Can IIoT’s Biggest Security Challenges Be Overcome?

When it comes to industrial applications, the IoT is quickly moving past the prototyping and experimental phase and moving to being a core requirement for successfully competing

With this rapid rollout, however, comes questions about security: Can industrial IoT devices be properly secured with existing technology, or is the rapid pace of adoption simply too fast to expect secure operations? While some steps can be implemented successfully with modern IIoT devices, more fundamental change might be needed in the coming years.

Device Security 101

While IoT devices in general are new technology, they’re still fairly standard computing devices. IoT devices often rely on IP addressing, and their operating systems are typically based on Linux or simpler embedded operating systems. The basics of security still must be met, and devices need to rely on strong firewalls and other technologies to prevent unauthorized use. Devices that are easy to compromise can quickly become part of botnets, and the widespread use of IoT devices will make them a prime target. Security challenges present on typical hardware are still present on IoT devices, and companies need to realize that, from a security perspective, IoT devices need a similar level of maintenance compared to their more traditional counterparts. Companies must implement basic security policies, but many aren’t. Default passwords, for example, are often left unchanged, making hacks trivial in some cases. Education about the nature of IoT devices and their potential risks can go a long way toward helping companies use their devices in a secure manner.

Update Must be Mandatory

Unfortunately, many early IoT devices were marketed and sold as black boxes, where the internals of the device were de-emphasized. As a result, many companies invested in devices with no clear update path, meaning security vulnerabilities may be left unpatched. Companies must invest in products with clear security update capabilities, as even the simplest of devices likely have potential security problems. This must be factored into overall operating costs as well, as rolling out patches across networks presents logistical issues. Note that reducing visibility isn’t sufficient to prevent unsecured devices from attack, as the sprawling and connected nature of IIoT networks means any minor vulnerability can lead to potential attacks on all other devices.

©Andrei Merkulov

Focusing on the Data

Compromised data is perhaps the biggest threat to secure IoT infrastructure, so knowing where data is kept is critical. Devices that transmit temperature readings, for example, aren’t typically a top priority, as there’s little that can be exploited with this data. Any customer or client information, however, can lead to major problems if it’s uncovered. Companies need to prioritize their centralized data storage, but special attention is needed for edge devices as well. Moving operations to edge devices is a great strategy, but processing on the edge means it needs to be secured as well as centralized servers to prevent critical data from being compromised.

Nimble Responses

Ideally, there would never be a need to react to attacks or hacks. In practice, however, most companies will face hacking attempts, and many of these attacks will succeed to some extent. Manual monitoring is still fundamental for securing devices, but companies also need to consider investing in artificial intelligence and machine learning to detect attacks early, especially subtle attacks people might not notice. Industrial operations tend to be fairly predictable, and software dealing with predictive maintenance and scheduling is already great at collecting and analyzing data. Folding security into these systems can lead to smoother operations.

Following Best Practices

Encryption alone won’t prevent data or devices from being compromised, but it’s a powerful tool for preventing certain types of attacks. Companies should ensure their devices can encrypt data, especially if it’s sent over the open internet. Passwords are a viable option in many use cases, but industrial IoT devices are also well-suited toward more sophisticated authentication systems. Logs related to IIoT operations can be especially large, but forgoing thorough logging may be a poor way to save a bit of storage space. Every industrial user of IoT devices will have different needs, but C-level executives and managers need to keep up with standard security practices in their industry to ensure their security investments follow tested and verified security practices.

For industrial operations, IoT devices provide tremendous power, and nearly all industrial users will quickly see a return on their investment when implementing IoT and edge devices. The basics of the IoT, however, are also fairly described as a security nightmare, and these risks must be managed to avoid potentially catastrophic attacks. Fortunately, expert help is available, and there’s been a general shift in the IT field to place a greater emphasis on secure implementations. However, companies can’t afford to view security as something that can be bolted on to IoT infrastructure; security planning must play a central role when designing, expanding, and running IIoT devices.