Six best practices for implementing and securing IIoT products

The practice of “securing by design” can help companies protect against potential cyber attacks on Industrial Internet of Things (IIoT) products.

By Jalal Bouhdada, Applied Risk June 9, 2018

The benefits of IIoT technology are undeniable. Business value is extracted from a myriad of connected sensors and devices via cloud computing, analytics, and artificial intelligence (AI) within industrial processes. While chasing the potential benefits of IIoT technology, the challenges of the consequences of digitization have become apparent.

From the personal damage of data harvested illicitly from social media networks to large-scale damage caused by ransomware attacks on industry and governments, it is clear the benefits of the fourth industrial revolution cannot be reaped without accepting cyber risks. Companies must reduce these risks. by following the idea of "securing by design." 

IIoT device risk

Many IIoT devices used industrial environments such as water, oil, gas, chemical, and manufacturing plants have been deployed with multiple security weaknesses and vulnerabilities.

The even more serious consequence of increased IIoT deployments is the blurring of boundaries between operational technology (OT), which controls the physical hardware of an industrial enterprise, and information technology (IT).

This is a result of the desire to improve remote monitoring and data gathering from industrial control systems (ICS) and OT. However, providing network access to these systems has led to an increasing number of instances in which systems designed for monitoring, control, and safety of infrastructure have become exposed to Internet-based attacks designed to disrupt critical infrastructure within industrial processes for commercial or political gain. 

Securing the IIoT

Though the merging of OT and IT is inevitable, industrial facilities can and should, however, take steps to mitigate the risks of using IIoT products. Adopting industry best practices will reduce these risks.

Follow this six-point checklist for basic security when implementing IIoT products. These items need to be considered at the start of the planning process to help identify and counter potential IIoT threats: 

1. Secure interfaces: Insecure interfaces can result in data manipulation, loss, or corruption; lack of accountability; denial of access; or complete device takeover.

2. Update software and firmware regularly: It is crucial IIoT devices perform updates regularly to protect against the latest threats, and that cryptographic checks are implemented to ensure updates come from a trusted source. 

3. Control access: Strong passwords, the protection of credentials, and separation of roles must be ensured to prevent compromising a device or a user account. 

4. Secure the network: Only necessary ports should be available and exposed. Insecure network services may be susceptible to a variety of attacks, including denial of service (DoS), which renders a device inaccessible. 

5. Eliminate backdoors: No IIoT device should have undocumented backdoors or hidden functions that an attacker could exploit.

6. Configure for security: Attackers often exploit a lack of granular permissions to access data or controls. Security hardening, encryption of data in transit, and logging security events can counter this risk.

These six points, combined with strict lifecycle management regimes and regular, constant testing can give firms the security, safety, reliability, resilience, and privacy controls needed to deploy IIoT solutions effectively. Manufacturers, end users, and integrators must adopt a "secure by design" mindset that anticipates and mitigates potential threats at every stage of an IIoT product’s lifecycle.

Overlooking any of the six points on the checklist can leave an IIoT solution at risk of being exploited, as well as put other systems at risk.

Jalal Bouhdada is founder and principal ICS security consultant at Applied Risk. This article originally appeared on, a CFE Media content partner. Edited by Chris Vavra, production editor, Control Engineering, CFE Media,


Keywords: IIoT, cybersecurity

Manufacturers and end users should focus on securing Industrial Internet of Things (IIoT) products.

Best practices include software and firmware integrity and no security loopholes in an IIoT device.

Strict lifecycle management regimes and constant testing are needed.

Consider this

What additional best practices can help ensure IIoT security on the plant floor?

Original content can be found at