Ensure cyber-security is integral to your IIoT solutions

Security needs to be built in from the outset when implementing an IIoT platform if you want to protect valuable data, says Joseph Da Silva, CISO at RS Group

“Anything that is on the internet will be found and will be attacked,” says Joseph Da Silva, Chief Information Security Officer (CISO) at RS Group. “That is unfortunately just a fact of life.”

It’s a fact of life that all internet users need to acknowledge, not least those working in industrial environments where more and more assets are being connected. Ignoring cyber risks or thinking they won’t affect your facility as it’s small or not a household name is not an option. No matter who you are, you are a target, argues Da Silva.

“Criminals are very well-resourced,” he explains. “They realise there is an opportunity to make money from holding an organisation to ransom, threatening to either shut down their factory or steal data.

“But these threats can extend beyond just a single factory being unavailable. If that factory produces, for example, vital foodstuffs or pharmaceuticals, or is a component of a major utility, it can have huge societal ramifications.

“One example is when a regional power grid in Ukraine was attacked in 2015, with the loss of energy supply to more than 230,000 consumers.”

Cyber-security is a business function

Cyber-security within factories may not have been as important ten years ago, when industrial environments were not typically connected to the Internet. With IIoT now effectively streaming data to and from various industrial assets, processes and devices directly via the Internet, it is critical.

Industrial systems are extremely valuable to a business, so their protection must be taken seriously too. Otherwise, according to Da Silva, “It’s borderline negligence.”

Moreover, cyber-security cannot simply be left to an IT team to sort out. The emergence of IIoT has elevated potential risk to the point where industrial network security must be recognised as a key risk area by senior management and organisations must have a clear security strategy in place to protect their industrial environments.

Create a security ecosystem

IIoT implementation expands the overall attack surface of the whole organisation – and thereby increases entry points for potential attackers. As a result, the whole environment of an industrial facility needs to be considered, everything from physical security to electronic security.

“Each physical device, each method of connecting these devices, the gateways used for communication, as well as other interfaces in the environment offers a route into the overall environment,” says Da Silva.

“It really needs to be looked at as an entire ecosystem because, as already established, if it’s on the internet it will be found.”

7 Steps to better security

Da Silva offers the following advice to help ensure your IIoT implementation is as secure as possible.

1. Change defaults

Most IIoT devices, and even most IT software, ship with default passwords. Get these changed immediately to something strong and unique – and don’t use the same password for everything. Furthermore, avoid any equipment with hard-coded passwords; if it’s hard-coded, it’s already known by every hacker out there.

2. Separate networks

Do not put IIoT devices on your corporate network or on the same network you use for operational technology equipment, as this is asking for trouble. Nor should a single device be able to access multiple networks; otherwise it can be used as a ‘bridge’.

3. Disable unnecessary functions

See the television on the wall of your meeting room? It’s probably a smart TV – and no-one has turned off the Bluetooth functionality. Or the microphone. Or the webserver it operates.

Unnecessary functions can be used as a way in, both to the device and the wider network that it sits on. Turn things off programmatically or physically disable them; a pair of pliers or liquid epoxy can permanently disable a USB socket, for example.

4. Stay up to date

Software vulnerabilities are common, but even more common is known fixes not being applied promptly. Ensure firmware and software are regularly updated and have a process to do this, particularly if it involves planning in downtime. You’re not going to be able to take a 24/7 assembly line down, but you should be able to tolerate downtime in condition monitoring sensors.

5. Test, test and test

Hire a penetration tester with industrial equipment and operational technology expertise (not all of them have it). It’s a specialist area that requires specialist knowledge of PLCs and SCADA equipment.

Afterwards, be sure to follow their recommendations. While you may not be able to fix everything, you can make risk-based decisions about what to address, what to mitigate through another route and what to accept.

6. Be clear who’s doing what

Even if you’re buying a supposedly ‘turnkey’ solution, it’s never quite as simple as that, particularly if the service provider is relying on several third parties. Understand where your data is going, who has access to it and how it’s being protected. “It’s in Big Cloud Provider’s data centre so it’s secure” is not a good enough answer.

7. Have a plan for when things go wrong

Run some scenarios and regularly test the system via a simulation or dry run. In the event of a security incident, it needs to be clear who does what and when, so having this information (including templated communication) clearly documented and easily accessible is vital.

Work with trusted partners

When developing its own IIoT solution, RS Industria recognised the importance of security from the outset and its cyber-security team were involved at the earliest opportunity.

“From the very first day, when we came up with the proposition for our end-to-end IIoT platform, we actively considered security at every stage,” confirms Da Silva. “It hasn’t been bolted on as an afterthought.”

“We’ve taken a lot of headaches away for our customers as there’s an awful lot of work that needs to be done to make your IIoT environment secure,” he continues. “We’ve worked with our partners to make sure that all the different scenarios have been considered and all the different ways they can be attacked or compromised.

“And, most importantly, it’s been tested by specialists and continues to be actively tested as we evolve the solution.”

However, RS Industria doesn’t simply hand the system over with the claim it’s completely secure, says Da Silva. A conversation about security takes place that involves the RS Industria team carrying out a risk assessment in conjunction with the customer. This helps to build an understanding of the industrial environment together with the security measures already in place.

4 Reasons why RS Industria is secure by design

1. Secure hardware

Our Edge Gateway has been custom designed to our security specifications. Both the hardware and software layers have been penetration-tested by independent third-party specialists to identify potential security vulnerabilities (details are available).

2. Secure cloud application

The RS Industria application has been secured from both ends: data ingest and user interface.

3. Secure cloud hosting

RS Industria has been developed using AWS (Amazon Web Services) technology and is hosted in Amazon’s Data Centres in Europe. These facilities run much of the internet, are used by hundreds of thousands of leading corporations and have world-class digital and physical security measures in place.

4. Dedicated customer cyber-security team

RS Group has a dedicated cyber-security team, members of which are available to engage directly with RS Industria customers and respond to any security concerns they may have.

“It’s also not just existing customers,” Da Silva points out. “We are also facilitating conversations with organisations that are interested in discussing security and what things they should be considering in their industrial environments.

“We’re very consultative in that regard; it’s not just about selling a product. After all, it’s in all our interests to improve the security of our industrial environments and prevent them from getting hacked.”

To explore the benefits that IIoT can bring to your organisation, read our article about how condition monitoring can drastically reduce costly unplanned downtime

A version of this article originally appeared on RS Industria
