Find out how to create an Internet of Things cybersecurity strategy that helps protect your network, increase efficiency and meet future infrastructure needs.  

Industrial applications across the globe are being transformed by connecting a greater number and wider range of “things” that create tremendous opportunities to innovate and drive out inefficiency. However, as your organisation creates an Internet of Things (IoT) strategy, you should answer these important security questions:

1. How do I determine whether a device is a candidate for IoT?
As more devices are embedded with smart sensors and gain the ability to communicate, these things then become the tools we use for better understanding complex processes. They can help create smarter machines that can then be better controlled, thereby increasing efficiency. All these devices are linked through wired and wireless networks using the same network technology as the Internet, so securing the architecture from attacks, data authentication and access control become increasingly more important.

To determine if your device should be connected to the IoT, simply ask, “What is the value of having it on the network?” Just because you can connect something, doesn’t mean you should. If the value of connecting is greater than the risk, then it is a likely candidate. If you do decide to put it on the network, make sure it uses standard EtherNet/IP™ technology and conforms to IP standards and best practices. This helps deliver data in a consistent manner and allows various levels of security technologies to be used.

2. What can I do to protect the control systems from a potential flood of IoT communications and threats?
We all have seen or been in nasty traffic jams caused by roads that weren’t changed to accommodate the rising population in that area. That’s what your network can look like without careful planning. By 2020, it is estimated that 20 billion devices will be IoT-connected. Do your homework and put a proper plan in place that not only addresses your needs today, but also looks ahead to the future.

No one product, technology or methodology can fully secure industrial applications. It takes a Defense in Depth (DiD) approach to address both internal and external threats. This approach uses multiple layers of security including physical, policy and technology.

As an example, verify that all unused ports are locked either programmatically or physically using lock-out connectors; put your controller into “run mode;” and use passwords. These are things that can be done today.

In addition, you can put policies in place to control human interaction with your systems whether they are internal or external, on-site or in remote operations. Authenticate who is on your network, authorise what they can do, and then account for what they are doing on your network. Use best practices for segmenting your networks: Establish domains of trust, and use network infrastructure technologies such as VLANs, VPNs, firewalls, ACLs, and passwords to limit who and what has access on your network.

Segmenting your network into smaller VLANs also can help maintain them and provide a level of isolation. For example, this segmentation helps avoid taking your entire network out due to a problem on one machine line. With the IoT comes great opportunity, but it’s not without its challenges. However, you don’t have to do it alone. Help is available for you, such as the Industrial IP Advantage (www.industrial-ip.org), an online community that can provide the information you need to successfully deploy your industrial information architectures.

3. How is cyber security for IoT and industrial control systems security different?
There is no major difference. A good cybersecurity plan includes prevention: setting policies and procedures to reduce risks, and resolution — what to do if there’s a security breach. This is fundamentally the same for industrial control systems (ICSs), and in fact might be even more important, because downtime of operations can be very costly to the company.

4. How should IoT and ICS cyber security be managed?
To truly gain the advantages and opportunity the IoT promises, you need to accept the convergence of IT and OT network infrastructures. This allows you to manage the entire network using the same technologies and personnel, helping to reduce assets and training — one staff instead of two, with one common objective instead of two disparate ones.

However, this isn’t a simple journey; better collaboration between departments, facilities and suppliers will need to happen. Many plant networks never were designed to connect with the enterprise, so a comprehensive assessment is a good start to developing your strategy and execution plan.

5. Who should be responsible for providing IoT cyber security?
Just as there’s no one product, technology or methodology to fully secure your control system, there’s no one provider either. Each needs to keep security in mind when providing products or solutions for your business. This should include your entire supply chain. Network owners need to design their networks using validated designs and best practices and plan for who, what and when information will be available on the network.

ICS providers should offer control systems that follow global standards and regulatory security requirements and have common, secure design requirements in their product developments.

OEMs or equipment builders should follow best practice designs in their machine networks as well. Their machines should integrate easily into their customers’ operations, meeting IT security policies and OT performance objectives. This integration also allows the machine builder to drive even more value to their customers. For example, with the ability to establish secure remote access from anywhere in the world, customer machine downtime and travel expenses are minimised.

6. What is the role standards play in managing IoT cyber security?
Standards are critical to realising the promise of the IoT. Without them, these “things” aren’t going to connect in a consistent fashion, meaning more work for everyone.

The standards help validate that technologies and methodologies are proven and provide greater interoperability. They can also help users put these “things” on the network so the data gets to where it needs to be at the right time, and gets there securely.

Solution providers can help you better secure your network with existing products and solutions built on these standards. Following these standards will allow better evolution of your infrastructure. With a properly designed network that can accommodate evolving standards and technologies, you can avoid those future traffic jams.