Industrial IoT Security Concerns Grow
Networked industrial systems are increasingly critical for conducting business in the digital age. But “always on” and “always connected” also translate into “always at risk.” As the industrial IoT (IIoT) takes shape, locking down data and systems ranging from networks and communications to clouds and devices is a significant challenge.
A newly released analysis from cybersecurity firm Forcepoint snaps the issue into clear focus. The 2019 Forcepoint Cybersecurity Predictions Report notes that while attacks on consumer devices are prevalent and growing, “the possibility of disruption in manufacturing and similar industries makes the threat all the more serious.”
Risk vectors include conventional malware and familiar man-in-the-middle attacks. But Forcepoint sees a new and more insidious danger emerging: direct attacks on the IoT infrastructure. “This target is more desirable for an attacker—access to the underlying systems of these multi-tenanted, multi-customer environments represents a much bigger payday,” the report notes.
Making matters worse, the growing use of clouds to support IoT and IIoT adds to the challenge. “Many cloud service providers managing these industrial IoT devices find it really difficult to patch and update these systems,” explains Carl Leonard, principal security analyst for Forcepoint. As a result, “The attackers are going to begin targeting the underlying infrastructure that these devices use.” Leonard notes that the IIoT introduces a new problem for industrial players: It’s possible to attack many devices through a single infrastructure provider.
According to the Forcepoint study, 81 percent of respondents describe the IoT in their Industrial Control Systems (ICS) as an important security issue for their organization. In addition, 76 percent call themselves concerned about the security of IIoT devices or infrastructure either within the company or across a supply chain. The threat extends across all industries and affects companies of every size and shape.
A separate study conducted by IIoT and industrial control system security firm CyberX examined more than 850 production ICS and SCADA networks across six continents. “The data clearly shows that industrial control systems continue to be soft targets for adversaries,” the report states.
The takeaway for integrators, MSPs, and others that package IIoT technologies and systems? Security must be embedded in basic business and technology solutions. Increasingly, vulnerabilities bypass software and firmware layers to leverage processor hardware exploits. The Forcepoint report points out that attackers rely on low-privilege programs to tap into critical data, including private files and passwords.
What’s more, the stakes are growing. In 2018, Spectre and Meltdown, hardware vulnerabilities in the speculative execution capabilities of modern processors, appeared. Forcepoint notes that almost all CPUs introduced from 1995 on may be vulnerable. “Organizations will need to move from visibility to control where the IT and OT networks converge to protect against these deliberate, targeted attacks on IIoT systems,” the report states.
Ultimately, IoT integrators can deliver greater value to clients by focusing on a few key factors. In particular, fully understanding a device’s operational requirements and capabilities, identifying its footprint and touchpoints across a supply chain, and thinking about security from a data-first perspective are all critical. The IoT and IIoT radically alter the flow of data. Any and all IoT and IIoT solutions must reflect this.
Samuel Greengard is a business and technology writer based in West Linn, Ore. He is the author of The Internet of Things (MIT Press, 2015).