Improving efficiency and identifying potential savings are just some of the benefits of the Internet of Things (IoT). For example, when machines and plant control systems are connected to a network, their operation can be monitored, the collected data can be stored and analysed, and the findings fed back into the process, which can significantly improve productivity. However, the communication between humans and machines, and between machines themselves, generates huge amounts of highly sensitive data, which must be protected accordingly. In order to minimise security risks while maintaining business continuity, there are a number of key considerations to take into account when selecting appropriate solutions.
Reducing the attack surface using network segmentation
In the past, IT and OT were considered separately, because production was not connected to the Internet and control elements were not based on IT protocols. Today, as the boundaries between IT and OT become increasingly blurred because industrial plants are controlled and monitored digitally, the attack surface is increasing.
Network segmentation separates IT and OT networks so that a compromise in one does not automatically spread to the other. Because both the complexity of networks and the number of devices continue to increase, security requirements, including regulatory compliance, are increasing too. Segmentation raises the level of security and also improves visibility, allowing granular control of the traffic between network areas. It makes it possible to define delimited zones with different security requirements, and to grant access and authorisations per zone rather than to the network as a whole. In order to decide on a suitable approach or solution provider and achieve long-term success, it is advisable to first gain an overview of the existing IT and OT environment, including which devices actually need to communicate with each other, and to take the current security guidelines into account.
Containing the threat with Identity and Access Management
Mobile applications, cloud-based services, M2M systems and the Internet of Things are technologies that make up modern production. Company portals are used to manage these assets and systems, and they are accessed not only by employees, but also by customers, distributors and suppliers, who expect real-time information at any time, from anywhere. Protection against unauthorised access is therefore a top priority. In the Industry 4.0 environment, only authorised users should have access to business-critical systems and data, and preferably only to the resources they need for their work.
Identity and Access Management (IAM) helps prevent data loss and system failures by controlling who can log in and what they may do afterwards. It ensures that every login to company resources is bound to an individual identity rather than to a shared account. Identity management maintains the defined identities with their rights and restrictions and assigns them to roles, groups and policies. Access management, on the other hand, controls users' access to digital data, services and applications according to the rules established by the company. Every access requires authentication (proving the identity) followed by authorisation (checking that this identity is permitted the requested action on the requested resource); neither step replaces the other, and anything not explicitly permitted should be denied.
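To make segmentation and IAM concrete together, here is an added example in Python (not code from the original article): access to a segmented plant network is decided per zone, deny by default, for an identity that has already passed the authentication step. The zone names, role names, permissions table and session lifetime are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: zone and role names are illustrative, not taken from the article.
ZONES = {"enterprise_it", "plant_dmz", "control_network", "safety_network"}

# What each role may do in each zone. Any (role, zone, action) not listed here is denied.
ROLE_PERMISSIONS = {
    "plant_operator":     {"control_network": {"read", "operate"}},
    "maintenance_vendor": {"plant_dmz": {"read"}, "control_network": {"read"}},
    "it_admin":           {"enterprise_it": {"read", "write", "admin"},
                           "plant_dmz": {"read", "write"}},
    "safety_engineer":    {"safety_network": {"read", "configure"}},
}


@dataclass(frozen=True)
class Identity:
    """Result of the login step. Authorisation is only evaluated for a verified identity."""
    user_id: str
    roles: frozenset
    authenticated: bool
    session_expires: float  # epoch seconds; vendor sessions in particular should be short-lived


def authorise(identity, action, zone, now):
    """Deny-by-default access decision. Returns (allowed, reason) so every decision is auditable."""
    if not identity.authenticated:
        return False, "identity not authenticated"
    if now >= identity.session_expires:
        return False, "session expired"
    if zone not in ZONES:
        return False, f"unknown zone {zone!r}"
    for role in sorted(identity.roles):  # sorted so the reason string is deterministic
        if action in ROLE_PERMISSIONS.get(role, {}).get(zone, set()):
            return True, f"role {role!r} grants {action!r} in {zone!r}"
    return False, f"no role of {identity.user_id!r} grants {action!r} in {zone!r}"


def effective_permissions(identity):
    """Union of everything an identity's roles allow, per zone: the input for a least-privilege review."""
    result = {}
    for role in identity.roles:
        for zone, actions in ROLE_PERMISSIONS.get(role, {}).items():
            result.setdefault(zone, set()).update(actions)
    return result


if __name__ == "__main__":
    now = 1_700_000_000
    vendor = Identity("vendor-42", frozenset({"maintenance_vendor"}), True, now + 3600)
    print(authorise(vendor, "read", "control_network", now))     # allowed: read-only
    print(authorise(vendor, "operate", "control_network", now))  # denied: not in the role
    print(effective_permissions(vendor))
```

The point of returning a reason with every decision is that the same function feeds both enforcement and audit: a denied "operate" from a vendor account, or an IT administrator attempting a write in the control zone, becomes a log line rather than a silent failure.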
Intrusion detection and prevention as an early warning system
Intrusion detection and prevention systems (IDS/IPS) help to detect and ward off threats at an early stage, before they can cause major damage. There are several approaches. Network-based IDS/IPS inspect traffic for anomalies and suspicious activity, allowing unusual behaviour patterns to be detected and threats to be isolated, while host-based IDS/IPS focus on activity on individual systems or endpoints. Behaviour-based analysis is an important aspect in this context: it starts from the "normal" behaviour of users and systems and raises an alarm as soon as deviations indicating a threat are detected. OT networks lend themselves to this approach because their traffic is far more regular than office traffic, but the baseline has to be learned during a period that is known to be clean and must cover maintenance activity, or routine work will be flagged. Organisations should also not forget that attackers' tactics are constantly changing, so signatures and baselines need to be updated regularly. The systems of choice should be able to detect and respond to threats in real time, for example by blocking suspicious traffic or isolating compromised systems. In production environments, however, an automated block can itself halt a process, so many plants run detection in alert-only mode first and enable automatic countermeasures only for well-understood cases.
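As an added example (not from the original article), the following Python code shows the behaviour-based idea described above run over constructed flow records: a baseline of which hosts talk to which devices on which ports is learned from a clean window, and observed flows are flagged when they are new or far above their usual volume. Hostnames, ports and byte counts are invented for illustration; in practice the records would come from a SPAN port, a NetFlow/IPFIX export or an OT monitoring sensor.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, bytes) from a window known to be clean.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502, 1200), ("hmi-01", "plc-01", 502, 1180), ("hmi-01", "plc-01", 502, 1220),
    ("hmi-01", "plc-02", 502, 1100), ("hmi-01", "plc-02", 502, 1090),
    ("historian", "plc-01", 44818, 8000), ("historian", "plc-01", 44818, 8200),
    ("eng-ws", "plc-01", 502, 1500), ("eng-ws", "plc-01", 502, 1480),
]

# Constructed records from a later window; the comments say what a reviewer should conclude.
OBSERVED_FLOWS = [
    ("hmi-01", "plc-01", 502, 1250),        # normal
    ("historian", "plc-01", 44818, 8100),   # normal
    ("laptop-guest", "plc-01", 502, 900),   # never-seen source talking to a PLC
    ("eng-ws", "plc-01", 502, 250000),      # known flow, but roughly 170x its usual size
    ("hmi-01", "plc-01", 20000, 60),        # known hosts, new destination port
]


def learn_baseline(flows):
    """Per (src, dst, port): number of occurrences and mean size during the learning window."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, port, nbytes in flows:
        entry = totals[(src, dst, port)]
        entry[0] += 1
        entry[1] += nbytes
    return {key: {"count": c, "mean_bytes": total / c} for key, (c, total) in totals.items()}


def detect_anomalies(flows, baseline, volume_factor=5.0):
    """Flag flows never seen in the baseline, or exceeding their usual size by volume_factor."""
    alerts = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key not in baseline:
            alerts.append({"flow": key, "reason": "new flow (not in baseline)"})
        elif nbytes > volume_factor * baseline[key]["mean_bytes"]:
            ratio = nbytes / baseline[key]["mean_bytes"]
            alerts.append({"flow": key, "reason": f"volume {ratio:.0f}x above baseline mean"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

Note that the example only alerts; it does not block. Whether a flagged flow such as the engineering workstation's large transfer is a firmware download during maintenance or data exfiltration is a decision for the analyst until the pattern is understood well enough to automate.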
Encryption to protect sensitive data
Whether unauthorised access to production data, attempts at sabotage or blackmail attacks: protecting sensitive data requires special attention. New areas of risk are emerging for companies, especially in an environment in which the networking of plants and systems leads to data being collected in real time. Ensuring the security of this critical data requires strict security policies and procedures. In addition to regular vulnerability checks and secure authentication of users, this includes the use of effective encryption technologies. Some of the most common in the Industry 4.0 environment are TLS (Transport Layer Security), a protocol that encrypts and authenticates data transferred over a network; end-to-end encryption, which keeps data encrypted between the communicating endpoints so that intermediaries such as gateways or cloud brokers cannot read it; and PKI (Public Key Infrastructure), a system for creating, managing and distributing the digital certificates that TLS and other protocols use to verify the identity of devices and servers. Blockchain is also mentioned in this context, but it is not an encryption technology: it is a distributed ledger that uses cryptographic hashes and signatures to make recorded transactions tamper-evident. The most appropriate technology depends on the individual requirements and risk profile of the application in question, and it is only as strong as its configuration: a TLS connection that does not verify the server certificate, or that still accepts obsolete protocol versions, offers little protection. In some cases, a combination of different technologies is advisable.
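As an added example (not from the original article), the Python snippet below shows a client TLS configuration with the weak settings beside the hardened ones, plus a small check that flags the weak settings. The ca_bundle parameter is an assumed path to the plant PKI's root certificate; the rest uses only the standard library's ssl module.

```python
import ssl


def insecure_client_context():
    """The shortcut often found in integration scripts: any certificate is accepted, so anyone
    positioned between client and server can present their own key and read or modify the
    traffic. Included only as the 'before' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE      # server identity is never checked
    return ctx


def hardened_client_context(ca_bundle=None):
    """Client context that authenticates the server against a trusted CA and refuses legacy TLS.
    ca_bundle is an assumed path to the plant PKI root certificate(s); None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 are obsolete
    ctx.check_hostname = True                      # certificate must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED            # untrusted or missing certificate aborts the handshake
    # For mutual TLS (the device authenticates itself too), additionally:
    # ctx.load_cert_chain(certfile="device.pem", keyfile="device-key.pem")  # assumed paths
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the part worth keeping: run it against every context an integration script creates and the "accept any certificate" shortcut shows up before it reaches production.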
Patch management to address security vulnerabilities
One of the biggest challenges in the Industry 4.0 environment is to keep track of the entire business environment. In many cases, risks therefore remain undetected: if you do not know which devices exist and which of them communicate with each other over which network, it is difficult to monitor them, let alone keep them up to date. For attackers, missing updates for applications, operating systems, firmware or drivers are among the most promising loopholes, because a known vulnerability with a published fix often also has published exploit code. Firewalls and antivirus programs alone do not close such gaps. Companies can counteract the danger with reliable patch management: a complete inventory of devices and installed software versions, regular matching of that inventory against vendor advisories, prioritisation by severity and exposure, and a defined process for testing and applying updates, which in OT environments usually means scheduled maintenance windows rather than automatic installation.
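As an added example (not from the original article), here is the inventory-against-advisories step in Python. Device names, product names, versions and advisory identifiers are all constructed; they do not refer to real products or real advisories.

```python
# Constructed data: products, versions and advisory IDs are illustrative, not real advisories.
INVENTORY = [
    {"device": "plc-01",     "product": "ExamplePLC firmware", "version": "3.4.1",  "zone": "control_network", "internet_exposed": False},
    {"device": "plc-02",     "product": "ExamplePLC firmware", "version": "3.10.0", "zone": "control_network", "internet_exposed": False},
    {"device": "edge-gw-01", "product": "ExampleEdgeOS",       "version": "1.9.7",  "zone": "plant_dmz",       "internet_exposed": True},
    {"device": "historian",  "product": "ExampleHistorian",    "version": "7.2.0",  "zone": "plant_dmz",       "internet_exposed": False},
]

ADVISORIES = [
    {"id": "EX-ADV-001", "product": "ExamplePLC firmware", "fixed_in": "3.4.2", "severity": "high"},
    {"id": "EX-ADV-002", "product": "ExampleEdgeOS",       "fixed_in": "2.0.0", "severity": "critical"},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(text):
    """'3.10.0' -> (3, 10, 0). Numeric comparison matters: as strings, '3.10.0' < '3.4.2'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(installed, fixed_in):
    """A device is affected if its installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def priority(device, advisory):
    """Crude risk score: severity first, then Internet exposure, then placement in the control zone."""
    score = SEVERITY_WEIGHT[advisory["severity"]]
    if device["internet_exposed"]:
        score += 2
    if device["zone"] == "control_network":
        score += 1
    return score


def patch_gaps(inventory, advisories):
    """Match the inventory against advisories and return outstanding patches, highest priority first."""
    gaps = []
    for device in inventory:
        for adv in advisories:
            if device["product"] == adv["product"] and is_affected(device["version"], adv["fixed_in"]):
                gaps.append({"device": device["device"], "advisory": adv["id"],
                             "installed": device["version"], "fixed_in": adv["fixed_in"],
                             "priority": priority(device, adv)})
    return sorted(gaps, key=lambda g: (-g["priority"], g["device"]))


def products_without_advisory_data(inventory, advisories):
    """Products the advisory feed says nothing about: not 'safe', just not covered."""
    covered = {adv["product"] for adv in advisories}
    return sorted({d["product"] for d in inventory} - covered)


if __name__ == "__main__":
    for gap in patch_gaps(INVENTORY, ADVISORIES):
        print(gap)
    print("no advisory coverage:", products_without_advisory_data(INVENTORY, ADVISORIES))
```

Two things the example is meant to show: version strings must be compared numerically (plc-02 on 3.10.0 is not affected, although a string comparison would say otherwise), and a product that never matches an advisory is a coverage gap in the feed, not evidence that it is patched.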
No IoT security without device security
Security begins at the hardware level. Vulnerabilities can be introduced while IoT equipment is still being manufactured, for example if original components are replaced by counterfeit ones somewhere in the supply chain. Security-by-design is the key word here: the principle of avoiding remediable security vulnerabilities as early as the planning phase rather than patching them in the field. In addition, the execution of programs should be secured at the hardware level, for example by verifying firmware before it is executed (secure boot) and by keeping device keys in hardware rather than in software.
It should be added that today's production facilities and operational systems are generally not as well protected as IT systems. One reason is that investments in industrial production systems take years to amortise and the equipment has a considerably longer service life than IT equipment, so it sometimes remains in operation for decades. Many such systems were not designed for use in a networked environment and therefore have vulnerabilities that attackers could easily exploit. This is definitely a challenge for security: if older OT devices do not meet current security standards, they are an entry point for cybercriminals. The security level of these legacy devices can be increased without replacing them, for example by a zero trust approach in which every connection to them is authenticated and authorised and is restricted to the minimum necessary.
Limiting potential damage with an incident response plan
There is no such thing as total security. Beyond investing in robust technologies, it is therefore all the more important to have a systematic plan for dealing with the consequences of a cyber attack, for example by minimising recovery time in order to maintain business continuity. The goal is to quickly contain the threat, restore operations as fast as possible and thoroughly analyse the incident to reduce the risk of further attacks. This does not just involve technical measures: communication with customers, partners and, where required, authorities must be regulated so as not to lose trust. An effective plan, however, requires a comprehensive understanding of the IT and OT environment, including a risk assessment that identifies potential threats, vulnerabilities and critical assets. When developing the action plan, clear roles and responsibilities must be defined and incidents must be categorised into severity levels, which allows for consistent documentation and a realistic recovery plan. A plan that has never been exercised is unlikely to work under pressure, so it should be tested regularly.
Using security awareness training to curb sources of human error
Implementing state-of-the-art technologies is only half as effective if all those involved do not pull together. Yet many companies leave their strongest force out of these matters: their employees. In most cases, the introduction of Industry 4.0 technologies and security measures also entails an adjustment of workflows and processes, and new skills may be needed to understand data-driven processes. Training sessions, including awareness training, do more than ensure that the solutions used are fully successful and used effectively. If employees cannot cope with the systems given to them, those systems are sometimes bypassed and replaced by unmanaged and untested alternatives. In the field of cyber security, it is all the more important to raise the risk awareness of all parties involved and to inform them of current dangers, because at present the greatest security risk still comes from human error. Since it is not possible to fully control people in a digital, connected world, it is important to establish the right processes in order to involve people in IoT security.
Conclusion
Under pressure from tight budgets, a dynamic market and strong competition, cybersecurity is (still) a contentious issue in many places, and the information and expertise required are often lacking. Given the shortage of qualified staff and the worsening threat situation, this gap is likely to grow. However, those who put the security of their IT and OT systems at the bottom of the list risk far more than a halt in production. External specialists can provide support by offering neutral advice: they help in selecting the appropriate solution for individual requirements and can also take over core tasks of IoT security.