The Internet of Things (IoT) is transforming industrial applications across the globe by connecting and optimizing a growing range of processes, machines and people. But to fully realize the commercial value of the IoT ($3.88 trillion in value at stake over the next 10 years), manufacturers must be vigilant against the security risks inherent to the Internet.
Here are some important security questions to answer as your organization creates an IoT strategy:
What criteria help determine whether a device should be connected to the network?
Just because you can connect something doesn’t mean you should. If the risk of connecting a device outweighs the value, consider keeping it off the network. If you do decide to put it on the network, make sure the device uses standard Ethernet IP technology, and conforms to standards and best practices for delivering data consistently and securely.
By doing this, everything in the IoT is linked through wired and wireless networks using the same technology as the Internet. That means cyberattack prevention, data authentication and access control can be managed using the same security tools.
How can I ensure control systems are protected from IoT communications?
No one product, technology or methodology can fully secure industrial applications. Do your homework and devise a plan that addresses your current and future demands — because the number of connected devices will only grow (estimated at 20 billion by 2020). An unplanned network leads to sprawl, which in turn can lead to security lapses and breaches. A Defense in Depth approach, which combines multiple security layers, is optimal to address both internal and external threats.
At the physical layer, for example, ensure all unused ports are locked either programmatically or physically using lock-out connectors. Put policies in place to control human interaction with your systems, on-site or remotely. Authenticate who is on your network, authorize what they can do, and then account for their strict adherence to that authorization. Use best practices for network segmentation. Establish domains of trust, and leverage network infrastructure technologies like VLANs, VPNs, firewalls, ACLs and passwords to limit who and what can access your network.
Segmenting your network into smaller VLANs can help maintain security and provides a level of isolation, which can help avoid taking your entire network out if a problem occurs on one machine line (VLAN).
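The following sketch is an added example, not part of the original article: it audits a segmentation plan for the three controls described above (unused ports locked, VLANs as domains of trust, ACLs limiting access). The VLAN names, addresses, port number, ACL rules and inventory format are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: VLAN subnets, an ordered ACL and a port inventory.
VLANS = {
    "enterprise": "10.10.0.0/16",
    "line1": "192.168.10.0/24",
    "line2": "192.168.20.0/24",
}
# ACL entries: (action, source, destination, TCP port or None for any port).
ACL = [
    ("permit", "10.10.5.20/32", "192.168.10.0/24", 44818),  # one server -> line1
    ("permit", "192.168.10.0/24", "192.168.10.0/24", None),
    ("permit", "192.168.20.0/24", "192.168.20.0/24", None),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
PORTS = [
    {"name": "Gi1/1", "link": True, "admin_up": True},
    {"name": "Gi1/2", "link": False, "admin_up": True},   # unused but enabled
    {"name": "Gi1/3", "link": False, "admin_up": False},  # unused and shut
]

def net(cidr):
    return ipaddress.ip_network(cidr)

def allowed(src, dst, port, acl=ACL):
    """First-match ACL evaluation; traffic matching no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, dport in acl:
        if s in net(src_net) and d in net(dst_net) and dport in (None, port):
            return action == "permit"
    return False

def unused_enabled_ports(ports=PORTS):
    """Ports with no link that are still administratively enabled."""
    return [p["name"] for p in ports if not p["link"] and p["admin_up"]]

def cross_vlan_permits(acl=ACL, vlans=VLANS):
    """Permit rules whose source and destination are not inside one VLAN."""
    findings = []
    for rule in acl:
        action, src_net, dst_net, _ = rule
        same = any(net(src_net).subnet_of(net(v)) and net(dst_net).subnet_of(net(v))
                   for v in vlans.values())
        if action == "permit" and not same:
            findings.append(rule)
    return findings

if __name__ == "__main__":
    print("Unused ports still enabled:", unused_enabled_ports())
    print("Rules crossing a trust boundary:", cross_vlan_permits())
```

Each rule reported by `cross_vlan_permits` is a deliberate exception to isolation and should have a documented owner and reason; `allowed` can then confirm that a host on one machine line cannot reach another line.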
How are IoT and Industrial Control System (ICS) cybersecurity different? Can they/should they be managed separately?
A good IoT cybersecurity plan includes prevention (setting policies and procedures to reduce risks), and resolution (mitigating the threat if a security breach occurs). This is fundamentally the same for ICS, and in fact may be even more important, considering the high potential cost of downtime for a company.
To truly gain the advantages and opportunities offered by the IoT, you need to accept the convergence of IT and OT infrastructures. This allows you to manage a unified network using the same technologies and personnel, which helps reduce asset and training costs. However, convergence is not a simple journey; increased collaboration will be required between departments, facilities and suppliers.
Most plant networks weren’t designed to connect with the enterprise, so a comprehensive assessment should be the starting point for developing your strategy and execution plan.
Who should be responsible for IoT cybersecurity?
Just as no single product, technology or methodology can fully secure industrial applications, no single provider can either.
Infrastructure owners need to use validated designs and best practices, and plan for what information will be available on the network, to whom and when. ICS providers need to furnish control systems that follow global standards and regulatory security requirements. OEMs and equipment builders need to follow best practice designs in their machine networks as well, so their machines can be easily integrated into their customers’ operations and meet their IT security policies, as well as OT performance objectives. Integration also saves money for customers: Machine downtime and travel expenses are minimized with an OEM’s ability to establish secure remote access from anywhere in the world.
What is the role of standards in managing IoT cybersecurity?
Standards are critical to realizing the promise of the IoT. Without standards, digital devices won’t consistently connect, leaving room for failure. Standards help ensure technologies and methodologies are proven and interoperable. They also help ensure that when “things” are put on the network, the data goes where it needs to, when it needs to, and arrives securely.
Solution providers are available to help you better secure your network with existing products and solutions built on today’s standards. Following these standards today will allow you to guide the evolution of your infrastructure and avoid network sprawl.
The opportunities presented by the IoT far outweigh the challenges if managed with the right information and partners. Rockwell Automation, Cisco and Panduit established the Industrial IP Advantage as an educational community where manufacturers can share best practices for the use of standard, unmodified Ethernet for industrial applications. Look here for answers about how you can effectively and securely deploy information architectures that deliver true business value.
Mike Hannah of Rockwell Automation writes on behalf of Industrial IP Advantage.