Rethinking Cybersecurity for the IIoT: Integrated, Automated and Adaptable

The rapid convergence of IT and OT is opening up cybersecurity gaps; the manufacturing sector will need to address this problem in the year ahead.
Published: January 12, 2020

Roughly 50 percent of industrial assets will be connected to some sort of network or Internet-based data-collection system by 2020, according to a report from IoT Analytics. While IT and OT traditionally operated in two separate worlds, the rapid convergence of the two is opening up cybersecurity gaps in manufacturing organizations. Because many OT systems were never designed for remote or Web access, not all connectivity exposures were considered.

As IoT and OT devices are increasingly being connected to OT environments, organizations are being exposed to attacks because these devices usually don’t come with well-maintained or strong embedded security features. This is a major security challenge and operational risk that the manufacturing industry will need to address in 2020.

The rapid growth in cyberattacks and breaches comes at a time when the cybersecurity field is already facing a talent shortage and IT personnel are overwhelmed by their existing workloads. A survey conducted by nonprofit cybersecurity professional organization (ISC)2 found that nearly three million unfilled cybersecurity roles globally, with 63 percent of respondents saying that their organization is experiencing a shortage of IT employees. Fifty-nine percent said that the shortage was actively putting their business at risk, while nearly a third said they lacked the resources to do their jobs effectively.

As a result, many organizations with the most to gain from the Industrial Internet of Things (IIoT), particularly in the manufacturing, health-care and government sectors, are facing a catch-22 of being left behind by the Industry 4.0 revolution and having critical data compromised by insecure systems.

Traditionally, the enterprise has had a circular paradigm of exploring new equipment and systems to suit new business needs. As new systems are needed in the enterprise, the attack surface expands, exposing new vulnerabilities. When the risk becomes high enough, the enterprise looks for security tools that address the specific needs at the time. The amount of effort and the level of complexity for a security administrator to manage all these different tools is high, and often exposes organizations to visibility and controls gaps in what already amounts to a large attack surface.

With the IIoT, the attack surface will rapidly expand as entire factories are connected to make operations faster, more intelligence and more efficient. To keep up, the enterprise will need to approach cybersecurity from an orchestration perspective. Integrating security solutions that address the entire protection lifecycle—onboarding, monitoring, segregation and risk mitigation—can streamline the security-management process for maximum usability and enforcement. When controls can operate in tandem, they can support a Zero Trust model of verification before granting access.

This orchestration will ensure a variety of safe measures, such as negating malware being introduced to the environment and providing more granular, segregated system access. With Zero Trust, every user, device, system, communication and piece of infrastructure is vetted before being allowed least-privilege access. By focusing on endpoint and access management, the attack surface is minimized even as the IIoT connectivity scales across the enterprise.

Another serious security consideration for the IIoT is regulatory compliance. After years of haplessly watching technology race ahead of regulation, governments around the world have started to enact regulations to protect consumers and mitigate security risk. A big focus for those adopting IIoT technology will be the increase in compliance requirements around IoT and IIoT devices as they proliferate in corporate networks and OT environments. It is one thing to see home video security systems like Ring compromised, but it is another when corporate HVAC or lighting systems are exposed.

When organizations do not know where a device is on their network, or who is accessing it and what it is communicating with, that poses severe risks. As a growing number of organizations adopt IoT and IIoT devices in the workforce, there needs to be security policy and controls in place. In the United States, much of this regulatory reform has been spearheaded by the state of California, which recently passed SB-327, the first law to cover IoT devices. The law took effect on Jan. 1, 2020, and regulators around the world will certainly be watching to see how effective the legislation is at reducing IoT device security issues.

For industries like health care, energy and government, these regulatory changes will further necessitate secure access, endpoint and device security control synchronization. As such, orchestration will be crucial to maintaining compliance as these regulations will surely evolve.

IIoT governance is rapidly reaching a make-or-break moment at a time when cybersecurity is also facing serious challenges. To manage the risk, the enterprise will need to shift away from isolated security solutions that only address one particular threat and look to more integrated, interoperable solutions that can be orchestrated to protect the enterprise across a wide range of attack vectors and business needed. In 2020, manufacturing and other industrial equipment-dependent organizations must explore processes, policies and technologies with their security peers to enact coordinated discovery, provisioning, monitoring, enforcement and threat response capabilities.

Prakash Mana, the chief portfolio officer at Pulse Secure, is responsible for delivering the company’s Secure Access vision, defining product strategy and roadmap, and operationalizing different go-to-market motions. Prakash has more than 15 years of experience building networking and security products. Most recently, he was the director of product management at Citrix, where he was responsible for security and gateway business. He holds BE and MS degrees in electrical engineering and an MBA from Carnegie Mellon.