an IoT device has an average lifespan of 5 years, whereas an industrial IoT device may have a lifespan of 20+ years. With such long lifespans under consideration, the security standards will require much more elaborate development. Fortunately, there are currently software standards to start with. The international standards ISO 62443 and 27034, provide guidance on building security controls in software. Covering the entire CIA triad, ISO 62443 is considered an industry-specific standard that defines the technical security requirements for automation systems, and ISO 27034 offers guidelines for information security related to application systems.
Today, software security is not being fully addressed for either IoT and industrial IoT systems because there is not always a strong enough case for businesses to invest in it. However, it is far more challenging to achieve robust software security for industrial IoT technologies. This is mainly due to ICS being designed to function in closed systems that never having had a need for robust software security or even software standards. Moreover, much of the legacy infrastructure used by ICS cannot be easily retrofitted for industrial IoT—for example, consider the process for securing the software in connected vehicles, just one branch of ICS. Industrial IoT and ICS are lagging behind in terms of software security and the standards that govern it. Without a concerted initiative to establish a set of guidelines for industrial IoT security, modernizing ICS will continue to be a struggle.
The Challenges of Industrial IoT
Reconciling Software Security with Legacy Infrastructure
As industrial control systems transition to IoT, Cloud and technology risks increase, creating complex security challenges. To put these hardware and IoT software systems together in a functional way, however, is very costly; it can be exorbitantly expensive to update legacy hardware systems, and changing such systems may even lead to safety issues. Furthermore, these industries have highly-complex supply chains with multiple tiers and fragmented technologies. In fact, out of 200 organizations, most could not identify 40% of the devices on their networks or have visibility into what these devices were doing at any given time. Often, different components come from different vendors. Relying on third-party vendors, who move at their own pace and according to their own processes, means that difficulties will likely arise in the attempt to implement uniform secure IIoT software processes across all systems.
Unifying on Security Standards
Since IIoT is new frontier, there are no widely accepted security standards in place. To add, creating appropriate standards and best practices for these industries is a uniquely daunting challenge. Governments and commercial businesses are independently working on such standards at the same time. However, they now need to ensure that their standards don’t diverge, which could exacerbate the problem of using a uniform set of best security practices.
The Business Value of IIoT Security
Put simply, if organizations don’t have a business case to adopt modern security best practices, they won’t. But, once industrial systems transition to IoT technologies, the attack surface and technology dramatically increases. Gartner predicts that by 2020, more than 25% of recognized attacks on enterprises will involve IoT-connected systems, despite less than 10% of IT security budgets being put towards such systems.
With IoT technologies transforming how businesses run, the way that software security is managed also needs to be transformed. The need to establish a uniform set of standards that serve as a guideline for industrial IoT organizations is essential for aiding in their transition. It’s no surprise that organizations are already working to create these standards, independent from the government; however, without strong collaboration from the industry, the effort is delayed. Application security is not a simple task, and as the attack surface for industrial IoT and ICS increases with its connectivity, software security and human safety guidelines become indistinguishable—they both serve to protect us.
“Gartner Says Worldwide IoT Security Spending to Reach $348 Million in 2016”. Retrieved 11 May 2017.
About Security Compass
Security Compass, a leading provider of cybersecurity solutions, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, allows organizations to balance the need to accelerate software time-to-market while managing risk by automating significant portions of proactive manual processes for security and compliance. SD Elements is the world’s first Balanced Development Automation platform. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries. The company is headquartered in Toronto, with offices in the U.S. and India. For more information, please visit https://www.securitycompass.com/