Why Segmentation is More Effective Than Firewalls For Securing Industrial IoT

The Internet of Things (IoT) has become a genuine phenomenon in recent years. It’s not only changed the everyday lives of ordinary consumers – there’s a plethora of IoT-connected devices, from smartphones to thermostats – but it’s also had a huge impact on the world of business.

The sheer ubiquity of the IoT shouldn’t be underestimated. According to a study from market research firm Gartner, the global total of IoT assets had risen to a massive 4.8 billion by the end of 2019, with further growth of 21 per cent forecast for 2020.

While the explosive growth of the IoT over the last few years presents immense opportunities for businesses, it also poses serious challenges. One of the most pressing of these is security, which has long been a major bone of contention for the IoT: it was initially felt to be a potential barrier to the growth of the technology, although that barrier hasn't yet materialised. The security of Industrial Internet of Things (IIoT) assets is therefore particularly sensitive. Ensuring reliable security and confidentiality is also, as much as anything, a fundamental duty to customers.

One of the crucial questions facing businesses today is how to keep IIoT assets safe and secure. Businesses across the board – from manufacturing and services to transportation and utilities – are reaping the rewards offered by the IIoT. Such networks of interconnected devices allow for major gains in efficiency and reliability. Nevertheless, security threats are an ever-present reality, and the rapid expansion of the IoT has complicated matters. The increasing overlap between voice over internet protocol (VoIP) and the IoT has also made VoIP cybersecurity another pressing issue for firms and organisations across the world.

The key decision with which businesses are faced, then, is whether to opt for a firewall or segmentation to protect their IIoT assets. Here, we’ll weigh up the pros and cons of each, and argue that segmentation offers a more effective and robust security option for securing IIoT assets than firewalls.

The security challenge

The IoT, as we’ve noted, has been the subject of frenzied growth in recent years. Given the speed with which the IoT has risen to global prominence, there inevitably remains some uncertainty about security issues. The sheer variety of security considerations to take into account makes it particularly difficult to establish a clear set of best practices for everyone to follow. There has, unavoidably, been a degree of confusion and improvisation in terms of developing IoT security processes.

Some IoT (and IIoT) devices lack effective, integrated security controls due to initial oversights at the design and manufacture stage. This means that manufacturers and users are forced to attempt to patch them further down the line. That’s the only option left to them to resolve security vulnerabilities that weren’t adequately addressed at the outset. We have seen similar issues with Android cybersecurity, with system updates continually being released to resolve security problems.

What further complicates things is the sheer complexity of IIoT ecosystems. They’re often composed of a melange of devices of different ages, which serve varied purposes. This complexity and difficulty in inventorying IIoT environments means that security flaws may go unaddressed, and potential risks may go unappreciated. When new devices are introduced, for instance, there may not be a clear appreciation of how to integrate them without disrupting the wider security architecture. There are also gaps in people’s knowledge of how IIoT devices interconnect with one another. All of this poses a very elaborate set of security challenges.

Securing your IIoT assets

We have established that there remains a considerable amount of confusion and uncertainty about securing IIoT assets. Part of the problem is the duality of the role of operational technology (OT) teams. They’re often having to deal both with IIoT devices and industrial control systems that may have been in operation for decades. Furthermore, the fact that OT teams have been tasked with managing IIoT-connected devices means that many information technology (IT) teams lack knowledge, experience, and understanding of them.

However, as IIoT assets aren't directly connected to the internet, hackers have to find and exploit other weaknesses in order to breach their security. These might include duping people with phishing emails (which is why staff need to be trained and reminded to be vigilant about the links they open), breaching weak passwords, or attacking inadequate remote access security. HD video conferencing calls may also be targeted by attackers seeking to gain access to confidential information. Viruses are another potential security threat, though the threats listed above are in fact more common.

Regular, detailed risk assessments must be carried out in order to determine security risks. This becomes all the more important as more devices are added to any network. That makes it that bit harder to determine which IIoT assets need protection, and what form that protection might take. Another problem is that security budgets are often strained, failing to grow in tandem with the proliferation of new IIoT-connected devices being adopted.

Segmentation vs firewalls

With all this in mind, businesses are faced with an important decision: whether to protect their IIoT assets via segmentation or through the deployment of internal firewalls. As we're so accustomed to using firewalls in our everyday lives (particularly on our own private computers, tablets, and smartphones) it might seem intuitive to use a firewall as a safeguard for IIoT-connected devices as well. However, the choice isn't quite so straightforward as it might at first seem.

Internal firewalls are expensive and complex to implement. It could be that for genuinely reliable protection, you need to install a firewall at every IIoT connection point. This could mean that hundreds (perhaps even thousands) of firewalls are required. We’ve already discussed how businesses’ technology security budgets are often overstretched. Taking this into account, security spend needs to be very carefully calculated and targeted.

Segmentation, on the other hand, makes it possible to keep particular types of devices siloed off in a certain segment, thereby enhancing security. It also helps to enhance visibility and simplify classification of different device types. Organisations can then create risk profiles and relevant security policies for device groups.

Effective segmentation, what’s more, makes it much harder for hackers to work their way laterally through the network. That reduces the risk of them compromising more systems and causing more damage. In the event of an incursion, an attacker would only have access – and be able to do damage – to the precise system they breached.
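As an added illustration (not code from the article), the following Python model captures the device-group policy described above: devices are assigned to segments by type, traffic between segments is permitted only where an explicit rule exists, and a compromised device's reach is confined to its own segment plus whatever the policy allows. The inventory, segment names and port rules are constructed for the example.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed inventory: each device is placed in a segment by its type.
INVENTORY: Dict[str, str] = {
    "plc-line1": "control",
    "plc-line2": "control",
    "historian-01": "data",
    "hvac-ctl-7": "building",
    "cam-dock-2": "building",
    "eng-laptop-3": "engineering",
}

# Constructed allow-list between segments: (src_segment, dst_segment) -> TCP ports.
# Any pair not listed is denied, so the policy is default-deny across segments.
POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("control", "data"): frozenset({4840}),          # OPC UA from PLCs to historian
    ("engineering", "control"): frozenset({44818}),  # EtherNet/IP from engineering station
    ("engineering", "data"): frozenset({443}),       # HTTPS to the historian front end
}


def segment_of(device: str) -> str:
    # Devices missing from the inventory land in a quarantine segment with no rules,
    # so an unclassified device cannot talk to anything outside quarantine.
    return INVENTORY.get(device, "quarantine")


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Decide a single flow: same segment passes, cross-segment needs a matching rule."""
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return True
    return port in POLICY.get((s, d), frozenset())


def reachable_segments(device: str) -> Set[str]:
    """Blast radius of a compromised device: its own segment plus explicitly allowed ones."""
    s = segment_of(device)
    return {s} | {d for (src, d), ports in POLICY.items() if src == s and ports}


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the flows a segment-aware monitor should flag: those the policy denies."""
    return [f for f in flows if not is_allowed(*f)]
```

Running `audit` over observed flows (for example from switch flow records) turns the same policy into a detection rule: a building-segment device opening a connection toward a PLC is reported rather than silently permitted.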

Segmentation, therefore, is a more viable option for most organisations than internal firewalls. It fits with the complexity of IIoT ecosystems, can efficiently repel or blunt cyberattacks, and is cost-effective.

About the Author

Sam O’Brien is the Senior Website Optimisation & User Experience Manager for EMEA at RingCentral, a Global VoIP and Call Centre software provider. Sam has a passion for innovation and loves exploring ways to collaborate more with dispersed teams. He has written for websites such as Channel Partners and Best Company. Here is his LinkedIn.