What does built-in IIoT security look like?
What Does Built-in IIoT Security Look Like?
Companies are racing to take advantage of new revenue opportunities, operational efficiencies and cost savings offered by the multitude of IP-connected devices that make up Industrial Internet of Things (IIoT).
According to Gartner, growth in IIoT is projected to reach 3.17 billion devices in 2020. Technology developments in this space are fast outpacing industry standards, earning them an unwelcome reputation for exposing data to risk.
Business spending on cyber security for IoT devices is meant to amount to $134 billion/year by 2022 (Juniper Research). Some industry commentators are now calling for IoT devices to have built-in security.
There are several recommended properties for built-in security. One of the most important is encrypted communications as features in virtual private networks (VPNs).
IIoT Security Challenges
Typical IIoT or machine-to-machine (M2M) products include manufacturing field devices, process sensors for electrical generating plants and real-time location devices for healthcare.
At present, developments in IIoT data protection are failing to keep up with the rate of innovation and demand. Securing the confidentiality and integrity of data passing between all these devices remains a major challenge for many businesses. IT professionals have to familiarize themselves with multiple IIoT designs, often with immature security features, that present clear data breach risks.
According to recent research by Forrester, the top three challenges are IIoT integration, migration/installation risks and privacy concerns. In the study 92% of C-level respondents have implemented security policies for managing IoT devices. Yet less than half (47%) have enough tools in place to enforce those policies.
Undeterred, businesses are continuing to invest in IP-connected devices with 49% of respondents expecting to increase spending on IIoT security this year.
Built-in Security Properties
Today, IIoT devices are already in widespread use, but this is just the tip of the iceberg compared to what the market will become in a few years’ time. Technology advances will bring down costs leading to development of devices of every price and description.
Increased competition will force device manufacturers to start building better security into their products. If manufacturers start sticking to a number of established principles and practices it should be possible to build devices to a more trustworthy standard of security.
Examples of the types of principles and practices in question are:
- In-depth protection: Device software should have multiple defense layers
- Automated security patching: An ability to patch/update IIoT device software automatically in line with prevailing threat developments
- Unique hardware identity: Every device will be assigned a unique identifier inextricably linked to its hardware that marks it out as trustworthy
- Independently tested trusted computing base: Device operating systems and security mechanisms including access control, authorization and authentication, virus protection and data backup are verified according to recognized industry standards
- Compartmentalization: Application of the principles of network security segregation within the device hardware to prevent attacks from spreading
- Software failure alerts: Software failures automatically reported to the manufacturer
- Authentication with certificates: Device authentication should always use certificates rather than passwords
Encryption is Essential
Even when the above properties are built into IIoT devices there is one overriding security measure that tops them all.
Data from M2M systems is especially prized by cyber criminals seeking to intercept intellectual property and personal identifiable information (PII) and trade it for profit. It is therefore essential for all remote connections and monitoring of IIoT devices to be secured with industry-proven encryption technology such as Virtual Private Network (VPN) software.
VPNs can secure the IP-connection of every IIoT device so that data traffic is encrypted as it passes between individual devices and the remote central management point over the Internet.
When combined with remote access controls and certified authentication measures, VPNs form an effective barrier that shields company confidential data from the unwanted attention of unauthorized parties.
In summary, the phenomenal growth in development and adoption of IIoT devices is fast outpacing manufacturers’ ability to make them completely secure. In the next few years we will see more manufacturers building in best-practise security measures into devices.
Already, centrally managed VPN software can provide vital data encryption for the many thousands of remote connection points that make up an IIoT environment. In combination with built-in security features and processes, they provide robust protection for maintaining the privacy and integrity of highly sensitive IIoT data.