Advice on securing the Industrial Internet of Things

Industry and utility companies need to develop new strategies to mitigate and manage cyber risks according to an IBM report, which has set recommendations for securing the Industrial Internet of Things (IIoT).
By Chris Middleton, Vinelake March 25, 2018

Image courtesy: Ilya Pavlov/UnsplashSecurity has been an afterthought for many Internet of Things (IoT) applications, but the Internet of Things cannot simply be left to become the "Internet of Threats," according to an IBM report: "Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies."

Industry and utilities companies need to develop new strategies to mitigate and manage cyber risks, said the enterprise services giant, which has set new recommendations for securing the Industrial Internet of Things (IIoT).

IBM’s Institute for Business Value (IBV) has produced a new report, Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies.

The document says that there is limited awareness of the need for IoT security. "An incomplete understanding of the risks posed by IoT deployments, coupled with a lack of a formal IoT security program, contributes to the gap between IoT adoption and the capabilities in place to secure it," it says.

IT-centric security frameworks and organizational structures are often not adequate to address the reliability and predictability needs of always-on IoT equipment.

While the IIoT represents a market that could add $14 trillion to the global economy by 2030, claims IBM, underlying concerns about the security and vulnerability of sensors and other devices "are justified", says the company.

An IBM/IBV benchmarking study of 700 industrial/utilities IT and operational technology (OT) leaders found that devices and sensors, followed by IoT platforms, are the most vulnerable parts of connected deployments. By 2020, 30 billion devices will be online, generating 600 zettabytes per year, says IBM. By 2035, more than 75 billion IoT devices will be connected.

When security plays catchup

Deploying IoT technologies at a faster pace than they are being secured can "open organizations to dangers greater than negative public sentiment", warns IBM. "For industrial manufacturing, chemical, oil and gas, and utilities, security breaches can lead to large-spread contamination, environmental disasters, and even personal harm."

Operational IT has become a growing target, accounting for 30% of all cyberattacks, continues the report. In the Middle East, for example, 50% of cyberattacks are directed against the oil and gas industry, creating major impacts to safety, productivity, and efficiency.

Despite this, most industrial and utilities organizations are still in the early stages of adopting best practices and protective technologies to mitigate IoT security risks, said IBM. "Only a small percentage have fully implemented operational, technical and cognitive practices, or IoT-specific security technologies," the report added.

As a result, the IoT security capabilities of most organizations "are in their infancy", with cybersecurity risks "still being evaluated and risk assessments performed on an ad hoc basis".

Part of this is down to an ongoing shortage of cybersecurity skills, and the slow emergence of IoT security standards. But what can organizations actually do about the expanding threat landscape?

Actions to take

First, organizations must recognize that IoT security doesn’t exist in a vacuum, says the report. "Procedures must be followed, practices and technologies adopted, and measures taken to meet key performance indicators (KPIs)."

Next, organizations should implement practices that follow an operational excellence model of people, process, and technology to build IoT security capabilities."

Increase employee visibility into IoT security operations, IT, and OT. Makers of next-generation connected devices and services may consider purchasing insurance against software malfunctions and any damage hackers might cause," suggests the report.

"Know when and how to be proactive. To prepare an effective response to cyberattacks, carry out breach simulations, regular field and plant situational awareness, and engage in security operation center monitoring."

Technologies to deploy

The IBV benchmarking study gauges the use of a number of technology solutions for delivering IoT security. These include:

  • Encryption to protect against attacks that could compromise sensitive information and lead to the destruction of property and equipment, or create personal safety issues.
  • Network security and device authentication, to secure deployments between IoT devices, edge equipment, and back-end systems and applications.
  • Security analytics, to identify potential IoT attacks and intrusions that may have bypassed traditional security controls.
  • Identity and access management, which can help enterprises and service providers manage and secure relationships between identities and IoT devices.

These are all excellent approaches, said IBM, but the overwhelming need is to look at IoT security as a strategic business issue, and not as a technology problem demanding point solutions.

Chris Middleton is the editor of Internet of Business (IoB). Internet of Business is a CFE Media content partner. This article originally appeared here. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See additional stories about the IIoT linked below.