Design Engineering’s IIoT security primer

The past few years have seen an explosion of the IIoT/Industry 4.0 movement within engineering circles. News outlets, industry conferences and company meetings have pulled these concepts every which way to discern if, why and how to implement them. But like any shiny new toy, companies can be too eager to jump on the potential of IIoT before fully understanding it.

One concern that continues to stifle uptake of the technology is security. Opening up manufacturing facilities that have traditionally operated in a closed system to the wilds of the Internet raises understandable worries and an abundance of questions.  

“The first thing you’ve got to do is understand what you have at your disposal,” says Sean Harris, a regional manager of U.S.-based IIoT software firm, Pixel Velocity. “Until that’s done, you can’t really do anything about your security.”

For industrial cybersecurity companies like Claroty or Nozomi, asset identification is the crucial first step they perform for clients to establish an IIoT security foundation. For example, Harris says, clients often under-estimate how many connected devices live on their network. What seems like 500 turns out to be more than a 1,000 after a routine port scan of the facility network. This situation often results from companies’ overeager efforts to expand, connecting systems that haven’t been “OK’d,” by the IT department.

“By adding more devices and more sensor data to help hit your ROI, you’re putting stuff out on the edge at a rate that your network can’t keep up with,” Harris says. “So you’re putting these makeshift wireless networks out on these remote sites as well and you’re bypassing your SCADA system for a large part.”

For Daniel DesRuisseaux, director of cybersecurity for Schneider Electric, working in phases not only gives customers control over how they implement IIoT solutions, but it adds a layer of control as to how quickly a device network expands.

“You could say, for example, that ‘our goal is to enable all of this functionality,” he says. “In the first phase, we’re only going to go after information from these cells or these locations and we’re only going to focus on data for preventive maintenance,’”

“From there, you’d do your analysis and say ‘Here are our risks, here’s what we should do,’” he adds. “In the future, you would implement phase two: You would increase the scope of the geography or add additional features. It just gives you more control over your expansion and there’s fewer opportunities for mistakes to be made regarding security.”

After identifying what’s connected to your network, the next logical step is to define end results. Whether it’s predictive maintenance through a platform like Canvass Analytics, or automating certain functions on a production line, implementing solutions without understanding your ROI is a recipe for creating security vulnerabilities, IIoT experts say.
For Ben Hope, business development manager for electric automation at Festo Canada, the security conversation should begin early, during the practical application phase. Too often, he says, customers misunderstand the fundamental workings of IIoT and look to implement security through containment.

“The big fortune 500 manufacturers are very concerned with security; often they want to leave the internet and the cloud out of the equation,” Hope says. “They’re saying they want the benefits of IIoT but they don’t want to be on the internet. Of course, we can keep everything contained and off the cloud, but certain services, readily available on the cloud, would be prohibitively time consuming and costly to implement independently within the enterprise.”

Given that IIoT, by its nature, requires some connectivity to services outside the enterprise, security through obscurity isn’t a viable strategy, says Joe Slowik, adversary hunter for Cybersecurity firm Dragos.  

“Short of industries where it is legally required for no connectivity to exist, operators have to assume their network is connected,” he says. “Thinking that it is air-gapped or isolated is a false assumption. Instead, [companies] should try to orient their defense around recognizing the eventuality of an attack while still allowing IIoT systems to function.”

To strike that balance between security and functionality, says Harris, companies need to bring their operation technology (OT) and information technology (IT) together. Unfortunately, collaboration between these two realms hasn’t always been harmonious, he says.

“Seven or eight years ago, it could be pretty nasty,” Harris says. “[IT and OT] didn’t really like each other and neither one wanted the other snooping around in their responsibilities. Now,  we’ve seen a change after events like WannaCry, attacks or disruptions that really do some damage on an operational level. With the rise in popularity of IIoT, they can’t afford to be as siloed as they once were.”

Even so, Slowik warns that blindly applying IT security measures to an OT environment isn’t a workable solution. While IT cybersecurity techniques may be applicable, they require adaptation to function properly.

“It’s not so much that OT is different and that IT is not applicable,” he says. “The reality is that there’s been an IT-ifcation of the OT environment. IT technologies and practices might be applicable, the issue is that a simple copy/paste isn’t going to work because it’s going to result in operational impacts or operationally limiting results.”

Ultimately, IIoT security experts recommend that enterprises adhere to internationally recognized security standards as a best practice approach to harden operations. ANSI/ISA 62443, for example, provides end users and machine designers with procedures for implementing electronically secure automation systems.

“ISA 62443 is a fairly comprehensive standard in that it will say ‘Here are seven different areas of security features,’” says Ruisseaux. “If you have a general standard that ratchets up [in levels], I think that’s applicable across any industry. The hardening of features and products can be generically done.”

On a more granular level, implementing such broad security standards can be complicated but one of ANSI/ISA 62443’s strengths, DesRuisseaux says, is the ability to create modular “profiles” that can be tweaked to fit different industries.

“You have the concept of saying ‘I’m going to create a special profile where I can look at my 62443 standards, and say that ‘I’m going to create my water-waste profile.’ The water-waste profile is all of the features in security level one plus these three features in security level two, plus this feature from security level three. And then the oil and gas profile can be different and specific to its needs. This approach gives you a certainly modularity.

Slowik believes the ideal way to implement industry-specific best practices is through professional organizations like ISACA.

“That way, you get the best ways of doing these operations plus examples of how to execute security in these environments,” he says. “That also goes for specific companies and niches within industries so that the most relevant models are pushed out.”