IIoT security: Endpoints most vulnerable aspect

Posted on 24 Jul 2018 by Jonny Williamson

"Disparate and unrealistic" views regarding Industrial Internet of Things (IIoT) security means endpoints are often the most vulnerable aspects, according to a new report, which highlights the need for wide scale cultural change.

The installed base of IIoT devices is forecast to triple from 23.14bn in 2018 to 75.44bn in 2025 – image courtesy of Depositphotos.

IIoT focusses specifically on the industrial application of connected physical devices within critical infrastructures such as electricity, manufacturing, oil and gas, transportation and healthcare.

The installed base of IoT devices is forecast to triple from 23.14 billion devices in 2018 to 75.44 billion in 2025, according to the new SANS IIoT security report.

The research found that most organisations globally are forecasting 10–25% growth in their connected devices, a growth rate which will see the number of IIoT connected devices doubling every three to seven years.

This will ultimately result in increased network complexity as IT and OT become more connected, more demand for bandwidth, and the need for personnel skilled in best security practices related to the design, build and operation of IIoT systems.

Of the more than 200 respondents surveyed, over half reported the most vulnerable aspects of their IIoT infrastructure as data, firmware, embedded systems, or general endpoints.

At the same time, however, the survey reveals an ongoing debate over the definition of an endpoint.

What is an endpoint?

The Industrial Internet Consortium (IIC) Vocabulary defines an endpoint as a “component that has computational capabilities and network connectivity.”

IIoT endpoints support two basic connection types: “Direct – where the [endpoint] can either talk as a client … to whatever remote online application it interfaces with or where it can be seen online as a server; and indirect – where communication to the IIoT is mediated by some method other than IP.”

Surprisingly, the majority (40%) of respondents have fewer than 100 connected devices – though this shouldn’t be construed as having a “small set” of endpoints.

Other concerns around IIoT security include:

  • 32% of IIoT devices connect directly to the internet, bypassing traditional IT security layers.
  • Almost 40% said identifying, tracking and managing devices represented a significant security challenge.
  • Only 40% reported applying and maintaining patches and updates to protect their IIoT devices and systems.
  • 56% cited difficulty in patching as one of the greatest security challenges.

The survey also uncovered a wide gap between the perceptions of IIoT security by OT, IT and management, with only 64% of OT departments claiming to be confident in their ability to secure IIoT infrastructure, compared to 83% of IT departments and 93% of business leaders.

Investing in a cultural change 

The report suggests that companies should invest in their personnel, growing their knowledge and skills to effectively manage risk throughout all phases of the IIoT system life cycle (design, build, operate, maintain).

Better educated employees can have a positive effect by creating improved system designs, product selections and life-cycle management.

These investments and improvements, combined with vigilance and partner collaboration that extends into a company’s supply chain, can also have a material effect on reducing risks often introduced during the procurement, factory-acceptance, installation and site-acceptance processes, as well as service/maintenance activities.

Personnel readiness: a critical factor 

Every new connection expands the attack surface of the IIoT solution and of the other systems with which it interacts. While investments in building staff skills are already recognised as important, ongoing personnel readiness will become a critical factor as threats evolve.

The report also recommends investing in security knowledge, skills and abilities (KSA) that encompass OT-based security demands, to help reduce the risks that are already showing up in today’s IIoT systems as they expand in size and complexity, and being prepared to evolve those skills as the threat landscape changes.

Clear and open lines of communication 

Organisations need a roadmap that can guide stakeholders—users, integrators and vendors, asset owners and operators—in blending together formal definitions, data standards, common protocols, connectivity requirements and best practices to achieve the interoperability needed to have IIoT systems work together securely.

The confusion over what constitutes an endpoint is just one example of why a framework specific to IIoT is needed.

The report recommends establishing clear and open lines of communication within the supply chain to ensure proactive, two-way information exchange relating to matters that can affect risks to IIoT systems.

Another crucial issue for manufacturers is to strengthen their life-cycle management procedures, especially for asset inventory and management, configuration management, and change management to address the complexities of IIoT.

Respondents cited the failure to incorporate good security practices in the IIoT life-cycle models for systems as among the top threats for the next two years.