How To Can Protect Connected Machines With Industrial IoT Security

Many industries and businesses are experiencing digital transformations. There are many hotspots of investment and innovation in Industry 4.0, including big data platforms in supply chain and finance; automation in warehouses; AR in corporate training; and the Industrial Internet of Things.

Any professional who is responsible for vetting, deploying, and using connected devices and machines in the industrial IoT sector must be concerned. While IT budgets will continue to grow through 2022 and beyond, cyber-physical overlap will increase. However, cybersecurity incidents are not discriminating. Businesses large and small are at risk when they fail-secure their expanding networks of IIoT devices.

What’s the Deal with Industrial IoT Security?

In a matter of years, the IIoT has grown tremendously. The security issues are obvious when you have the right perspective.

The first step in a company’s digital transformation could be to install connected sensors on its machinery. These are potential attack vectors, provided they are protected from the right conditions.

The problem becomes more serious when companies use connected IoT technology in close proximity to customer records and company IP. It seems strange that Target’s customer-data breach, involving internet-connected air conditioners, was not foreseen with the benefit of hindsight. It was inevitable that it would happen at some point — and now it is, we should all be able to see the risks.

This is business as usual. Companies are accustomed to vetting HVAC companies that boast robust security protocols for their internet-connected A/C units.

Data mobility may be possible in-house during the early stages of digital transformations. Continuous connections to remote servers may be required for later upgrades. What happens if the risk vectors grow beyond one retail chain’s customers? Public utilities in the United States are usually owned and managed by opaque, private entities.

Utility companies have many reasons to use IoT devices, including water, electricity, and natural gas. This is to improve service and reliability. This rapidly expanding web connectivity presents many points of failure in cybersecurity.

The core of the industrial IoT security issue is that hackers could gain access to every connected CNC machine and every lathe, and every sensor along every mile of gas or water pipeline. While telemetry is not valuable, an unsecured IoT sensor could provide a way to more valuable prizes, such as financial information or intellectual property (IP).

The IIoT Security Situation by Numbers

Industrial IoT security is a problem that affects all sectors.

Tenable and Ponemon Institute released a March 2019 report that found that 90% of the organizations actively deploying operational technology — including transportation and manufacturing — had suffered one or more data breaches within the past two years.

Critical public services are the most vulnerable targets of IIoT-based attacks.

Colonial Pipeline and CNA Financial Corp. proved that many financial institutions, including the most serious attacks — and most public or quasi-public utilities companies might not have taken sufficient measures to protect their digital system. One of these attacks resulted in a compromised connected workstation.

IBM discovered that cyberattacks on manufacturers were most common in 2021. This is not surprising. Manufacturing companies are some of the most avid adopters of IIoT products.

It is extremely beneficial to combine the physical and cyber by studying or modeling the data and sourcing, fabrication, manufacturing, and transport operations across the industry.

This trend will reach its peak by 2025. Edge computing will soon be the norm in industrial settings such as plants and distribution centers. This will allow professionals to anticipate that 75% of operational information can be gathered using edge computing.

The IIoT’s defining feature is likely to be edge computing. Unfortunately, it comes with a double-edged sword. Cybersecurity in the industry today is a result of decision-makers being excited about the IIoT’s potential but not considering possible harm.

What should entrepreneurs and business leaders know about industrial IoT security?

1. Factory-Default Passwords Can Be Changed

In 2020, Deloitte research found that as high as 70% of connected sensors devices and devices use default passwords. It is vital that every device connected to the internet be changed at every stage of its life, regardless of whether it is being brought on a factory floor or in a smart home by remote employees.

Another issue is the use of weak passwords or repetitive passwords across multiple IIoT devices and other digital properties. Companies should create unique passwords that are strong and secure each time. Training materials should stress this importance as well.

2. Choose your Technology Partners Carefully

Synopsys research shows that almost all software on the market contains some open-source code. However, 88% are out of date. Additionally, outdated code can often contain unpatched software that has vulnerabilities.

Business decision-makers need to have a basic understanding of cybersecurity risks and be able to ask the right questions about potential technology and vendors. Any third party whose systems can pose a risk to a company’s digital system.

3. In Industrial IoT Security, Create Structured Update Processes

It may have been simple for small companies to manually update their IIoT systems. Today updates may not occur as often due to the sheer volume of devices that are being used. IT departments don’t always remember how to turn off auto-updates.

Researchers discovered an exploit in 2021 named Name: Wreck. It leverages four flaw TCP/IP stacks millions of devices use for DNS connections. Although these known vulnerabilities have been fixed, devices with older versions of the software are at risk from a hostile remote takeover. This means that billions of devices across all commercial and consumer technologies could be at risk.

Each company that adopts IIoT devices should understand how they will be updated throughout their lives and what happens when they become obsolete. Businesses should choose systems that provide automatic updates and have a long-anticipated operational lifespan.

4. You Might Consider an Outside Management Team

It is understandable to feel overwhelmed at the benefits and potential drawbacks that come with investing in technology for manufacturing, or any other sector. Companies that lack the resources and personnel to understand information technology and IoT security culture are at risk of successful attacks and vulnerabilities.

With investments in Industry 4.0, companies may not look before they leap. This could lead to a “set it and forget it” mentality that leaves software vulnerable and makes devices more susceptible to attacks. One of the most important trends in cybersecurity for 2022 will be more companies turning to external parties and technologies for secure and reliable identity management and ongoing access.

5. For Industrial IoT Security, Outsource Connected Technology

Software as a Service (SaaS), robotics as a Service (RaaS), manufacturing, and other similar business models are on the rise. Companies can’t afford to spend the money necessary to upgrade their software and invest in new technologies. It is often more economical to have the monitoring and installation of cyber-physical infrastructure outsourced to remote management teams.

This relieves you of some of the daily work and allows you to access the most recent technologies. It also reaps the benefits of delivering security updates to hardware as soon as they are available. This makes IIoT maintenance (including cybersecurity) more manageable and allows enterprise planners to concentrate on the actual value-adding work that they do.

6. Segment IT Networks, Implement Robust Device Management

Each IT network that controls connected machines must be kept separate from those that provide general back-office connectivity or guest connectivity. You should keep them hidden and limit the number of credentials that you have access to.

Poor or inexistent device management can also lead to data breaches by loss, theft, and social-engineering attacks against personal devices.

Hackers have an easy way to get into networks through poorly managed mobile devices, workstations, or connected machines. This is what companies need to know about device management.

• Connected devices that process company data must be eliminated or strictly controlled.
• Remote-wipe is a great way to delete sensitive data from mobile devices that have been lost or stolen.
• Make sure that team members know not to leave unattended logged-in computers or workstations.
• A credential lockout can be implemented on all connected devices and computers.
• All APIs and add-ons from third parties to digital products must be carefully reviewed.
• To protect the most important logins, use multifactor (2FA/MFA) or two-factor (2FA/MFA).

Safeguard Industrial IoT Security

Distributed computing presents a greater threat surface. The IIoT sector is still a young one. Some of these lessons were costly.

Companies considering IIoT investments will find many examples of what to avoid and resources to learn about cybersecurity expectations for connected machines. The guidance provided by the U.S. National Institute of Standards and Technology (NIST), on IoT device cybersecurity, is an example. The National Cyber Security Centre in the United Kingdom has similar resources regarding connected places and other things.

There are many options available to companies for protecting their IIoT-connected devices. It would be smart to put in as many safety protocols and procedures as you can.