Some IIoT devices are still playing catch-up with security, but technology advances now help protect connected devices from sophisticated cyberthreats.
By Scott Coleman, director of product management/marketing, Owl Cyber Defense Solutions, Inc.
Editor's Note: This article is adapted from a white paper, "The ‘S’ in IIoT Stands for ‘Security’." Download the free, full white paper to learn how and why connected devices evolved without security at top-of-mind and how that affects you now. Also learn the three types of effective security methods now being used by industrial firms to combat sophisticated cyberthreats.
Like other technological advances, the Industrial Internet of Things (IIoT) has had significant security growing pains. Myriad breaches and device vulnerabilities have weighed heavily on potential optimization and automation benefits. However, while IIoT systems and devices still have a long way to go before they’re considered highly secure, industrial firms have finally begun elevating connected device security throughout the operations technology (OT) and IT infrastructure.
Mobile technology and connecting the virtual world to the physical world has become the norm. Its growth has continued despite significant security challenges.
As a result, the IIoT devices are playing catch-up while the prospect of still-greater connectivity looms ominously in emerging technologies such as 5G. Let’s examine some of the causes and influences of why IIoT security sometimes is playing catch-up.
OEMs are incentivized to reduce the cost of goods on their equipment, and that means optimizing them down to only the most necessary — and sometimes cheapest — components. Devices are optimized for factors such as peak productivity, energy efficiency and long lifespan, and security can be last on the list, or left off altogether.
Changing one thing within the device may involve changing many others to accommodate. The entire device may need to be redesigned, and it could be months or years before the first iteration that includes security hits the market.
Lack of Investment
Beyond the changes to the equipment itself, adding in security would also mean additional costs in staff, new components and development. While this is a valuable investment for the OEM, the added overhead costs cause a longer time to production and higher cost to the consumer, which can severely hamper competitiveness in a tight market.
As they were initially developed and adopted, industrial automation systems and controls typically weren’t Internet-connected. Because OT networks were disconnected from the outside world, end users and OEMs focused on productivity and safety. As such, the OT environment never really needed much of a cybersecurity element.
As connectivity and smart devices crept in, however, industrial users began to demand the valuable performance and monitoring data they generated, and OT systems began to converge with IT. The problem, of course, is that while the IT security systems had years of maturity behind them, OT security had gone nowhere.
In addition, the traditional IT security systems were ill-equipped for OT networks and equipment, so they couldn’t simply be extended into the OT space. This left connections into exposed, vulnerable OT infrastructure and inevitably led to successful IT-to-OT malware attacks such as Stuxnet, Shamoon and BlackEnergy.
Maintenance and Reliability
Historically, OT has been designed to last, and because most operators subscribe to the “if it ain’t broke, don’t fix it” mentality, the life cycle its systems and devices may stretch on for decades. Because they probably haven’t been upgraded — or if add-on security isn’t possible — they’ll need to be replaced to be secure. This causes significant disruption to day-to-day operations, requiring months of planning, and any downtime is far more costly and significant than in the IT space.
This longer life cycle also means IT-based security (firewalls, etc.), which are designed to follow the IT replacement cycle, require specialized security skills, and have ongoing maintenance, don’t fit as well in the typical OT space.
Adding connected third-party technology also can create security issues. Additional update schedules, unknown or backend APIs, proprietary services, and configuration limitations are only a few of the potential problems. In some cases, the vendors themselves will require access to their equipment, opening yet another possible attack vector into the OT environment.
More Secure Than Ever
With advancements from OEMs, automation suppliers and security vendors providing a pathway to protection from the perimeter to the edge, the way ahead for IIoT looks much brighter and far more secure.
Owl Cyber Defense, based in Danbury, Connecticut, is an EncompassTM Product Partner in the Rockwell Automation PartnerNetworkTM program. The company provides next-generation cybersecurity. Its hardware-enforced data diode technology for cybersecurity has been deployed in more than 2,000 solutions across government, military and critical infrastructure networks.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.