There’s one truth to operational security that many don’t want to hear: Any system can be compromised. And as a multitude of industries like utilities, manufacturing, and oil and gas are adopting industrial internet of things (IIoT) devices — a market set to boom to 100 billion devices over the next five years, according to PricewaterhouseCoopers — ensuring security in these systems is a challenge that will grow exponentially in the near future.
While many industrial companies are taking a cutting-edge approach to IIoT to transform their industry and businesses, many are still stuck in a more traditional IT cybersecurity mindset — focusing on network security defenses. If OT professionals don’t reimagine how to actually protect IoT endpoint devices, they could hamper the IIoT revolution.
Layered networks in information technology environments have traditionally allowed institutions to monitor and rapidly respond to any security threat. But when it comes to OT security, those defenses are simply not enough. Many critical infrastructure industries simply cannot tolerate downtime and risk human safety — detection and response approaches are too little too late. Cybersecurity breaches can result in millions of dollars lost, and also — and more devastatingly — the loss of life. Because of this, it is vital that industrial businesses take a proactive approach when ensuring IIoT security. Unlike IT security, OT security must ensure an attack doesn't happen in the first place — and that means protecting only the network isn’t enough anymore.
There is a solution to this problem: Critical infrastructure operators must seek out IoT and IIoT devices with security built into these systems — not bolted on. At the chip level, extensively tested and secured cryptography can prove the trustworthiness of a device, ensuring a far more secure system, from boot to application execution. It’s impossible to guarantee 100 percent security on a device, but IoT and IIoT devices that have embedded security software integrated at the chip level create a nearly impenetrable system regardless of the network or environment.
Trustworthy operations in OT security are no longer just a target concept — it’s an achievable, measurable and demonstrable endstate with built-in device security. The advantage of built-in security in the OT environment is each of these platforms has been built with a specific purpose. These aren’t general purpose chips, and thus, they can be built to combat security issues at an explicit level.
The National Institute of Standards and Technology (NIST), the International Electrotechnical Commission (IEC) and the Industrial Internet Consortium (IIC) provide excellent guidelines on cybersecurity and processes that will hopefully rise to the level of auditable and enforceable measures instead of merely guidelines. And in the meantime, silicon vendors and original equipment manufacturers (OEMs) are taking their own steps to ensure the fidelity of these devices right now. Frameworks like the Platform Security Architecture for ARM-designed processors provide silicon vendors with the guidance to protect a multitude of connected devices. By leveraging cryptographic controls built into these processors and coprocessor subsystems, the OT community has a new starting point, whereby endpoints, gateways and communications operate in a trustworthy state.
Security in OT doesn’t just mean data privacy. Security means preventing the unimaginable, and that must start at device protection. The future is uncertain, but the recent HatMan malware attack, also known as Triton or Trisis, proves that critical infrastructure will continue to be a primary target of bad actors. To address these threats, it’s imperative that silicon vendors and OEMs take a leading role in embedding security into their systems. It’s far easier, cheaper and safer than imagining security can be bolted onto a device later. Gone are the days when OT security meant guns, guards and gates, and it’s time to engineer OT systems that are tasked for these new challenges.
ARM Director of IoT and Embedded, Rhonda Dirvin was a keynote speaker at the IoT Evolution Expo this week.
About the Author: With more than 30 years of experience in information and physical security, Dean Weber leads Mocana as Chief Technology Officer after serving as director and CTO at CSC Global CyberSecurity. Additionally, he spent several years in the U.S. Navy working in physical and electronic security. Mr. Weber is a frequent speaker at information security events such as InfoWorld, ITEC, InfoSec Europe, InfraGard, Secret Service Security Roundtable, ISSA, and various focus engagements.
Edited by
Mandi Nowitz
