With the acceleration of digital transformation and convergence of IT and operational technology (OT) networks, Internet of Things (IoT) and Industrial IoT (IIoT) devices are becoming essential tools for companies in sectors including oil and gas, energy, utilities, manufacturing, pharmaceuticals, and food and beverage. Whether optimizing individual processes or entire factories and other critical infrastructure ecosystems, these devices are helping drive production efficiencies and improve reliability, responsiveness, quality, and delivery.
However, as companies introduce more IIoT devices that typically are not designed with security in mind, they also introduce risk to their environments. Nearly four years ago, NotPetya impacted a wide swath of multinational corporations in sectors including healthcare, energy, and transportation, bringing operations for many to a standstill and causing an estimated $10 billion in damages. Over the years, we’ve seen examples of how hackers can compromise connected cars to tamper with critical systems, such as the engine and brakes. And, recently, we narrowly avoided an attack aimed at contaminating a water supply in Florida.
It isn’t a big leap to imagine scenarios like threat actors disrupting production at the top pharmaceutical companies to create shortages or tampering with the quality of products made by food and beverage companies. Some of the latest threats to critical infrastructure include siegeware, where a hacker compromises the systems that every business relies on to run its office infrastructure – lights, elevators, air conditioning and heating, and physical security systems. And GPS spoofing allows attackers to interfere with navigation systems and dupe vehicle operators into going off course. There are many ways adversaries can use connected devices to take bold actions or operate in the background to disrupt our economic well-being and, worse, cause physical harm. And the risk is real.
Gartner refers to the combination of these networks and assets as cyber-physical systems (CPSs) and predicts that the financial impact of attacks on CPSs resulting in fatal casualties will reach over $50 billion by 2023. They note that even without taking the actual value of a human life into the equation, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Adding urgency to address the situation, Gartner expects that by 2024, 75% of CEOs will be personally liable for CPS incidents.
How to Mitigate Risk
To address the rising use and risk associated with IoT devices, the IoT Cybersecurity Improvement Act was officially signed into law on December 4, 2020. Recognizing a lack of uniformity in identifying vulnerabilities and supply chain risk introduced by IoT devices, the Act seeks to replace today’s largely ad hoc approach with standards and guidelines. The Act includes several provisions, but the bottom line is that any IoT device purchased with federal government funds must meet new, minimum security standards – and the deadlines are approaching quickly.
While aimed at government agencies and the vendors and service providers they work with, critical infrastructure companies across all sectors would be wise to take their cues from the new law to enhance and formalize their IoT/IIoT security best practices.
So, where to begin?
Critical infrastructure companies need to be able to identify and track threats from IoT/IIoT devices that cross IT and OT boundaries. But the reality is that OT networks have been a blind spot for IT security professionals for decades. As more legacy OT assets become internet-facing, and industrial companies add more internet-connected devices to their environments to drive automation and modernization, the challenge of mitigating risk will only grow. Due to a lack of visibility and telemetry, OT and IT security teams are often in the dark, unaware of the CPSs already deployed in their environment and of how those systems behave.
Proactive risk management requires being able to examine and address risk from different yet complementary perspectives to bring context to the overall security of an OT environment. Critical to accomplishing that is having a clear understanding of an organization’s asset risk posture and network traffic.
Understanding asset risk posture begins with visibility into industrial control system (ICS) networks and endpoints, and with centralizing IT, OT, IoT, and IIoT asset information without the need for added connectivity. This way, human-machine interfaces (HMIs), historians, and engineering workstations (EWs) can be enriched with information about IT threats and vulnerabilities, improving the security of these assets without impacting productivity or causing downtime.
Contextual security information related to network traffic is also key to identifying and tracking threats that cross the IT/OT boundary. Many attacks that impact OT environments begin on the IT network, so defenders require threat signatures for ICS devices and OT networks in addition to those built for IT systems. Having a technology that secures CPSs, without the need for signature reconfiguration or manual updates, accelerates detection and response.
IIoT devices are quickly becoming a hallmark of modern OT environments and an accelerator of competitive advantage. Let’s learn from insights into risks and costs, and from guidelines put forth in new regulations, to get ahead of the risk IIoT devices can introduce to industrial environments.