According to analysts cited in AT&T’s report, “What Every CEO Needs to Know about Cybersecurity,” the number of connected devices could reach nearly 50 billion by 2020. You are probably seeing that happen inside industrial facilities around the globe.
Close to 35 percent of U.S. manufacturers are using smart sensors to improve operations. These devices are transmitting data, such as equipment operations, environmental conditions, and maintenance needs. Manufacturers are deploying sensors that measure and report machine tool tolerances, fluid temperatures, and other critical data. The growth of IoT is ushering in a new era of increased production and efficiency.
However, every new device introduced to the network also introduces new possible attack vectors and vulnerabilities.
When you connect sensitive data and sophisticated machinery completing essential tasks to the Internet, it is easy to see the risk for manufacturing and industrial operations. Further, you are often connecting information technology and operational technology, creating additional complications.
For this reason, IoT security goes hand-in-hand with physical safety. It is entirely feasible for hackers to compromise connected robots or other remotely actuated machines, potentially resulting in manufacturing errors, equipment or parts damage, or even injuries to employees.
IoT security is a formidable challenge for organizations of all sizes, and we realize each situation is unique. There are four universal steps that you can apply to the manufacturing sector:
No. 1 - Assess Your Risk
You cannot defend yourself against an unknown adversary. We found that just 14 percent of companies have a formal audit procedure in place to identify the devices connected to their network and whether or not they are secure.
Examining the risk from a network perspective is a good place to start. Network architecture alone can be a significant source of risk. Today’s IoT devices in a manufacturing environment combine industrial networks with information technology. This combination introduces new risks and possible threats, making it essential that these networks are brought together with security top of mind. Industrial networks often lack some of the fundamental network security controls that we take for granted on IT networks, from network segmentation to firewalls to deep packet inspection.
Unfortunately, industrial networks may be very difficult to retrofit with a more modern, highly secure design, due to the highly customized nature of the environments, the long life cycles, and the extreme focus on availability. Therefore, manufacturers must be careful to understand the vulnerabilities this combination might create.
Beyond the network, it’s also essential to assess the risk for your entire IoT system. Each partner, vendor, and contractor adds new layers of risk, and manufacturers should collaborate to understand if IoT devices were built with the appropriate security, if the operating system is highly secure, and whether information transmitted outside of the company or vice versa can be transferred in a highly secure manner.
No. 2 - Securing Information and Devices
At AT&T, we talk a lot about using a layered approach to help secure data and your device network. There are four key layers: the device layer, the connectivity layer, the data and application layer, and overarching threat analytics.
Existing security policies will need to be adapted to embrace these new security challenges for IoT. Securing the devices means thinking about things like enterprise mobile management systems that allow manufacturers to roll out applications, updates and upgrades across all devices while controlling who can access each device.
Helping to secure network connectivity means establishing authentication controls throughout the ecosystem, monitoring who can access the system and how often they can access it, and encrypting data and information as it crosses the network. You can even take it one step further and partition the networks of major industrial processes to help isolate and prevent a cyberattack from spreading throughout the organization.
Each individual data set and application should have detective controls to help identify breaches as they occur. The sooner you know about a possible attack, the sooner you can execute your response plan. This is a key priority, and our strategic alliance with Bayshore Networks is exploring solutions for industrial IoT ecosystems. AT&T and Bayshore are exploring ways to help ensure not only that the appropriate devices communicate with the operations control center, but also that the communications being transmitted make sense.
Manufacturers need to filter the data from each layer of an IoT connection through a threat management system to help identify risk and accurately understand how secure their IoT devices are, and address any possible vulnerabilities.
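The two checks described above (only the appropriate devices communicate with the operations control center, and what they send makes sense) can be sketched as a small detective control. This is an added example, not code from AT&T or Bayshore Networks; the device names, addresses, metric names and limits are constructed assumptions.

```python
from collections import namedtuple
Msg = namedtuple("Msg", "device src metric value ts")
Envelope = namedtuple("Envelope", "low high max_rate")  # max_rate: change per second
# Constructed inventory: device id -> (expected source IP, metric it may report).
ALLOWED_DEVICES = {
    "cnc-07-temp": ("10.20.1.17", "fluid_temp_c"),
    "cnc-07-tol": ("10.20.1.18", "tool_tolerance_mm"),
}
# Constructed plausibility limits; real ones come from the process engineers.
ENVELOPES = {
    "fluid_temp_c": Envelope(5.0, 95.0, 2.0),
    "tool_tolerance_mm": Envelope(0.0, 0.5, 0.05),
}

def check_message(msg, last_seen):
    """Return findings for one telemetry message; an empty list means accepted."""
    entry = ALLOWED_DEVICES.get(msg.device)
    if entry is None:
        return ["unknown device"]
    src, metric = entry
    findings = []
    if msg.src != src:
        findings.append("unexpected source address")
    if msg.metric != metric:
        return findings + ["metric not permitted for device"]
    env = ENVELOPES[metric]
    if not env.low <= msg.value <= env.high:  # also rejects NaN
        findings.append("value outside plausible range")
    prev = last_seen.get(msg.device)
    if prev is not None:
        dt = msg.ts - prev.ts
        if dt <= 0:
            findings.append("timestamp not increasing")
        elif abs(msg.value - prev.value) / dt > env.max_rate:
            findings.append("implausible rate of change")
    if not findings:
        last_seen[msg.device] = msg  # only accepted readings become the baseline
    return findings

def run(messages):
    last_seen = {}
    return [(m.device, check_message(m, last_seen)) for m in messages]

SAMPLE = [  # constructed telemetry
    Msg("cnc-07-temp", "10.20.1.17", "fluid_temp_c", 41.0, 0),
    Msg("cnc-07-temp", "10.20.1.17", "fluid_temp_c", 80.0, 1),  # jumps 39 C in 1 s
    Msg("cnc-07-temp", "10.20.9.99", "fluid_temp_c", 42.0, 2),  # wrong source
    Msg("hvac-99", "10.20.1.50", "fluid_temp_c", 20.0, 3),      # not inventoried
]
```

Findings from a check like this are what would be forwarded to the threat management system; rejected readings are deliberately kept out of the baseline so one bad value cannot mask the next.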
No. 3 - Align Your Organization and Governance for IoT
You are only as strong as your weakest link. The cliché rings even truer when discussing data security. IoT security needs to be a top-down effort that starts with the boardroom and filters to all frontline employees. Every employee should understand what function the IoT devices have, and the risk associated with those devices if they were to be compromised.
Leadership needs to be involved in the planning of an IoT deployment to see to it that security is at the core of all business decisions related to IoT deployment. Further, our research indicated that in businesses that actively involve their board members in IoT security, 70 percent of respondents are confident in overall IoT security plans.
No. 4 - Define Legal and Regulatory Issues
Many issues can be unique to your particular industry or line of business. When it comes to legal and regulatory concerns, it is vital to engage your legal counsel and experts to help you navigate potential pitfalls.
Organizations should embrace the rise of IoT. The age of connectivity is likely taking your business to new heights. It is important to understand the risks inherent in adopting these technologies. More information regarding how best to implement IoT technology can be found in our report, “AT&T Cybersecurity Insights Volume 2: The CEO’s Guide to Securing the Internet of Things.” You can read the full report here.
Bindu Sundaresan is a Strategic Security Solutions Lead at AT&T.