Walter Haydock is a product manager at PTC, where he leads cybersecurity strategy for the ThingWorx Industrial IoT Solutions Platform.
Cybersecurity is a big topic in the news today, and for good reason. Attacks on companies such as JBS and Kaseya have recently had serious consequences in the physical world. Even more alarmingly, ransomware incidents specifically targeting industrial entities have increased more than 500% since 2018, according to the security firm Dragos.
In this high-threat environment, it may be difficult to know where to start in terms of securing your Industrial Internet of Things (IIoT) deployment. Avoiding the following five common pitfalls, however, will give your organization a great start in improving its cybersecurity posture. Let's take a look:
1. Relying on your deployment’s “air gap”
Although operating your IIoT deployment on a network that is physically or logically separated from the Internet may serve as one of several security measures, you should not rely on it as the only one. The practice of air gapping networks requires extreme discipline on the part of your organization, and sophisticated actors can still overcome it with sufficient effort and time.
Even if you are confident in your network’s isolation, you should still ensure proper vulnerability management, intrusion detection, and incident monitoring tools and processes are in place in case an attacker jumps the gap.
2. Not automatically managing user access to IIoT deployments
Many cyber incidents – including ones with real-world consequences – result from improper account management. Hackers often take advantage of older user accounts to target all manner of organizations. Manually reviewing and terminating such accounts in your information technology (IT) and/or IIoT systems is time-consuming and error-prone.
Integrating these user accounts with human resources applications and automating their management through cloud-based identity providers like Microsoft Azure Active Directory is the best way to handle this challenge.
3. Scanning your third-party dependencies only once (or not at all)
Software supply chain security is a big topic in the news, especially following the breach of SolarWinds and a large portion of its customer base. Although organizations are increasingly aware of the potential threats posed by third-party technologies and organizations, not all of them know exactly what to do to address them.
An important step is to ensure that you have a method to continuously review all of the third-party code upon which your IIoT deployment relies. Modern software contains a vast number of open-source libraries, and most IT deployments rely heavily on entirely open-source applications. Ensuring you have the technical and procedural tools in place to review these for known vulnerabilities on a consistent cadence is thus a vital step. New vulnerabilities in existing code are identified every day, so this cannot simply be a one-time activity.
4. Over-indexing on the CVSS
Although it is an industry standard that is useful for understanding the relative severity of cybersecurity issues, the Common Vulnerability Scoring System (CVSS) is not a risk management tool (even according to its creators). Understanding the likelihood of a malicious actor exploiting a given security flaw is just as critical as knowing the consequences of such an attack.
Thus, blindly using the CVSS for vulnerability prioritization can cause organizations to make sub-optimal risk decisions. Frameworks such as the Microsoft Exploitability Index are important secondary tools you can use to help analyze and prioritize vulnerabilities identified in your IIoT deployment.
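The prioritization problem described above, as an added example that is not from the original article or from PTC: it ranks the same findings by CVSS alone and by CVSS weighted with the Microsoft Exploitability Index rating. The findings, identifiers, asset names, and likelihood weights are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Microsoft Exploitability Index ratings: 0 is the most urgent, 3 the least.
MSEI_LABELS = {0: "Exploitation Detected", 1: "Exploitation More Likely",
               2: "Exploitation Less Likely", 3: "Exploitation Unlikely"}
# Assumed likelihood weights per rating (illustrative, not a published scale).
LIKELIHOOD_WEIGHT = {0: 1.0, 1: 0.7, 2: 0.3, 3: 0.1}
UNRATED_WEIGHT = 0.7  # assumption: treat a missing rating as "more likely"

@dataclass(frozen=True)
class Finding:
    vuln_id: str         # constructed placeholder, not a real CVE
    asset: str           # constructed asset name
    cvss: float          # CVSS base score, 0.0 to 10.0
    msei: Optional[int]  # exploitability rating, None if none is published

def risk_score(f: Finding) -> float:
    """Severity (CVSS) scaled by the likelihood of exploitation."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.vuln_id}: CVSS out of range: {f.cvss}")
    if f.msei is None:
        weight = UNRATED_WEIGHT  # missing data must not bury a finding
    elif f.msei in LIKELIHOOD_WEIGHT:
        weight = LIKELIHOOD_WEIGHT[f.msei]
    else:
        raise ValueError(f"{f.vuln_id}: unknown rating: {f.msei}")
    return round(f.cvss * weight, 2)

def by_cvss_only(findings):
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]

def by_risk(findings):
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f.cvss))
    return [f.vuln_id for f in ranked]

# Constructed sample findings for an IIoT deployment.
FINDINGS = [
    Finding("VULN-A", "historian server", 9.8, 3),
    Finding("VULN-B", "edge gateway", 7.5, 0),
    Finding("VULN-C", "HMI workstation", 8.8, 2),
    Finding("VULN-D", "message broker", 6.5, None),
]

if __name__ == "__main__":
    print("CVSS only: ", by_cvss_only(FINDINGS))
    print("Risk-based:", by_risk(FINDINGS))
    for f in FINDINGS:
        print(f.vuln_id, f.cvss, MSEI_LABELS.get(f.msei, "Unrated"), risk_score(f))
```

The critical-severity finding that is rated unlikely to be exploited drops to the bottom of the risk-based list, while the lower-scored finding with detected exploitation moves to the top.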
5. Not having an incident response plan
Although you will greatly reduce your cybersecurity risk if you avoid the previous four pitfalls, incidents do occur, and you need a plan for dealing with them. Even big companies like Zoom have had major problems in terms of their ability to respond to both security researcher disclosures and malicious exploitations of their user base.
Make sure that you have a playbook for the technical, commercial, and public relations steps you will need to take if you suffer an attack. Being able to respond quickly and appropriately to these types of challenges can save you a lot of money, time, and embarrassment.
Conclusion
Adopting digital solutions such as IIoT can bring huge benefits to your business. While there are risks involved, implementing appropriate cybersecurity controls can go a long way toward addressing these challenges.
By first avoiding the above missteps and then developing a comprehensive security program, enterprises can capitalize on advances in IIoT technology while minimizing the risks of succumbing to a data breach, ransomware attack, or other malicious activity.