There is an urgent need to integrate the connected, and software-enabled devices and systems that constitute the Industrial Internet of Things (IIoT) into a cohesive system to ensure they are less vulnerable to cyber-security threats, noted the 2018 SANS Industrial IoT Security Survey.
The report noted that even though some companies are starting to provide independent guidance on how to reduce risks to IIoT solutions, no internationally recognised standard yet embodies a comprehensive reference architecture that can aid companies in their pursuit of reducing security risks to IIoT solutions.
Thanks to the proliferation of Internet-connected devices and systems as well as the growing reliance on analytics, artificial intelligence (AI) and machine learning, today's organisations are quickly transforming themselves to adapt to the digital age and to optimise efficiency. However, a lack of security in such devices and systems could render information technology, engineering and operational services vulnerable to cyber-attacks.
The survey revealed that many organisations are poorly-equipped to handle cyber-security incidents and suffer from lack of visibility into their IoT infrastructure. Sid Snitkin, vice president for cyber security services at ARC Advisory Group said that while organisations are concentrating on predictive maintenance and operational improvements, the major concern areas are over-dependence on cloud services, dependence on equipment manufacturers (OEMs) to provide secure devices, lack of control over development processes, and complex supply chains.
Considering that the installed base of IoT devices is forecast to triple from 23.14 billion in 2018 to 75.44 billion in 2025, not only is there a need for expansion of the Internet's address space to accomodate this growth, but also corresponding advancements into increased visibility, efficiency, security and control over these connected assets.
More than 200 IT security experts who were surveyed by SANS Institute said that while 32 percent of their IIoT devices connect directly to Internet, bypassing traditional IT security layers, 72 percent rely on IP suites to control, configure and collect data from devices, 71 percent of devices are already used for monitoring (process health, condition monitoring), and only 41 percent collect specific security and operations data about IIoT devices and systems.
The report added that in the next two years, the leading threats will pertain to IIoT life-cycle management issues and human error, while the top reported risk will related to security considerations in product and system installation, configuration, service, support and maintenance.
"Organisations need a road map that can guide stakeholders—users, integrators and vendors, asset owners and operators—in blending together formal definitions, data standards, common protocols, connectivity requirements and best practices to achieve the interoperability needed to have IIoT systems work together securely. The confusion over what constitutes an endpoint is just one example of why a framework specific to IIoT is needed," it noted.
Existing industrial standards on IT security are not suffifient to provide guidance for segmenting and safeguarding contemporary systems because none account for the borderless automation and control system architectures that IIoT has brought to industry. Many devices supplied by vendors also do not conform to consistent standards, such as communication protocols, enabled or disabled services, or methods for configuration, thereby making it difficult for organisations to manage or safeguard them.
When asked about the top IIoT concerns over the next two years, 56 percent of OT security experts told SANS Institute that their greatest concern is difficulty or lack of patching IIoT devices and systems, leaving them vulnerable, 41.67 percent cited accidental exposures resulting from user error and system complexity, 39.29 percent cited the difficulty in controlling, locating, tracking, preventing and managing IIoT connectivity to critical infrastructure and other mission-critical systems, and another 39.29 percent cited their failure to incorporate good security practices into the IIoT design, build, operate and maintenance lifecycle models for systems.
Other major concerns raised by the respondents included the possibility of IIoT "Things" being used as infection vectors to spread in the enterprise, lack of device and technology standardisation in a multivendor environment, shortage of vendor investments to incorporate security into the design of IIoT devices, systems and supporting products, and the possibility of denial of service attacks on IIoT devices and systems that cause damage or loss of life.
Commenting on the vulnerability of IIoT systems and devices to cyber-attacks, Dean Ferrando, systems engineer manager at Tripwire told SC Magazine UK that the development and deployment of an Industrial Internet of Things brings safety to the top of risk assessment as IoT manufacturers ship devices with little or no security, thereby making it critical for product developers to thoroughly examine the technology in the devices and guarantee that security is being programmed at the software stage to remove any flaws.
"When connected devices can make material changes in the physical world, life and safety become especially relevant to cyber-security. This is why security within critical infrastructure must be addressed at the highest level.
"Thankfully, as new devices and issues arise, there is an abundance of defence mechanisms and technologies to choose from. If industrial organisations are to avoid being hit by a cyber-attack, implementing a security hygiene strategy that incorporates educating the workforce alongside investing in the right technology needs to be in place," he added.