Understanding The Cybersecurity Risks Of IIoT Machines

Megan Ray Nichols

With each passing year, new technologies make us all more mobile, flexible and productive. Unfortunately, that level of convenience comes with elevated levels of risk. Nowhere is this truer than in the ongoing rollout of the Industrial Internet of Things, or IIoT.

The Risks and the Rewards

The potential rewards of embracing connected technologies in industry are clear. Networked devices help us learn more about the work we do and let us identify easier and more efficient ways to do it. Businesses have always generated large quantities of data, but the IIoT makes it more actionable by connecting each business process to the others. We can identify waste and opportunities and generally make better use of our time and resources.

It should go without saying, but connecting a panoply of physical objects to each other and to the internet, all at once, comes with certain expectations of risk — some of them very serious. If you haven’t yet familiarized yourself with the 2016 attack on Dyn — along with its fallout and implications — you should start now, because as things stand, the IoT and IIoT are veritable wild wests when it comes to avenues for attack.

Dyn provides an all-important service in helping direct internet users where they need to go whenever they type a URL into their browser. When attackers turned literally hundreds of thousands of unsecured IoT devices against Dyn, they brought major internet services to their knees, including The New York Times, PayPal, Netflix, Spotify, Twitter and many others. It was, at the time, unprecedented — and it’s only the beginning.

That’s scary, particularly when you start reading some of the predictions about the expected applications and massive rollouts of connected devices all across industry. Those in the know already see its potential and predict networked devices will be absolutely vital — not merely optional — if companies want to realize and maintain growth into the future. Accenture Technology is one such voice, prophesying that the IIoT will help bring about a new era of innovation and efficiency — along with untold potential for revenue growth.

What does this all mean? To put it mildly, it means you need a plan.

How to Protect Your Business in the Era of Ubiquitous Computing

No industry lives by the credo “time is money” quite like manufacturing. If your organization is forced to shut down manufacturing for just a single minute, it could cost you more than $1,000.

Again, we’re still figuring out just what this IIoT technology will look like when it’s safely scaled to suit industry and manufacturing. Even now, though, there are some basic things you can do to ensure your company and its assets stay safe as you ready your processes and workflows for IIoT adoption. Here are three of the main ones to consider.

No. 1 - Take Authentication Seriously

Start with the basics. If your company depends on a network with multiple users logging on and off throughout an average business day, there are absolutely no excuses for not taking authentication seriously. Ignoring this central tenet of cybersecurity is perhaps the best way to paint a big target on your IIoT devices and networks.

Pay attention to the credentials required for users to log on to computer terminals, hand scanners and any other connected devices you use in your facility. These machine-to-machine (M2M) networks are only as strong as their weakest link, which in too many cases is exceptionally weak.

Some industrial technology in the IoT realm comes with credentials literally programmed into the device. This is a strong security measure and should factor into your decision next time you need new equipment. In other cases, authentication — including proof of identity, passwords, physical keys, etc. — is quite up to you. So take it seriously.

You shouldn’t have unsecured devices on your network. Each time someone attempts to access your network, there should be measures in place to ensure they are who they claim to be. These include passwords, obviously, plus two-factor authentication and, in some cases, physical credentials like RFID-equipped badges or keys. The most secure networks will use some combination of these to comply with the immortal security mantra of something you have and something you know.

No. 2 - Create Siloed, or Segmented, Networks

The cascade failure we witnessed during the attack on Dyn wouldn’t have been nearly as bad if the networks leveraged by the attackers had made use of segmented architecture.

Put simply, this means your network is broken into discrete subnetworks. Whereas you used to have a single network in which each connected device interfaced with each of the others, network segmentation means that if one subnetwork falls victim to a third-party attack, not all your assets become vulnerable in turn.

Don’t worry if that sounds a little intimidating — best practices and regulatory guidance are available to help you through it. It’s also worth noting that segmenting your network in this way is difficult and perhaps impossible if you don’t know how many, or which types, of IT assets your network actually contains. If you don’t currently perform regular inventories of your connected technologies, it’s time to start.
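As an added illustration (not part of the original article), the sketch below shows why segmentation depends on an inventory: it checks observed traffic against a segment plan and flags devices missing from the inventory as well as cross-segment traffic that the plan does not permit. The segment names, address ranges, allowed paths, inventory and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): names and ranges are illustrative only.
SEGMENTS = {
    "office":  ipaddress.ip_network("10.10.0.0/24"),
    "plc":     ipaddress.ip_network("10.20.0.0/24"),
    "sensors": ipaddress.ip_network("10.30.0.0/24"),
}
# The only permitted cross-segment paths: (source segment, destination segment, port).
ALLOWED = {("sensors", "plc", 502), ("office", "plc", 443)}

# Constructed inventory: every connected device the site knows it owns.
INVENTORY = {
    "10.10.0.15": "engineering workstation",
    "10.20.0.5":  "line 1 PLC",
    "10.30.0.21": "vibration sensor",
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.30.0.21", "10.20.0.5", 502),    # sensor to PLC, permitted
    ("10.10.0.15", "10.20.0.5", 443),    # workstation to PLC, permitted
    ("10.30.0.21", "10.10.0.15", 445),   # sensor reaching into the office segment
    ("10.30.0.99", "10.20.0.5", 502),    # source is not in the inventory
    ("192.168.1.50", "10.20.0.5", 502),  # source belongs to no planned segment
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(flows, inventory=INVENTORY, allowed=ALLOWED):
    """Return findings for uninventoried devices and unpermitted cross-segment flows."""
    findings = []
    for src, dst, port in flows:
        for ip in (src, dst):
            if ip not in inventory:
                findings.append(("unknown-device", ip))
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            findings.append(("outside-segments", src, dst, port))
        elif s != d and (s, d, port) not in allowed:
            findings.append(("cross-segment", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

A device that appears in traffic but not in the inventory cannot be assigned to a segment with any confidence, which is why the inventory has to come first.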

No. 3 - Follow Existing Best Practices for Cybersecurity

Experts predict we haven’t seen the last of these kinds of widespread attacks on IoT, IIoT and other types of connected devices. For this reason, it will pay off in a big way to know your level of risk before you make too many sweeping changes.

Those same experts indicate that companies that do business in the energy and utilities, finance, health care and public sectors are most likely to be targeted. That’s not to say everybody else can breathe easy, though.

The best news is that cybersecurity experts aren’t really prescribing too many brand-new or prohibitively expensive security fixes to head off these kinds of attacks. Instead, they say, simply getting serious about adopting existing standards and best practices and staying informed about new developments is a great start to really protecting yourself. Dismaying polls reveal that a majority of companies out there today aren’t prepared for a widespread attack on their networks — so make sure you stand in that proud and hopefully ever-larger minority.

Thankfully, simply bringing existing network infrastructure into compliance with modern standards and adopting existing security controls should help harden the networks used in even the most heavily targeted industries.

Megan Ray Nichols is a freelance science writer. 
