Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Why it’s So Hard to Implement IoT Security

Harmonizing Security Across IoT Infrastructures that are Connected to Both Brownfield and Greenfield Systems is Easier Said Than Done

Harmonizing Security Across IoT Infrastructures that are Connected to Both Brownfield and Greenfield Systems is Easier Said Than Done

The Internet of Things (IoT) is integrating the physical world and computer-based systems more and more through a vast network of electronics, software, sensors, actuators and connectivity. According to Statista, the IoT juggernaut is growing nearly 20-percent annually and on track to hit $8.9 trillion by 2020. All the while, a quarter of all IoT remains devoted to industrial settings — the Industrial Internet of Things (IIoT).

Unfortunately, as the new opportunities for innovation, efficiency and convenience multiply, so do the IoT-related vulnerabilities and attack surfaces for malicious actors to exploit. And because cyber attacks take advantage of the weakest link in a chain, organizations can’t just pick and choose which IoT vulnerabilities to address — they have to deal with them all, in real-time. 

The reality is: IoT security is a tough challenge — involving everything from hard to implement standards; hard to reach industrial components; and hard choices on how to integrate security seamlessly around both older “brownfield” and newer “greenfield” IoT systems and equipment.

Lots of Guidance, but Not Enough of it is Practical

IoT and IIoT security challenges range from insecure web and mobile interfaces and network services, to poor encryption, authentication and physical security. Especially in industrial settings, organizations are realizing they must address the entire IoT ecosystem, including: operational technology (OT) running on factory floors; new devices connected to IIoT cloud platforms; IT systems that link to business systems; new devices and sensors, and everything in between. 

Groups like the National Institute of Standards and Technology (NIST) and International Society of Automation (ISA) have tried to help by issuing IoT and IIoT cybersecurity standards  — but such guidelines are complex, difficult to understand and hard to implement because they often lack clear implementation recommendations. Equipment manufacturers and integrators are left to determine how to achieve the appropriate safety, reliability, resilience and privacy for the requisite security levels for their devices. Oftentimes, this means that standards are not put into real-world practice because the perception is that they are too complex.

The Trusted Computing Group’s TPM 2.0 standards, for instance, give guidance for embedding a unique secret key into microchips and firmware to help prove the identity of IoT devices, but the technical documentation runs more than 3,000 pages. 

Securing Internet of Things (IoT) DevicesThese challenges have left the industry unprepared for IoT-focused attacks. In fact, a recent survey found that 97 percent of respondents believe unsecured IoT devices represent a significant risk for their organizations.  

The Industrial IoT is Especially Mission Critical — and Even Harder to Secure

From Stuxnet in 2010, all the way to expanded Triton-style attacks of 2018, industrial systems have become prime targets — a fact that’s particularly troubling and consequential. While a data breach at Target or Equifax can be devastating and compromise the privacy and finances of millions of customers, a cyber attack on critical infrastructure can cause incalculable damage, operational breakdowns and even the loss of life. 

Consider accidents like 1979’s Three Mile Island nuclear meltdown and the 2010 BP Deepwater Horizon Oil Spill; they may have both been accidents, but the control system breakdowns involved are the same kind that could easily be caused by a well-executed cyber attack. In fact, a purported 2014 hack at a German steel mill sabotaged a blast furnace — causing it to malfunction and create significant damage to the facility. 

Keep in mind that, for refineries and some other complex industrial operations, emergency shutdowns can take a year or more to recover from. This means lost revenue, damaged reputations and even the possibility of bankruptcy. 

Unfortunately, IIoT security is especially hard to implement. Many industrial components were built long ago and designed to run continuously. This makes it tough to retrofit systems for security; some industrial control systems have been in place for decades, with maintenance windows as fleeting as four hours every year.  

The Right Approach to IoT Security  

Enterprises are increasingly realizing that, to protect the organization and maintain operations, they must implement security across the entire IoT ecosystem — and especially in industrial settings.  

A top challenge is to overlay security onto “brownfield” problem spaces involving older equipment and legacy systems. At the same time, it’s critical for manufacturers to bake in security from the beginning for new “greenfield” devices that are being developed. 

Harmonizing security across IoT infrastructures that are connected to both brownfield and greenfield systems is easier said than done. On the brownfield side, some systems simply can’t be upgraded — meaning your only choice is to replace the system or find a way to place a secure gateway in front of it. Other brownfield elements may be incrementally upgraded with stronger authentication, more encryption or better web, mobile or physical security. On the greenfield side, security should be incorporated into the design of all the devices and components as early as possible in their development and production cycles. 

Finally, developers should understand that even if a brand new system is stamped secure from the factory, its operational capacity could still be compromised if it’s going into an environment that doesn’t have security across the board.

Implementing Better IoT Security in Your Own Organization

By now, it should be clear that there’s no one-size-fits-all solution that someone can simply buy and turn on with the flip of a switch. Instead, IoT security is something that must be implemented with the right strategies and industry partnerships tailored to your organization and its vulnerabilities. 

Whatever your specific implementation approach may be, it should involve a security stack that can address requirements across a diverse landscape of endpoints. Also, make sure your security solution is powerful enough to enhance security of storage, communications and containerized applications. And ensure any industrial devices meet requirements for US NIST 800-63B AAL3 — the highest level of authentication assurance. 

Most of all, your ability to implement these high levels of security should not be bogged down by reams of complex standards and guidance manuals. The right industry partners can package up that complexity to ensure you’ve got the proper security and compliance in place — without drowning in documentation. Demand comprehensive security from your vendors that is still simple enough to understand and implement.

Developing stronger IoT security has become a primary focus across all organizations —  especially those dealing with critical infrastructure. Whether you’re an equipment manufacturer or service provider, everyone benefits from a better understanding of the existing IoT security landscape, and how to strengthen it. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

IoT Security

Taiwan-based networking and storage solutions provider Synology has informed customers about the availability of patches for several critical vulnerabilities, including flaws likely exploited recently...

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...

IoT Security

Censys finds 30,000 internet-exposed QNAP appliances that are likely affected by a recently disclosed critical code injection vulnerability.