By Don Schleede, Information Security Officer at Digi International
Throughout Cybersecurity Awareness Month in October, many organizations shared their thoughts on the state of cybersecurity and reflected on the processes and steps that can improve it. The discussion largely focused on protecting end-users rather than building security into networks and devices from a systemic perspective. Through its theme of “If You Connect It, Protect It,” however, Cybersecurity Awareness Month has also opened the door to conversations about IoT cybersecurity.
Most IoT discussions focus on consumer IoT – the smart trend-of-the-moment. That’s not surprising since consumer-centric applications and devices are increasingly visible in everyday life and provide that “living in the future” feeling that grabs attention. However, industrial and enterprise IoT applications have just as many implications, though they are perhaps slightly less visible, which means they receive far less attention and are less understood. It’s easy to assume that industrial IoT is more secure than its consumer counterparts since those applications are backed by large organizations facing greater security risks. However, that’s a mistaken notion: The industrial IoT’s struggle with security remains a challenge that is largely unaddressed.
Understanding the Industrial IoT
When we talk about IoT, we tend to think of devices and connected “things” – smart TVs, home security systems, self-driving cars, to name a few. We rarely consider the resources these “things” rely on or the networks that connect them. Yet these systems are underpinned by hundreds – perhaps thousands – of connected devices that, when compromised, can have far-reaching consequences.
To talk about industrial IoT security, we must first understand the types of disruptive security threats:
- Confidentiality threats – These intrusions expose sensitive or confidential information, including the viewing of data in the actual device or the theft/cloning of the device firmware itself.
- Theft of service – Authentication weaknesses or failures create critical vulnerabilities. Upgrade features, unlocked without authorization, are also an important threat.
- Data integrity threats – Unauthorized messages are introduced into a network, or an unauthorized party takes control of a device.
- Availability threats – Denial-of-service (DoS) attacks prevent the device from sending messages by flooding it with hostile traffic.
All of these disruptions can arise through different methods, from reverse engineering, micro-probing a chip, or exploiting unintentional security vulnerabilities in code to exploiting weaknesses in internet protocols, cryptography, or key handling. No matter the source, one thing is clear: We need to know where to improve security and how to close those gaps.
Building security from the ground up
Our analysis of active devices found that 43% of IIoT devices communicate insecurely. That’s certainly far better than consumer IoT devices (98% of which are unsecured), but the reality is that the number is still far too high, and the potential repercussions of these lax protocols are serious. From manufacturing, transportation, and utilities to healthcare and other industries, organizations must adopt key strategies to prevent and mitigate security issues:
- Security-by-Design: Vendors and customers repeatedly choose lower costs and faster go-to-market options instead of investing the necessary time and effort to design and build top-level security into their devices and applications. As vulnerabilities and attacks continue, organizations are – at last – beginning to factor in the risks (think: liabilities and compliance issues) caused by faulty security settings and inadequate encryption/privacy protection. Security is also gaining importance over the long run because it reduces the costs of potential breaches.
- Device Authentication and Identity: Passwords remain one of the most common forms of authentication – and one of the most common ways threat actors penetrate systems. Many organizations are opting for multi-factor authentication (MFA) that adds a second layer of access protection by requiring additional forms of authentication. From location-based options such as an IP address to something the user physically possesses like a phone or a key fob, MFA offers flexible controls for easier management and a smoother and faster user experience, while improving overall security even for physically dispersed devices.
- Updates and Upgrades: IIoT devices have a much longer lifespan than consumer IoT devices – as much as 10-15 years. Updating and upgrading the firmware and software for each device becomes increasingly challenging as the volume of devices in the field rises. An organization cannot just deploy thousands of devices. It must manage them throughout that lengthy lifecycle. IIoT leaders can offer centralized device management solutions to help administrators manage updates and patches, troubleshoot through out-of-band management, reconfigure devices, and monitor the health of the entire network. This holistic approach provides insight when a specific device is at risk and helps administrators mitigate issues before they worsen.
- Risk Assessments and IoT Regulations: As we move into 2021, the number of IIoT devices will continue to grow, requiring organizations to assess both devices and networks. For security professionals, this is already a best practice for all deployments. However, soon it will be the standard thanks to guidelines within NIST’s IoT security framework, legislative and industry regulations, and other mandates. This is a move in the right direction and a long-overdue step since large swaths of the IoT remain vulnerable today.
Awareness, Understanding, and Action
Embedded security is a critical requirement for a growing number of connected IoT applications and devices, especially as threats continue to rise. Although we continue to play catch-up with threat actors, we are seeing a gradual shift in the right direction. More leaders understand the need to improve security, and new regulations have identified and highlighted a problem that has been lurking for years. It is time for IoT vendors, developers, admins, and engineers to make security a top priority.
About the Author
Don Schleede is the Information Security Officer for Digi International, a Minnesota-based manufacturer of embedded systems, as well as routers, gateways, and other communications devices for the Industrial IoT. He has 27 years of experience in high-tech security and has been with Digi for more than seven years. Earlier, Don held positions as a developer, IT Operations Director, and IT Architect.