Why is Security so Important in Industrial Internet of Things?
This blog post explains why security is so important in the industrial internet of things (IIoT). Our customers regularly ask us about security, so we'll go through the main points we discuss with them.
WHY IS SECURITY SO IMPORTANT IN IIOT?
When our customers ask whether security really is that important, we say, "Yes, it definitely is." Typically, we connect the operational technology (OT) and information technology (IT) spaces. When we connect something to the internet, for instance a ship (a traditional big bulk carrier out at sea, sailing halfway around the world), we're potentially opening it up to threats. For instance, someone could be sitting in their bedroom, hacking around. In theory, we're opening up the ship's control system to this person. Imagine how upsetting it would be to know the car you're driving to work every day could be controlled by this random person and that this person could also steer you off the road.
Hence, the worst-case scenario is that we're putting people's lives at risk. Never mind the potential loss of earnings and credibility. That is why our highest priority is to ensure that security in our customers' organizations is handled well.
WHAT DO YOU HAVE TO CONSIDER, AND HOW DO YOU MAKE SURE YOU ACTUALLY HAVE A SECURE SOLUTION?
A secure solution is something we discuss and advise our customers on regularly. There are lots of different ways to achieve this goal. It all depends on the company's size, whether a company is building or buying a solution, etc. However, there are some common things everyone needs to do.
TRANSPARENCY
Firstly, companies always need to look for transparency. It doesn't matter whether you are a 10-person or a 20,000-person organization.
How do you create transparency across your whole organization? By showing everybody:
- This is where we believe our threats are
- This is what we think we're doing to mitigate those threats, and
- These are the consequences if one of those threats happens
Let's imagine you're managing credit card debt. It'll get worse if you hide it and put it under the table. If you bring it out and talk about it, it'll be easier to see how you're going to handle it.
There are many resources on how to improve transparency. Typically, when you search for security resources, you get documents that are hundreds of pages long, and you don't even know where to start. Microsoft released an impressive 12-page whitepaper walking you through setting up a threat model and how you can translate that over to technical solutions. We'll try to demonstrate this for you:
1. WHAT THREATS DO YOU HAVE?
First, you must look at what kind of threats you might have. How do you mitigate these? Start by mapping them out. At a high level, that can be anything from:
- A physical attack, for instance, someone stealing your device to get access to your data or access to other parts of your organization.
- A natural disaster, for instance, a flood in your server farm which can bring down your whole organization.
- An informational leak, for instance, someone printing out some important information and leaving it somewhere by mistake.
- Hacking, for instance, the guy we talked about taking control of your ship.
There are many resources out there to help you discover where your potential threats are. One we like to recommend is ENISA, a European-run initiative that allows you to learn about actual threats.
2. WHAT CONSEQUENCES WILL THESE THREATS HAVE?
Second, you'll need to consider these threats' consequences. These can, for instance, be:
- Financial loss
- Death
- Brand reputation damage
- Legal problems, for instance, concerning GDPR
- Data loss
3. HOW DO YOU EVALUATE THESE CONSEQUENCES?
Thirdly, you need to evaluate these consequences. You can use some of the great evaluation techniques that are out there, such as:
- Network threat detection - scanning your network to make sure no weird things are happening on it
- Reviewing your offboarding strategy and password policies
- Penetration testing - have a third party try to hack into your solutions
MITIGATING THESE THREE STEPS
So how do you mitigate these three steps? It depends. We suggest you look into techniques like ENISA, or one of these:
Microsoft's STRIDE is a threat modeling technique in which you classify your threats according to the acronym STRIDE:
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
OWASP was initially an open-source technique for evaluating websites. However, it has developed into an IoT specification with rules for mapping out threats and evaluating them.
Once you sit down and map out all threats and consequences, you'll start noticing the holes in your organization. Hence, step number one is mapping these out and communicating them to the whole organization clearly and concisely, ensuring everyone understands them.
HOW SECURE IS THE ACTUAL SOLUTION?
After our customers have followed these steps, we'll ask them to look at the solutions they actually put out in the field. Let's imagine you own lots of boats or factories around the world where you have placed devices that transfer data. On top of that, you have a device transmitting data to a cloud solution. All these elements will have potential threats in them:
DEVICE
How can you make sure the device is secure? As with everything else with security, there's no one way to do it all. First, ensure you place the device in a secure area with locks and security badges, reducing the risk of the device being physically stolen. Regardless, ensure no intruders can access what's on the device.
Microsoft built Azure Sphere, a comprehensive IoT security solution to secure hardware. Even if someone steals the device, takes pieces out, and tries to re-engineer it, Azure Sphere makes it impossible to succeed with the attack. Even though such an attack sounds extreme and seems unlikely, you should add cryptographic keys to your device. A cryptographic key tells you that a device is yours, and not someone faking your device and sending fake data to the cloud.
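To make the role of a device key concrete, here is an added example (not code from this post or from Azure Sphere) in which the cloud side accepts a reading only if it carries a valid tag from a known device. It assumes a per-device symmetric key and HMAC-SHA256 as a stand-in for whatever key type your hardware provides; the names `sign_reading`, `Ingest` and `pump-07` and the key value are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; real keys live in a secure element or key store.
DEVICE_KEYS = {"pump-07": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}


def sign_reading(device_id, key, counter, payload):
    """Device side: tag the reading with this device's key and a rising counter."""
    body = json.dumps({"id": device_id, "ctr": counter, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Ingest:
    """Cloud side: accept a message only if the tag verifies and the counter is new."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def accept(self, message):
        try:
            body = message["body"].encode()
            tag = bytes.fromhex(message["tag"])
            fields = json.loads(body)
            device_id, counter = fields["id"], fields["ctr"]
            if not isinstance(device_id, str) or not isinstance(counter, int):
                raise ValueError("wrong field types")
        except (AttributeError, KeyError, TypeError, ValueError):
            return "rejected: malformed"
        key = self.keys.get(device_id)
        if key is None:
            return "rejected: unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison, so timing does not leak how much of the tag matched.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if counter <= self.last_counter.get(device_id, -1):
            return "rejected: replay"
        self.last_counter[device_id] = counter
        return "accepted"
```

The counter check matters as much as the tag: without it, a captured genuine message could be sent again later and would still verify.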
DATA TRANSFER
Since your device is transferring data to a cloud solution, it's essential to ensure this transfer is secure. You can use encryption techniques like TLS, a protocol for encrypting data. If you're working with a third party that's transferring your data across the internet, ask yourself: Are they able to provide solid documentation of this transfer? How is the device getting its data? How is it handling keys?
THE CLOUD SOLUTION
Also, take a look at where your data is going. Is it going to a database? Is it encrypted?
Make sure your solution is secure. How you do that is related to what your real threats are and what their consequences are. This information will help you to know where to focus your efforts. In addition, document the whole process and be transparent with the entire organization.
CREATE A SECURITY-FOCUSED CULTURE
Security is a big, scary subject. We tend to look at security as something only experts can do.
Yet, security is essential whether you buy or build your solutions. Most of all, create a culture where you can openly discuss security. Make it a safe place to address security issues. For instance, how about hosting weekly meetings to discuss security breaches that you've seen in other companies, that have happened to you or you think might happen? What about discussing simple things such as transferring money to your bank? How do you know that's secure?
The worst scenario would be security people finger-pointing and shouting at someone when they're doing something wrong. You want to avoid scaring your colleagues and making them afraid to bring up security breaches.
BUILDING YOUR OWN IOT SOLUTION
If you're building your own solution, you need to focus on different areas. Let's imagine you are building the Super Duper IIoT solution. You want to know you're doing it securely. You need to look through the whole process, understanding the phases from design to development to testing to deployment to operations. Each of these stages is different and has different levels of security.
In the design and development phase, you'll start your threat modeling. Focus on creating a security-focused culture that lasts into the testing phase. In your testing phase, you can do penetration testing (yourself or through a third party) or protocol fuzzing (sending malformed or unexpected protocol messages to see how the system responds). When you get to deployment and operations, do network analysis. Investigate whether anything weird is happening across your network. Also, be aware of your deployment routines: when deploying new patches, how do you ensure you're not shipping hidden things, and that the patches themselves are nice and secure?
CONCLUSION
As mentioned, the way you achieve a secure IIoT solution depends on your situation. Are you buying or building your own solution? Do you have an IT organization within your company, or are you using a third party? Do the job, use different techniques, be transparent and create a security-focused culture.
If you need help or support with your IIoT security, reach out. We're here for you.