IIoT Security: Obscure, Encrypt and Design Wisely
With data being the “new oil,” now more than ever it needs securing. This is especially true when it is coming from the manufacturing floor and as part of the Industrial Internet of Things (IIoT). A single successful cyber attack on the IIoT can cripple critical services, civic infrastructure, agriculture or energy and put people’s safety at risk.
Security breaches of the IIoT have been happening over the past three years. A prominent example was the Mirai botnet. It infected thousands of IoT devices, including cameras, to mount a high-magnitude DDoS attack that caused websites such as Etsy, GitHub, Netflix, Shopify and SoundCloud to fail under the traffic. The attack code relied on the stark reality that network deployment pros rarely change the default usernames and passwords on the devices they install.
Data and Manufacturing Investments are Exploding
According to IDC, real-time data is set to grow at 1.5x the rate of total data creation, rising from under 5% of the global datasphere to over 25%, with IoT devices accounting for 95%+ of data generation and nearly 20% of the 163 ZB of data generated by 2025 being critical to daily life. From a total spending perspective, IDC also forecasts that discrete manufacturing and transportation, the two largest sectors for IoT spending overall, will each exceed $150 billion in IoT spending by 2022.
An Acute Need for Securing the IIoT’s Data
There are multiple, separate issues to address when securing IIoT data. Traditional security approaches such as VPNs, anti-virus (AV) and firewalls will not necessarily work with today's IoT devices and multi-cloud systems, in part because the devices being connected, such as sensors attached to factory machines, cameras and RFID tags, run ultra-lightweight software.
Most of these devices run minimal software and lack the chips needed for on-board security, so they cannot support deep security functions themselves. This gap has to be compensated for elsewhere in the architecture.
The Core Principles of IIoT Security
To help ensure IoT security, the following core security principles need to be adhered to for IoT Platforms:
- Adopt universally accepted communication protocols and network security standards
- Embrace only approved and validated/certified libraries or build these in-house to assure their integrity
- Conduct continual updates to ensure the most current and strongest future-proof defenses are in place
- Commit to having no secret or master permissions, and therefore no loopholes. Set the default permission to none to ensure the most robust security.
Edge of the IIoT
When it comes to the edge, knowing where sensitive data is being transported and ensuring it is never exposed along the way is one key to security success with the IoT. All edge-gateway-to-cloud traffic should be secured with encryption, such as TLS 1.2. This obscures the data using key-based security systems that feature strong encryption and hashing. More specifically, there should be certificate validation during the handshake phase to ensure the gateway is connecting to an authentic server in the cloud. Each data packet's signature is calculated by the edge gateway using a designated secure key. The server verifies data integrity by recalculating that signature. Non-conforming packets are immediately discarded.
The Wide Area Network and Cloud
At the “transport tier,” organizations must secure the cloud, where ‘data in flight’ traverses the Internet. Cloud services like AWS and Azure are now “ready-made” for IoT applications, so ensure that the package you adopt compensates for all weak points. The systems in the cloud should perform edge device authentication and data integrity checks using a key-pair (access key/secret key) based mechanism. Key pairs can be shared among multiple gateways.
Alternatively, software-defined perimeter technologies are emerging that readily support lightweight devices at the edge and also make use of strong encryption over the network. Think of a Virtual Private Cloud with private IP addresses that is protected and encrypted just for the IIoT traffic flowing through the less secure Internet. This takes the place of the VPNs used in traditional security systems.
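The per-packet signing described in the edge section and the access key/secret key check described for the transport tier are two halves of one mechanism: the gateway tags each packet with a keyed hash, and the cloud ingestion side looks the gateway's secret up by its access key id, recomputes the tag and discards anything that does not match. The following is an added example, not code from the original article or from Altizon; the gateway id, the in-memory key registry and the packet field names are constructed for illustration. It goes slightly beyond the text by also rejecting replayed packets via a per-gateway sequence number.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: hypothetical key registry on the cloud side, mapping a
# gateway's access key id to its secret key. In production this lives in a
# secrets store or HSM-backed service, never in a source literal.
CLOUD_KEY_REGISTRY = {
    "gw-plant7-001": secrets.token_bytes(32),
}


def canonical_bytes(packet: dict) -> bytes:
    """Deterministic encoding of the fields covered by the signature.

    Sorting keys and removing whitespace means gateway and server produce
    byte-identical input to the MAC regardless of dict ordering.
    """
    body = {k: packet[k] for k in ("access_key", "seq", "ts", "payload")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_packet(access_key: str, secret: bytes, seq: int, ts: int, payload: dict) -> dict:
    """Edge gateway side: attach an HMAC-SHA256 tag computed with the gateway's secret."""
    packet = {"access_key": access_key, "seq": seq, "ts": ts, "payload": payload}
    packet["sig"] = hmac.new(secret, canonical_bytes(packet), hashlib.sha256).hexdigest()
    return packet


class IngestServer:
    """Cloud side: authenticate the gateway and verify packet integrity."""

    def __init__(self, registry: dict):
        self.registry = registry
        self.last_seq = {}  # access_key -> highest sequence number accepted

    def verify_packet(self, packet: dict) -> bool:
        secret = self.registry.get(packet.get("access_key"))
        if secret is None:
            return False  # unknown gateway: no key to check against
        try:
            expected = hmac.new(secret, canonical_bytes(packet), hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return False  # malformed packet: missing or unserialisable fields
        # Constant-time comparison so tag mismatches cannot be timed.
        if not hmac.compare_digest(expected, str(packet.get("sig", ""))):
            return False  # non-conforming: tampered payload or wrong key
        seq = packet["seq"]
        if not isinstance(seq, int) or seq <= self.last_seq.get(packet["access_key"], -1):
            return False  # replayed or out-of-order packet
        self.last_seq[packet["access_key"]] = seq
        return True


def demo() -> dict:
    """Run a good packet, a tampered copy, a replay and an unknown gateway through the server."""
    gw = "gw-plant7-001"
    server = IngestServer(CLOUD_KEY_REGISTRY)
    good = sign_packet(gw, CLOUD_KEY_REGISTRY[gw], seq=1, ts=1700000000,
                       payload={"machine": "press-3", "temp_c": 71.5})
    tampered = dict(good)
    tampered["payload"] = {"machine": "press-3", "temp_c": 20.0}  # altered in transit, tag unchanged
    rogue = sign_packet("gw-unknown", b"\x00" * 32, seq=2, ts=1700000001, payload={})
    return {
        "good": server.verify_packet(good),
        "tampered": server.verify_packet(tampered),
        "replay": server.verify_packet(good),
        "unknown_gateway": server.verify_packet(rogue),
    }


if __name__ == "__main__":
    print(demo())
```

This application-level check sits inside the TLS 1.2 session, not instead of it: TLS protects the bytes on the wire, while the keyed tag lets the ingestion server tie each packet to a specific gateway identity even after the TLS connection has been terminated at a load balancer. The registry here holds one secret per gateway; where key pairs are shared among several gateways, as the article allows, a single leaked secret exposes every gateway using it, so per-gateway keys are the safer design where the fleet can manage them.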
Where IoT data is kept within the enterprise local network in databases, Virtual LAN policy enforcement must occur on all servers by default, with policies that permit only specific traffic. All other traffic is rejected: no ping, no passwords. At the OS level, urgent security patches should be applied immediately across all assets, and each successful version update should be charted and recorded. Disks should be Azure SSD-based and automatically backed up. Servers with disk-level encryption should also take daily database backups to the cloud, and older data should be archived when it expires.
Data ingestion servers, which sit behind the hardware load balancer, are provisioned in Azure Cloud. The load balancer comes with its own DDoS and security-breach detection and prevention system. All database connections are encrypted with TLS 1.2 and authenticated with a username and password, and data is stored on encrypted disks.
The Data Presentation Layer
Lastly, at the data presentation level, or application layer, data owners must protect IIoT data once it reaches databases, from where it can be shared across mobile devices and apps, desktop applications and other endpoints. Here at the presentation level, edge connections to downstream systems like OPC UA can be configured over TLS 1.2 with certificate verification. This provides end-to-end encryption from data acquisition to the point where the data is stored in a database in the cloud.
Security: Central Factor for IoT
Despite massive investments in cybersecurity programs, research by the Ponemon Institute, including a survey of 4,000 practitioners, found most businesses are still unable to stop advanced, targeted attacks — with 59 percent believing they are not realizing the full value of their defense arsenal, which ranges from 10 to 75 security solutions.
Securing the IIoT is surely a different animal from securing mere enterprise software, but using the right principles can protect manufacturing and industrial data effectively, letting the IIoT do its productive work. Achieving this at the highest level takes many steps to account for the varying layers of the network and the liabilities of edge devices, but putting these measures in place means enterprises can protect their data and harness the power of the IIoT to improve their business processes.
Vinay Nathan is Cofounder & CEO at Altizon, a global IIoT (Industrial IoT) platform company. He is a strategic thought leader with 15+ years of global expertise in corporate sales and engineering. Vinay holds three patents in the US and four globally pending patents on work related to USB, wireless and security code. He holds a Master’s degree in Computer Science from the University of Southern California, LA and a Bachelor’s degree in Computer Engineering from the University of Pune.