Three Practical Steps to Secure Enterprise IoT investments
Sravani Bhattacharjee
Technology Marketing Leader | Industrial IoT | Cybersecurity | AI
In a digital world, adopting the Internet of Things (IoT) is a necessity for businesses that want to remain competitive. Most industrial companies recognize the IoT as a key driver for digitally transforming their operations to improve efficiency and revenue.
However, unlike consumer IoT products (e.g. smart watches), to adopt Industrial IoT at scale, enterprises must commit to significant investments to revamp their equipment, infrastructure, people and processes. Since IoT systems interact with the physical environment, their associated risks are much higher as well.
Greater exposure to cyber threats is the flip side of connectivity and software technologies. Inherent software defects, unintentional errors, and malicious remote access into physical systems can cause harm to people, equipment and the environment.
There are already several reports of cyber-criminals breaking into critical infrastructure through remote access and spear-phishing emails. The compromise of the control system of a small dam in New York State and the power outage in Ukraine associated with the BlackEnergy malware are two notable examples.
According to SEC 10-Q filings and European financial releases, in 2017 there were at least USD 1 billion in losses attributed to malware infections at industrial companies.
The excerpt below highlights the serious nature of industrial cybersecurity threats.
“The consequences of an IIoT security breach are much more severe than compromises of traditional IT deployments. In the case of a hack in IIoT systems, in addition to the usual IT-based fallouts such as reputation damage and financial loss, there could be loss of life and/or environmental damage. Since IIoT systems interact with the physical environment, the security paradigms of e-commerce and IT infrastructures significantly differ in the cyber-physical domains in terms of attack vectors, threat actors, and impact.”
– Practical Industrial Internet of Things Security, Packt Publishers
To secure IoT investments, adequate vigilance must span board rooms to the factory floors. Let’s discuss a few practical ways to achieve this.
1. Define the scope
IoT Security is trickier than traditional Cybersecurity
Any industrial IoT solution involves technical complexities, multiple vendors, and domain-specific behaviors. This makes both the IoT threat landscape and mitigation measures rather tricky. Traditional cybersecurity chiefly focuses on protecting software programs and data from malicious access, both during storage and transport. IoT security goes a few steps further. In addition to data privacy, the system must also be able to recover from an attack safely and reliably. For example, if the control software of an autonomous car crashes while the car is driving at 65 mph, the car should respond gracefully to avoid fatal accidents.
Thus IoT security must be orchestrated at multiple levels, which demands contributions from developers, operators and management to secure IoT devices, compute platforms, communications and processes.
In the book “Practical Industrial Internet of Things Security” a four-tier approach is discussed to dissect and simplify the security management at every stage of the lifecycle. The four tiers are: 1) Endpoints and embedded software; 2) Communication and connectivity; 3) Cloud platform and applications; 4) Process and governance.
2. Be Prepared
The key facets of an IoT Security Program
In a software-defined connected world, security is not only about anticipating and preventing attacks. It is also about absorbing the consequences gracefully if an attack does happen. Enterprises that define a security program to protect their connected assets fare much better in lowering risks to their assets and liabilities.
“In addition to data availability, privacy, and integrity, an IIoT security program must ensure resilience and reliability in the event of an attack, which can be from external or internal adversaries, or due to inadvertent misconfigurations or natural catastrophes.”
– Practical Industrial Internet of Things Security, Packt Publishers.
For most traditional organizations adopting IoT, having a security program encompassing IT and OT is a new concept. Having a security program is however one of the key steps to protect their IoT investments. An IoT security program encompasses both proactive and reactive security measures including: risk assessment, policy definitions, regulatory compliance, security monitoring, incident management and audits.
Detailed guidance on defining, implementing, and sustaining an Industrial IoT security program can be found in the book Practical Industrial Internet of Things Security.
3. Make it Practical
Sustainability depends on achievable goals.
“A practical security governance model must be able to right-size security for a specific business use case to ensure trust and compliance.”
– Practical Industrial Internet of Things Security, Packt Publishers.
Security involves cost. It also adds complexity and demands additional processing cycles on top of regular operations. There are too many IoT security products on the market to choose from, and their implementation and usage are usually far from simple. Besides, in a rapid-paced digital economy, innovation and time-to-market often take precedence over security and reliability.
These factors result in confusion around “how much to secure” during the design, development, deployment and operations stages of IoT solutions. Securing everything is unrealistic and often unachievable. Security must align with the unique risk profile of the use case.
Every IoT use case has its own technical and business requirements, and therefore its own security posture and attack surface. The steps to secure a smart city use case, for example, would be quite different from those for a smart farming use case.
By combining the 4-tier security approach with proper risk assessment, enterprises can “right-size” their security program by defining practical methodologies and achievable security goals.
IoT is a new concept. It converges the IT and OT paradigms and hence is inherently complex. So far there hasn’t been any single resource to provide comprehensive, practical and brand-agnostic understanding to secure Industrial IoT investments. Packt collaborated with the Industrial Internet Consortium (IIC) to come up with the book Practical Industrial Internet of Things Security, mainly to address this gap. The practical tools and guidelines for end-to-end protection of IoT assets are valuable for enterprises to secure their IoT investments, and are adequately explained in the book.
When executed properly, securing industrial IoT use cases need not be a nightmare. It’s rather a surefire way to digitally transform your business for greater efficiencies.
Industrial IoT Security is one of the top concerns in enterprise IoT adoption roadmaps. Yet, it is also one of the least understood topics. "Practical Industrial IoT Security" is designed for IoT practitioners and business leaders to gain expertise and actionable insights to secure their IoT architectures and investments. Find out more about this newly published IoT resource.