The Internet of Things (IoT) and operational technology (OT) devices behind so many advances in manufacturing are also responsible for creating the largest and fastest growing attack surface within an organization. Sensors, cameras, access control systems, printers, and many other non-IT devices exist to provide business value to the organization. But, as connected devices, they are very attractive to threat actors and easier to breach than other IP-connected systems.
Like traditional IT systems, these devices contain compute, storage, and networking capabilities, which is everything an attacker needs. But most IoT/OT devices cannot run the endpoint agents that traditional IT security tooling depends on, so those controls simply do not cover them. This leaves otherwise "smart" systems especially vulnerable to compromise.
Clearly, new approaches are needed in the form of cybersecurity solutions, corporate governance, and industry compliance requirements. These mounting risks are why manufacturers are facing increased cybersecurity mandates, more expensive and harder to obtain cyber insurance, and more board-level scrutiny—and the stakes are getting higher.
Fortunately, there have been many efforts in recent years to establish guidance and best practices to contain attack surfaces as the threats from IoT/OT rise. Some key concepts and practices can significantly reduce IoT/OT security risks.
It is a best practice to keep IoT/OT devices on their own network segments, separate from the corporate network and from each other. A network access control (NAC) solution reduces risk by restricting the traffic allowed between segments to what the workflow actually needs (for example, permitting a lighting controller to reach the access control system only on the specific port it uses, and nothing else). NAC can also limit the damage from a breached device by quarantining it so it can no longer communicate on the network.
Traditional IT security tools assume a Windows or Linux host that can run a security agent. Most IoT/OT devices cannot: they run proprietary or stripped-down embedded operating systems with limited memory, and vendors often do not permit third-party code on them. Agentless approaches, such as discovering assets by analyzing network traffic, work instead, but they only protect what they can see, so a complete inventory of what needs to be managed is critical. Most agentless discovery products either include vulnerability assessment or integrate with it, which makes the asset inventory the main "pane of glass" for spotting vulnerable devices in need of remediation.
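The two ideas above, passive asset discovery from network traffic and a segmentation policy enforced between device networks, can be shown together in a small script. This is an added example written for this page, not a product's code or anything from the original article. The flow records, the OUI-to-vendor table, the segment ranges, and the allowed-flow policy are all constructed for the demonstration, and the quarantine rules use nftables syntax as an assumed illustration of what a NAC would push.

```python
"""Passive IoT/OT asset discovery from flow records plus a segmentation check.

Added example, not from the original article. The flow records, OUI table,
segments and policy below are constructed assumptions for the demo.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed OUI -> vendor table (first three octets of the MAC). These are
# illustrative values, not a copy of the IEEE registry.
OUI_VENDORS = {
    "00:11:22": "CamCorp",
    "aa:bb:cc": "LightCo",
    "de:ad:be": "DoorSys",
}

# Well-known server ports that identify OT/IoT protocols when seen on the wire.
PORT_PROTOCOLS = {
    554: "RTSP (video)",
    502: "Modbus/TCP",
    47808: "BACnet/IP",
    1883: "MQTT",
}

# Device networks (assumed ranges) and the inter-segment flows the policy permits
# as (src segment, dst segment, dst port). Anything else crossing segments is a violation.
SEGMENTS = {
    "cameras": ip_network("10.10.0.0/24"),
    "lighting": ip_network("10.20.0.0/24"),
    "access-control": ip_network("10.30.0.0/24"),
    "corporate": ip_network("10.0.0.0/24"),
}
ALLOWED_FLOWS = {
    ("lighting", "access-control", 443),  # lighting controller reads door state over HTTPS
    ("corporate", "cameras", 554),        # VMS workstation pulls RTSP from cameras
}

# Constructed flow records: (src_ip, src_mac, dst_ip, dst_mac, dst_port)
SAMPLE_FLOWS = [
    ("10.0.0.9", "f0:0d:00:00:00:01", "10.10.0.5", "00:11:22:33:44:55", 554),    # allowed
    ("10.20.0.7", "aa:bb:cc:00:00:07", "10.30.0.3", "de:ad:be:00:00:03", 443),   # allowed
    ("10.20.0.7", "aa:bb:cc:00:00:07", "10.20.0.1", "aa:bb:cc:00:00:01", 47808), # intra-segment
    ("10.10.0.5", "00:11:22:33:44:55", "10.0.0.9", "f0:0d:00:00:00:01", 445),    # camera probing SMB
]


@dataclass
class Asset:
    ip: str
    mac: str
    vendor: str
    segment: str
    protocols: set = field(default_factory=set)  # protocols this device serves
    peers: set = field(default_factory=set)      # destinations it has talked to


def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def discover(flows):
    """Build an inventory keyed by IP purely from observed traffic (no agents)."""
    inventory = {}

    def asset(ip, mac):
        if ip not in inventory:
            vendor = OUI_VENDORS.get(mac[:8].lower(), "unknown")
            inventory[ip] = Asset(ip=ip, mac=mac, vendor=vendor, segment=segment_of(ip))
        return inventory[ip]

    for src_ip, src_mac, dst_ip, dst_mac, dst_port in flows:
        src, dst = asset(src_ip, src_mac), asset(dst_ip, dst_mac)
        src.peers.add(dst_ip)
        if dst_port in PORT_PROTOCOLS:  # the destination is serving that protocol
            dst.protocols.add(PORT_PROTOCOLS[dst_port])
    return inventory


def check_segmentation(flows):
    """Return inter-segment flows that the policy does not permit."""
    violations = []
    for src_ip, _, dst_ip, _, dst_port in flows:
        src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
        if src_seg == dst_seg:
            continue  # traffic inside one segment is out of scope for this check
        if (src_seg, dst_seg, dst_port) not in ALLOWED_FLOWS:
            violations.append((src_ip, src_seg, dst_ip, dst_seg, dst_port))
    return violations


def quarantine_rules(ip):
    """Rules a NAC might push to isolate a breached device (assumed nftables syntax)."""
    return [
        f"nft add rule inet filter forward ip saddr {ip} drop",
        f"nft add rule inet filter forward ip daddr {ip} drop",
    ]


if __name__ == "__main__":
    for a in discover(SAMPLE_FLOWS).values():
        print(f"{a.ip:10s} {a.segment:15s} {a.vendor:8s} {sorted(a.protocols)}")
    for v in check_segmentation(SAMPLE_FLOWS):
        print("VIOLATION", v, "->", quarantine_rules(v[0]))
```

The camera at 10.10.0.5 is discovered as a CamCorp device serving RTSP, which is its legitimate role; the same device probing SMB on the corporate network is flagged because no policy entry allows cameras to reach corporate, and the script shows the quarantine rules a NAC would apply. In a real deployment the flow records would come from a span port, NetFlow/IPFIX, or the discovery product's sensor rather than a hard-coded list.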
The world of IoT/OT devices is vast, ranging from Nest thermostats and Fitbits to IP cameras and building automation systems, with significant differences among them. Many consumer IoT devices are "loosely coupled," meaning they operate independently of one another and of the applications they feed into (think of a Fitbit). In manufacturing, many IoT/OT devices are "tightly coupled": a workflow involves multiple devices and applications that depend on each other (think of a video surveillance system, where cameras, recorders, and the management software all rely on one another).
Manufacturers need to pay close attention to these dependencies and use automated solutions that understand them. The goal is to ensure that when a device is remediated, through a firmware update for example, it is also returned to its workflow as a fully functioning participant, rather than left updated but disconnected from the applications that depend on it.
IoT/OT devices exist in the enterprise at a much higher scale than IT systems (typically 10x to 20x), spread across a large physical area such as a factory floor, outdoor sites, or a warehouse. Managing cyber hygiene at that scale and distance requires automation. In many cases, manual firmware, password, or certificate management on IoT/OT devices is more than 80 times more expensive than doing the same work automatically.
Manufacturing organizations tend to manage and govern their OT systems within the operations team alone. IoT/OT security, however, is a team effort. For example, procurement should be involved to control the supply chain risks that come with IoT/OT devices. IT security personnel can contribute specialized knowledge on how to secure systems. Other lines of business, such as physical security, facilities, or shipping, should also be part of the dialogue. If your organization does not currently have communication flowing across these teams, it is best to establish it proactively rather than waiting until a disaster strikes, when time is of the essence.
Prioritizing by the business impact of a system being taken offline is a good starting point for understanding the consequences of IoT/OT devices being breached. Likewise, prioritizing and remediating the most vulnerable devices first can be the best path to reducing organizational risk. If you are using manual methods to find and fix device vulnerabilities, explore ways to free up those resources through automation.
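The prioritization described above, business impact combined with how exposed each device is, together with the firmware, password, and certificate hygiene checks that need automating at scale, can be expressed as a small ranking routine over an inventory. This is an added example written for this page, not code from the original article or from any product. The inventory rows, the impact and finding weights, the 30-day certificate warning window, and the fixed "today" date are all assumptions chosen for the demonstration.

```python
"""Risk-ranked remediation queue for an IoT/OT inventory.

Added example, not from the original article. The inventory rows, scoring
weights, thresholds and the fixed date below are assumptions for the demo.
"""
from datetime import date

# Business impact if the device goes offline: 3 = line-stopping, 2 = degraded, 1 = nuisance.
IMPACT_WEIGHT = {3: 3.0, 2: 2.0, 1: 1.0}

# Hygiene findings and how much exposure each adds (assumed weights).
FINDING_WEIGHT = {
    "default-credentials": 5,
    "outdated-firmware": 3,
    "certificate-expired": 4,
    "certificate-expiring": 2,
}
CERT_WARN_DAYS = 30  # warn when a device certificate expires within this many days


def parse_version(v):
    """'2.10.3' -> (2, 10, 3) so firmware versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def findings_for(device, today):
    """Return the hygiene problems found on one inventory row."""
    found = []
    if device["default_credentials"]:
        found.append("default-credentials")
    if parse_version(device["firmware"]) < parse_version(device["min_firmware"]):
        found.append("outdated-firmware")
    days_left = (date.fromisoformat(device["cert_expires"]) - today).days
    if days_left < 0:
        found.append("certificate-expired")
    elif days_left <= CERT_WARN_DAYS:
        found.append("certificate-expiring")
    return found


def risk_score(device, today):
    """Impact of losing the device times how exposed it currently is."""
    exposure = sum(FINDING_WEIGHT[f] for f in findings_for(device, today))
    return IMPACT_WEIGHT[device["impact"]] * exposure


def remediation_queue(inventory, today):
    """Devices that need work, highest risk first; ties broken by device id."""
    queue = []
    for device in inventory:
        findings = findings_for(device, today)
        if findings:
            queue.append({"id": device["id"],
                          "score": risk_score(device, today),
                          "findings": findings})
    queue.sort(key=lambda item: (-item["score"], item["id"]))
    return queue


# Constructed inventory rows; in practice these come from the asset discovery tool.
INVENTORY = [
    {"id": "plc-line3-01", "impact": 3, "firmware": "1.4.2", "min_firmware": "1.5.0",
     "default_credentials": True, "cert_expires": "2025-01-15"},
    {"id": "cam-dock-07", "impact": 1, "firmware": "2.0.0", "min_firmware": "2.0.0",
     "default_credentials": True, "cert_expires": "2025-09-01"},
    {"id": "hvac-bldgB", "impact": 2, "firmware": "3.1.0", "min_firmware": "3.0.0",
     "default_credentials": False, "cert_expires": "2024-05-20"},
    {"id": "badge-gate-2", "impact": 2, "firmware": "5.2.1", "min_firmware": "5.2.1",
     "default_credentials": False, "cert_expires": "2025-12-31"},
]
TODAY = date(2024, 6, 1)  # fixed date so the run is reproducible

if __name__ == "__main__":
    for item in remediation_queue(INVENTORY, TODAY):
        print(f"{item['score']:5.1f}  {item['id']:14s} {', '.join(item['findings'])}")
```

With these inputs the line-stopping PLC with default credentials and old firmware ranks first, the HVAC controller whose certificate has already expired ranks second, and the low-impact dock camera with default credentials ranks third; the badge gate has no findings and does not appear. The point is that the same finding (default credentials) lands at very different places in the queue depending on what the device does for the business, which is exactly the ordering a manual spreadsheet tends to lose at scale.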
While IoT/OT devices have become one of the largest (if not the largest) attack surfaces, there are proven ways to reduce the risk and get ahead of cyber criminals. Avoiding or ignoring the threat of bad actors breaching IoT/OT devices is a recipe for disaster: these systems are breached and exploited routinely.
Just think of the explosion in the volume and frequency of distributed denial of service (DDoS) attacks. A DDoS attack floods an online service, network resource, or host with traffic from many sources to make it unavailable to its intended users. Much of that traffic comes from botnets of compromised IoT/OT devices, which attackers favor precisely because these devices receive so little security attention (the Mirai botnet, assembled largely from IP cameras and DVRs still using default credentials, is the best-known example). In addition, consider the cost to your business if ransomware gains a foothold and stops operations for weeks.
Working across organizational boundaries, focusing on automation, and addressing the unique aspects of IoT/OT devices are all actions that will lead to stronger defenses for IoT/OT. These actions will put manufacturers on a security journey that will evolve over time and pay dividends across the organization.