IIoT security challenges: Dealing with cutting edge technologies
Dr. Jesus Molina is the Director of Business Development at Waterfall Security Solutions, and in this interview with Help Net Security he talks about the security issues related to emerging technologies.
What is the rate of adoption of the Industrial Internet of Things (IIoT)? What industries are ahead of the curve when it comes to cutting-edge technologies?
There is no question that IIoT has hit a lull in the hype cycle. Industrial vendors in several sectors have created projects connecting IoT devices to cloud systems in a way that provided marketing materials and news, but little more. To truly embrace the IIoT requires a long-term vision not solely focused on short-term gains, a vision that creates a path to connect and make use of edge/OT systems that is scalable and goes beyond conventional IT thinking.
Vendors and owner/operators in verticals such as automotive and energy have adopted sensible long-term projects. Entities in manufacturing and rail, though, generally started with small IoT sensing projects that provided enough functionality to show some dashboards, but in the end did not deliver scalability.
IIoT enables companies to become more flexible and enhance their intralogistics operations. What are some of the most overlooked aspects of IIoT security that IT professionals should be paying attention to?
No one with physical reliability and safety considerations front of mind will write a blank check when it comes to connecting devices on operations networks to cloud or IT networks. A critical rail network or airport operation, for example, will only agree to add an IoT gateway after careful consideration of physical safety, operations reliability and other risks.
IT professionals think of heavy data exchange as a good thing; OT people rightfully think that large amounts of data coming into their systems is a serious threat. IT practitioners generally regard theft of data or a lawsuit as the worst outcome of a cyber hack; the worst-case scenario for OT people is generally not a data compromise but losing control of physical operations, or, worse, incorrect control of such operations. Disciplined control of incoming data is paramount to correct, continuous and efficient physical operations, and such discipline of data is often overlooked.
What advice would you give to a newly appointed CISO of an organization that aims to take maximum advantage of smart manufacturing? What digital transformation pitfalls can be avoided with proper planning and security considerations from the get-go?
My advice is to “unlock” data at the edge for use in IT decision making in a way that is scalable and does not alter manufacturing processes. Smart manufacturing requires a rethinking of most manufacturing networks, which are too often “spaghetti networks,” full of devices and computers with specific functions in the plant but whose internal data flows have never been properly evaluated within the framework of a strong security policy. A common pitfall is to attempt to connect some devices or networks in a plant out to a cloud using an all-purpose IoT gateway, without a sensible connectivity policy. This becomes a nightmare in the long term.
A better way to approach smart manufacturing is to evaluate what data is being produced by our manufacturing devices, understand the value of this data and decide where and how it should be aggregated, stored and managed. We can then start sending information from selected data aggregators, such as historians or OPC servers, out to external IT and cloud destinations. This unlocks the data, providing essential visibility into operations and enabling the enterprise to use the data and profit from it.
With this data flow analysis and design in hand, we can start scaling and adding data sources, without requiring direct interaction between OT systems and IT/cloud infrastructure. Unidirectional gateways are a good example of a kind of product that can be used to enable effective cloud analytics, by selecting operations data sources to send to IT and cloud systems without risk of OT network compromise.
Large organizations working with complex systems require an infrastructure with distributed cloud capabilities and edge computing. What are the main advantages and security challenges of modern edge computing architectures?
In the cloud, mechanisms such as virtualization and orchestration, coupled with improved endpoint security, have helped to protect data centers and to create novel security architectures. A serious challenge, however, arises when detailed results of central/cloud analysis must be communicated back to edge devices and acted on by those devices. Guaranteeing the integrity of large, complex data sets moving back into sensitive operations networks from external analysis engines is very difficult. This is true even when edge devices are protected by strong endpoint protection technologies and data flows are heavily encrypted. Such protections are unable to address the threat of complex, compromised data sets.
Edge computing alleviates this problem by distributing analytics computations closer to or within edge devices, reducing or eliminating the need for large or complex data sets, whose integrity is difficult to validate, to be sent back into sensitive operations networks.
In “The Mobile Economy 2019” report, GSMA notes that 5G is now a reality. In fact, 18 major countries will have launched 5G networks by the end of 2019. How will the global adoption of 5G technologies impact IIoT deployments and security in the near future?
I believe that 5G networks will revolutionize the IoT and IIoT. At the Industrial Internet Consortium, I have the pleasure of working with 5G experts as we draft the document Communications and Connectivity Security Best Practices. The new 5G radios are designed to cover many use cases, one of which is reliable, low latency communications, ideal for IoT devices.
From the security perspective, 5G adds important new functionality such as the addition of EAP authentication that allows non-SIM based credentials, such as certificates, to be used.
This means that 5G networks will allow for the expansion of connectivity for many kinds of IoT devices in ways we have never imagined. However, this ease of connectivity also adds complexity from the perspective of creating a sensible security policy. More than ever, an understanding of control-critical security perimeters will be required. “No wires” does not mean “no perimeters” – wirelessly connecting devices in control-critical zones to non-critical zones is and will always be a bad idea.
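The connectivity policy described in the smart manufacturing answer (publish only from selected aggregators such as historians or OPC servers, outward toward IT and cloud, never directly from plant devices) and the perimeter point made here ("no wires" does not mean "no perimeters") can be expressed as a small zone-based flow check. The following is an added illustration, not code from Waterfall Security Solutions or from the interview; the zone names, the approved aggregator names and the sample flows are all constructed for the example. The verdict deliberately ignores whether a link is wired or wireless, because the zone boundary, not the transport, is what decides.

```python
"""Zone-based OT/IT connectivity policy check (constructed example).

Rules modelled from the interview's advice:
  1. Data moves outward only: a flow into a more control-critical zone is denied.
  2. Control-zone devices publish only to an aggregator in the plant DMZ,
     never directly to IT or cloud.
  3. Only explicitly approved aggregators may publish out of the DMZ.
  4. The link type (wired/wireless) never changes the verdict.
"""
from dataclasses import dataclass

# Lower level = more control-critical. Zone names are an assumption for the example.
ZONE_LEVEL = {"control": 0, "dmz": 1, "it": 2, "cloud": 3}
EXTERNAL_ZONES = {"it", "cloud"}

# Hypothetical aggregators (historian, OPC server) approved to publish outward.
APPROVED_AGGREGATORS = {"plant-historian-01", "opc-ua-server-02"}


@dataclass(frozen=True)
class Flow:
    """One proposed data flow between two hosts in named zones."""
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    link: str = "wired"  # "wired" or "wireless"; intentionally not consulted


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a single flow under the policy above."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return False, "unknown zone"
    src_level = ZONE_LEVEL[flow.src_zone]
    dst_level = ZONE_LEVEL[flow.dst_zone]
    # Rule 1: nothing flows into a more critical zone, whatever the link type.
    if dst_level < src_level:
        return False, f"inbound flow into more critical zone {flow.dst_zone!r} denied"
    # Rule 2: plant devices never talk straight to IT/cloud.
    if flow.src_zone == "control" and flow.dst_zone in EXTERNAL_ZONES:
        return False, "control devices publish only to a DMZ aggregator, never directly outward"
    # Rule 3: only designated aggregators leave the DMZ.
    if flow.src_zone == "dmz" and flow.dst_zone in EXTERNAL_ZONES \
            and flow.src not in APPROVED_AGGREGATORS:
        return False, f"{flow.src!r} is not an approved aggregator"
    return True, "allowed: outward flow from a permitted source"


def audit(flows: list[Flow]) -> dict[str, tuple[bool, str]]:
    """Evaluate a list of proposed flows, keyed by 'src->dst'."""
    return {f"{f.src}->{f.dst}": evaluate(f) for f in flows}


# Constructed sample of proposed flows for a plant-to-cloud project.
SAMPLE_FLOWS = [
    Flow("plc-07", "control", "plant-historian-01", "dmz"),
    Flow("plant-historian-01", "dmz", "cloud-analytics", "cloud"),
    Flow("eng-workstation", "dmz", "cloud-analytics", "cloud"),
    Flow("plc-07", "control", "cloud-analytics", "cloud"),
    Flow("cloud-analytics", "cloud", "plc-07", "control"),
    Flow("plc-07", "control", "erp-server", "it", link="wireless"),
]

if __name__ == "__main__":
    for name, (allowed, reason) in audit(SAMPLE_FLOWS).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:40} {reason}")
```

Running the script prints one verdict per sample flow; only the PLC-to-historian hop and the historian-to-cloud hop are allowed, and the wireless PLC-to-ERP flow is denied for the same reason a wired one would be.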