Industrial IoT, Security, and Privileged Access Management
The convergence of operational technology (OT) and information technology (IT) has propelled “Industry 4.0” into the spotlight as the next wave of the industrial revolution. The Industrial Internet of Things (IIoT) brings IT and OT together in industries such as manufacturing, logistics, smart buildings, utilities, and critical infrastructure.
Companies that get IIoT right will have a distinct competitive advantage. Automation saves resources and provides agility to develop new products and business models. Intelligent technology for predictive maintenance, energy savings, and production has the potential to change how even the most “old-school” industries operate.
It also increases risk.
More than half of industrial facilities have experienced some form of a cybersecurity incident, resulting in downtime of factories, power outages, and even risk to national security. In one of the most high-profile incidents, the Ukrainian energy sector was hit by a cyberattack that caused a power outage for more than 86,000 homes.
Malware such as NotPetya, Industroyer, and Triton specifically target industrial controls and operational technology used in critical infrastructure.
In this short video Joseph Carson talks about IoT risk assessment and calls for a redefinition of IoT to achieve clarity from a security perspective:
The industrial sector faces unique challenges for cybersecurity leaders.
Industrial organizations tend to have legacy and custom software. Often, these systems were never meant to be connected and weren’t built with secure architecture. Many legacy systems lack the granular functionality required to enable traditional firewalls to block cyberattacks. Retrofitting them is difficult as organizations can’t afford the downtime of taking them offline.
At the same time as industrial organizations are adopting IoT, they are also moving rapidly to the cloud. For example, Supervisory Control and Data Acquisition (SCADA) systems have existed for three decades as the de facto method for providing operator interface functionality, logging, and reporting. The current push to move these systems to the cloud eliminates the expense and problems of the hardware layer, but it can increase cybersecurity concerns, especially for companies not used to managing cloud security controls.
Increasing automation of industrial control functions expands the attack surface with more access points. Access points may be used by remote employees, contractors, customers, and the vendors of control systems and third-party equipment and software. Lack of central oversight and control can lead to misuse, both accidental and intentional.
Many industrial organizations are still operating with an outdated management model—with siloed operations and IT teams—even as the technology converges. Only 9% of CISOs in industrial organizations currently oversee OT cybersecurity as well. When you consider the variety of systems and privileged users involved in operations, it’s clear that security leadership must play a larger role.
How do you prioritize your IIoT cybersecurity strategy?
Compliance requirements from NIST in the U.S. and NIS in Europe provide a framework for IoT security, but they don’t tell you how to achieve it. The security market is congested with vendors targeting the industrial market with different solutions (monitoring, SOCs, encryption, etc.). Where do you focus first?
First, consider your risk profile. Assess the types of devices you have and the data they gather or help process. How could that data be used against you? Could the device itself be used to attack the network? Does it give an attacker an entry point into the network?
Once you evaluate your systems, do all you can to protect the #1 attack vector: privileged accounts.
Gartner recommends application control for OT endpoints: limit the activities of OT-based endpoints to essential tasks. Compared with IT endpoints like servers, operational endpoints are usually required to fulfill much more focused tasks supporting a limited number of functions, processes, and applications. Following the principle of least privilege, restrict operational endpoints to the tasks they are deployed for and to the applications required for those tasks.
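The application-control idea above can be checked mechanically: each endpoint role gets an allowlist of the executables it is deployed to run, and any process start outside that list is flagged for the OT security team. The following script is an added example written for this article, not code from the article's author or from Gartner; the endpoint roles, allowlists, and process-start log lines are all constructed for illustration, and the pipe-separated log format is an assumption.

```python
"""Application-control (allowlist) check for OT endpoints.

Added example, not part of the original article. Each endpoint role has an
allowlist of executables it is deployed to run; a process start outside the
allowlist, or on an endpoint with no policy at all, is reported as a violation.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlists: the executables each endpoint role may run.
ALLOWLIST = {
    "hmi-workstation": {
        r"C:\Program Files\ScadaVendor\hmi.exe",
        r"C:\Windows\System32\svchost.exe",
    },
    "historian": {
        "/opt/historian/bin/historiand",
        "/usr/sbin/sshd",
    },
}

# Constructed process-start records in an assumed "key=value|key=value" format.
SAMPLE_LOG = [
    r"endpoint=HMI-01|role=hmi-workstation|image=C:\Program Files\ScadaVendor\hmi.exe|user=operator",
    r"endpoint=HMI-01|role=hmi-workstation|image=C:\Users\operator\Downloads\update.exe|user=operator",
    "endpoint=HIST-02|role=historian|image=/usr/sbin/sshd|user=root",
    "endpoint=HIST-02|role=historian|image=/tmp/unknown-binary|user=svc_backup",
    "endpoint=PLC-GW-07|role=plc-gateway|image=/usr/bin/python3|user=root",
]


@dataclass(frozen=True)
class ProcessEvent:
    endpoint: str
    role: str
    image: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed process-start record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["endpoint"], fields["role"], fields["image"], fields["user"])


def canonical(path: str) -> str:
    """Windows paths (drive letter prefix) are case-insensitive; Unix paths are not."""
    return path.lower() if len(path) > 1 and path[1] == ":" else path


def check_event(ev: ProcessEvent) -> Optional[str]:
    """Return a violation message, or None if the process start is allowed."""
    if ev.role not in ALLOWLIST:
        return f"{ev.endpoint}: no application-control policy for role '{ev.role}'"
    allowed = {canonical(p) for p in ALLOWLIST[ev.role]}
    if canonical(ev.image) not in allowed:
        return f"{ev.endpoint}: '{ev.image}' started by {ev.user} is not in the {ev.role} allowlist"
    return None


def audit(lines: List[str]) -> List[str]:
    """Run every record through the allowlist and collect the violations."""
    return [v for v in (check_event(parse_event(line)) for line in lines) if v]


if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print(violation)
```

The "no policy for role" branch matters as much as the allowlist miss: an OT endpoint that nobody has written a policy for is exactly the one that ends up running whatever a contractor or vendor tool drops on it, so it should surface as a finding rather than pass silently.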
Privileged Access Management gives operational security managers visibility and control over all types of privileged accounts and credentials. PAM solutions govern authentication and authorization for privileged users, including service accounts that connect applications, databases, and other systems in an industrial environment without human intervention. With an immutable audit log, session control, and reporting, PAM gives you the ability to track every activity conducted by every type of privileged account.
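Two of the PAM capabilities named above, governing which privileged or service accounts may reach which systems and keeping an immutable audit log of every decision, can be shown in a small, self-contained form. The script below is an added example, not code from the article or from any PAM product: it records each session request as an entry in a SHA-256 hash chain, so that editing or deleting any entry is detected on verification. The account names, target systems, and entitlements are constructed for illustration.

```python
"""Tamper-evident audit log for privileged session requests.

Added example, not part of the original article or any PAM vendor's product.
Every record embeds the hash of the previous record; verify() walks the chain
and reports the first record whose position, predecessor link, or content no
longer matches what was originally written.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # predecessor hash for the first record

# Constructed entitlements: which privileged accounts may open sessions where.
ENTITLEMENTS = {
    "svc_historian": {"historian-db"},  # service account, no human behind it
    "contractor_jdoe": {"hmi-01"},      # vendor engineer, scoped to one host
}


def authorize(account: str, target: str) -> bool:
    """Allow a session only if the account is explicitly entitled to the target."""
    return target in ENTITLEMENTS.get(account, set())


def _digest(body: Dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(chain: List[Dict], event: Dict) -> Dict:
    """Append an event, binding it to its position and to the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {**event, "seq": len(chain), "prev": prev}
    record = {**body, "hash": _digest(body)}
    chain.append(record)
    return record


def verify(chain: List[Dict]) -> Optional[int]:
    """Return the index of the first bad record, or None if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(body):
            return i
        prev = rec["hash"]
    return None


def record_session_request(chain: List[Dict], account: str, target: str, action: str) -> str:
    """Authorize a privileged session request and log the decision either way."""
    decision = "allow" if authorize(account, target) else "deny"
    append(chain, {"account": account, "target": target, "action": action, "decision": decision})
    return decision


def demo() -> Optional[int]:
    """Build a short log, then tamper with a denial and show verify() catching it."""
    chain: List[Dict] = []
    record_session_request(chain, "svc_historian", "historian-db", "open-session")
    record_session_request(chain, "contractor_jdoe", "plc-gateway", "open-session")  # denied
    assert verify(chain) is None
    chain[1]["decision"] = "allow"  # constructed tampering: rewrite the denial
    return verify(chain)


if __name__ == "__main__":
    print("first tampered record:", demo())
```

Logging the denials is the point: a denied request from a service account or a contractor outside its entitlement is the early signal of misuse that the article's "lack of central oversight" warning describes, and the hash chain ensures that the record of it cannot be quietly revised after the fact. In practice the chain would be anchored to write-once storage or an external timestamping service so that the whole log cannot be regenerated from scratch.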
It’s critically important to know how cyber criminals target their victims and how you can make it more challenging to steal your information or damage your systems.