Industrial applications across the globe are being transformed by connecting a greater number and wider range of 'things', which creates tremendous opportunities to innovate and drive out inefficiency (an estimated $3.88 Trillion value at stake over the next 10 years). However, there are some important security questions to answer as your organization creates an Internet of Things strategy:
What criteria should be considered in deciding whether a device is a candidate for IoT?
There is no debating that more and more “things” are being embedded with smart sensors and gaining the ability to communicate. These “things” become the tools we will use to better understand complex processes; they can help create smarter machines, and these intelligent machines can then be better controlled, thereby increasing efficiency. All these “things” are linked through wired and wireless networks using the same network technology as the internet, so securing the architecture from attacks, data authentication and access control become increasingly important. Simply put, though: what is the value of having it on the network? Just because you can connect something doesn’t mean you should. If the value of connecting is greater than the risk, then it is a likely candidate. If you do decide to put it on the network, make sure it uses standard Ethernet IP technology and conforms to standards and best practices. This helps ensure that data is delivered in a consistent manner and that there are levels of security technologies that can be leveraged.
What must one do to ensure that control systems are protected from IoT communications?
Do your homework and put a proper plan in place that addresses not only your needs today but also the future, as more and more devices start to be connected (estimated to be 20B by 2020). We have all seen or been in those nasty traffic jams caused by a rising population in an area where the roads didn’t change. That is what your network can look like without careful planning. It is important to realize that no one product, technology or methodology can fully secure industrial applications. It takes a Defense in Depth approach to address both internal and external threats. This approach uses multiple layers of security, including Physical, Policy and Technology. As an example, ensure all unused ports are locked either programmatically or physically using lock-out connectors, put your controller into “run mode”, and use passwords; these are things that can be done today. Put policies in place to control human interaction with your systems, whether internal or external, on-site or in remote operations. Authenticate who is on your network, Authorize what they can do, and then Account for what they are doing on your network. Use best practices for segmenting your networks. Establish domains of trust, and leverage network infrastructure technologies like VLANs, VPNs, firewalls, ACLs and passwords to limit who and what has access on your network. Segmenting your network into smaller VLANs also makes it easier to maintain and provides a level of isolation; for example, it avoids taking your entire network out due to a problem on one machine line (VLAN). With the Internet of Things comes great opportunity, though not without challenges. Remember that you don’t have to do it alone; there is help out there for you, like the Industrial IP Advantage.
How are IoT and ICS cyber security different? Can they/should they be managed separately?
There is not a major difference. A good cyber security plan includes PREVENTION (setting policies and procedures to reduce risks) and RESOLUTION (if there is a security breach, how do you remedy that threat?). This is fundamentally the same for ICS, and in fact may be even more important, as downtime of operations can be very costly to the company. To truly gain the advantages and opportunities the Internet of Things promises, you need to accept the convergence of IT and OT network infrastructures. This does, however, allow you to manage the entire network using the same technologies and personnel, helping to reduce assets and training: 1 staff instead of 2, 1 common objective instead of 2 disparate ones. This is not a simple journey, however; better collaboration between departments, facilities and suppliers will need to happen. We have to remember that many plant networks were never designed to connect with the enterprise, so a comprehensive assessment is probably a good start to developing your strategy and execution plan. Once again, don’t think you have to do this alone; Rockwell Automation has a Network & Security Service business that can assist you along the way.
Who should be responsible for IoT Cyber Security?
Just as there is no one product, technology or methodology to fully secure your control system, there is no one provider either. Each needs to keep security in mind when providing products or solutions for your business, and this should include your entire supply chain. Owners of the networks need to design them using validated designs and best practices, and plan for who, what and when information will be available on the network. ICS providers need to provide control systems that follow global standards and regulatory security requirements, and have common, secure design requirements in their product development. OEMs or equipment builders need to follow best practice designs in their machine networks as well; they need to ensure their machines can be easily integrated into their customers’ operations, meeting the IT security policies as well as the OT performance objectives. This integration also allows the machine builder to drive even more value to their customers. As an example, with the ability to establish secure remote access from anywhere in the world, machine downtime and travel expenses are minimized.
What is the role of standards in managing IoT Cyber Security? Will the world wait for this?
Standards are critical to realizing the promise of the Internet of Things. Without them, these “things” aren’t going to connect in a consistent fashion, meaning more work for everyone. Standards ensure that technologies and methodologies are proven and provide greater interoperability. They help ensure that when these “things” get put on the network, the data gets to where it needs to be, when it needs to be, and gets there securely. The world doesn’t need to wait; there are solution providers out there today that can help you better secure your network with existing products and solutions built on today’s standards. Following these standards today will allow better evolution of your infrastructure: as the standards and technologies evolve, so can your network, avoiding those traffic jams.