The Internet of Things (IoT) isn’t limited to the home or the office: connected devices are increasingly being used throughout Industrial Control Systems. The Industrial Internet of Things (IIoT), as it’s being called, is growing and is bringing a new world of connectivity to traditionally isolated ICS networks.
With such devices, operatives now have control away from the traditional consoles, third parties can see vital data from anywhere in the world and suppliers are alerted to supply requirements in real time.
This connectivity brings with it many benefits, but it also brings a major downside: increased vulnerability. When you connect your systems to the wider world, the chances of attackers intercepting data or gaining access to systems increase.
Security is a key concern when it comes to connected devices. Whether it’s children’s toys, smart coffee machines or industrial apps, security vulnerabilities continue to be found.
You only have to look at a recent study, which showed that from 34 randomly selected industrial system apps researchers were able to find 147 security flaws that could be exploited to disrupt or sabotage an industrial process or network infrastructure. When you consider the real-life consequences of such an exploit, you start to see just how dangerous the situation is.
Insecure password practices, unencrypted data and security patches remain primary concerns, and those looking to connect devices to their networks need to be fully aware of the risks.
Thankfully, when it comes to Industrial Control Systems the threat is starting to be taken seriously. In a recent survey, 44% of ICS operatives said that the ‘increasing presence of connected devices, many insecure by design, in and around ICS environments’ was their biggest overall concern.
Now that you know about the security vulnerabilities, would you still connect an IIoT device without testing it?
Testing device security
Testing a device before it’s connected to your system is always the best way to ensure the device is secure and that connections cannot be exploited by external attackers.
However, what if your device is already connected to your system? In this case you have a couple of options. You could test during planned downtime, or even on a mirrored system. If this is not possible, you could conduct a passive test: one which uncovers all potential known vulnerabilities in the device and recommends actions to mitigate these potential exploits.
Connect or isolate
Just because a device can be connected doesn’t mean it should be. If you’ve tested a device and are confident about its security, go ahead and connect it; just remember to add it to your network map.
In other cases ICS operatives need to weigh up the risks, balancing the perceived benefits of the device, the nature of the system it is being connected to and the potential vulnerabilities discovered from testing.
Isolating devices and implementing additional security measures can mean you still reap the benefits of a device whilst reducing the risk. But in cases where security assurances cannot be given, it’s best not to connect the device at all.
Every device will be different and decisions will need to be made on an individual, case-by-case basis.
Improving your ICS security further
Connected devices aren’t the only issue facing ICS security, and we know it can be daunting to take security action, especially when operations may be at risk. That’s why we’ve created our ICS Security Guide, to help organisations such as yours overcome the barriers and to give you seven practical steps to improve your ICS security posture.