By 2020 the IIoT is expected to be a multi-billion dollar market. With massive scale come massive security challenges. Security expert Lancen LaChance shares his enterprise security best practices checklist.
The Internet of Things (IoT) is a term used to describe networked objects. For consumers, "smart devices" can range from watches, to refrigerators, to chairs. For example, in the analogue world, a chair is simply a chair. IoT chairs, however, might be equipped with sensors that report data like posture, weight change over time, time spent sitting, and other metrics. When combined with sophisticated software, these stats provide unique and useful insights.
The Industrial Internet of Things (IIoT) is a broad term that refers to the rapid rise of industrial automation in the past decade and encompasses networked "smart" homes, cities, and electrical grids. "The IIoT holds great potential for improved communications, productivity, quality control, supply chain efficiencies, and overall business operations," said Lancen LaChance, VP of IoT solutions at GlobalSign.
IIoT devices are switched online every day. In 2014 the International Data Corporation (IDC) estimated that the total IoT market could hit $7.1 trillion by 2020 and account for nearly half of all connected devices. Lux Research estimated the Industrial IoT market alone would hit $151 billion by 2020.
Due to rapid growth and lack of standard security protocols, the Industrial Internet of Things is as vulnerable to exploitation and cyberattacks as the consumer IoT. "Many of the attacks in the IoT mirror traditional cyber attacks like man-in-the-middle, denial of sleep, eavesdropping or snooping, or a replay attack," LaChance said.
The Samsung smart fridge, he said, is a great example of a man-in-the-middle IIoT attack. The Samsung exploit allows attackers to launch a man-in-the-middle attack using a linked Gmail account and spoofed SSL certificates. "More devastating could be a scenario where a malicious actor fakes temperature data from a monitoring device in order to force a piece of equipment to overheat, bringing not only financial damage to the organization, but potentially physical harm as well," LaChance explained.
"Some of the most common vulnerabilities we see surround authentication practices," he continued. "There are numerous incidents documented where devices are provisioned with weak, shared, and non-updateable authentication credentials. These types of scenarios lead to easily compromised credentials, which then open up a whole realm of exploits in the solutions."
Industrial IoT attacks could result in significant economic harm, mutilate a company's reputation, and, as was the case with the Flame and Stuxnet worms, damage a nation's defence capabilities. To illuminate the high stakes of large-scale IIoT hacks, GlobalSign tracked the history of IIoT security leaks in a recently published infographic. "In the industrial space it's much more common that the compromise of the system can result in physical harm to the environment or persons involved," LaChance said.
Companies entering the IIoT market must couple adoption of emerging technologies with smart security protocol. "Manufacturers are in a rush to create the newest and coolest IoT devices, and industries are anxious to reap the benefits of real time data the IIoT provides," he said. "But there is often a lag between innovation and security, with security taking a back seat. Security is a key design consideration for smart connected devices, so the onus is on manufacturers to integrate security into their products, not attempt to retrofit it in later."
LaChance shared several tips for implementing and improving Industrial Internet of Things security in the enterprise:
Implement security by design: Build security into your IIoT systems as early as possible, as changes are much easier and more cost effective to make early in the product lifecycle, especially as proper security and privacy features are rarely ever "bolt-on."
Apply information security principles: In regards to building IoT and IIoT products, some of the core information security concepts are authentication (authenticating devices to cloud services, between users and devices, and from thing to thing), encryption (which allows for private communications), and data integrity (to ensure messages can be trusted and have not been altered in transit).
Use proven technologies and standards: Combining secure hardware, like Trusted Platform Modules (TPMs), with Public Key Infrastructure (PKI) enables robust identity assumptions.
Leverage the cloud: The SaaS model allows for high scale certificate deployments without the cost and setup of on-premise hardware.
Don't go it alone: Finding the right security partner is key to realizing the business benefits of the IIoT.
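To make the authentication and data-integrity items in the checklist concrete, here is an added example (not from the article or from GlobalSign) of a collector that rejects altered, forged, or replayed temperature readings. It assumes a unique symmetric key per device and HMAC-SHA256 in place of the PKI certificates the article recommends; the device names, keys, and message layout are constructed, and encryption is out of scope.

```python
import hashlib
import hmac
import json

# Constructed per-device keys (assumption): each device gets a unique key at
# provisioning, never a shared default credential.
DEVICE_KEYS = {
    "sensor-01": bytes.fromhex("11" * 32),
    "sensor-02": bytes.fromhex("22" * 32),
}

def sign_reading(device_id, counter, temp_c, key):
    """Device side: serialize a reading and attach an HMAC-SHA256 tag."""
    body = json.dumps(
        {"device": device_id, "counter": counter, "temp_c": temp_c},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class TelemetryVerifier:
    """Collector side: check origin, integrity and freshness of a reading."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def verify(self, message):
        try:
            body = message["body"].encode()
            fields = json.loads(body)
            device, counter = fields["device"], fields["counter"]
            key = self.keys[device]
        except (KeyError, ValueError, TypeError, AttributeError):
            return "rejected: malformed or unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected, str(message.get("tag", "")).encode()):
            return "rejected: bad tag"
        # A strictly increasing counter makes a captured message unusable later.
        if not isinstance(counter, int) or counter <= self.last_counter.get(device, -1):
            return "rejected: replay"
        self.last_counter[device] = counter
        return "accepted"
```

Because each tag is bound to one device's key, a key extracted from one sensor cannot be used to speak for another.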