Securing IIoT systems still a contractual no man’s land
The industrial internet is a continuously evolving and layered infrastructure built on connected machinery – a large proportion of which has not previously been linked to the internet. The fact that these machines can now be accessed online brings new challenges for IoT service providers as well as their clients. Furthermore, questions remain regarding responsibilities, says Pasi Vilja, Chief Information Security Officer at Konecranes.
Last year, a massive distributed denial-of-service (DDoS) attack swept across the globe and nearly disrupted the entire internet. Experts called it the largest attack of its kind in history. Afterwards, close investigation revealed that the assault had been orchestrated entirely through IoT devices: a huge number of web cameras had been left unprotected, which gave attackers an easy way to mount a large-scale attack via the internet.
“This is a great example of the vulnerabilities born out of millions of unprotected devices suddenly being connected to the internet. As the number of internet-connected devices continues to grow, new vulnerabilities also arise, bringing forth questions about internet safety which we haven’t faced before,” Vilja says.
The need for shared solutions to these questions is growing increasingly dire as more and more machines – many of which were designed before the advent of the IoT era – are connected to the internet and operated in ways that couldn’t have been anticipated when they were built.
Implementing security measures in the era of IoT
According to Vilja, security in the context of the industrial internet can be implemented mainly through the same types of practices already used to secure computer networks: keeping up a proper firewall, requiring identification, constantly monitoring for problems and reacting to them quickly, and keeping software updated.
“The same principles work in both an ordinary IT context and an IoT environment. On the software level, there isn’t that much of a difference in how the systems can be kept safe in either setting. Still, the industrial context adds a layer of complexity to the equation,” Vilja says.
One of the greatest differences in terms of web security in an industrial context is the machinery’s long lifecycle, which brings forth new questions on service providers’ responsibility to offer their clients updates for extended periods.
“Some machinery in industrial use still runs on Windows XP or even NT. For the former, support ended in 2014 – and for the latter, in 2004. How are we going to ensure that systems will be kept secure when some of the machines have lifecycles of 50 years? These are still questions to be discussed,” Vilja says.
Another issue arises from the variety of machines being connected to the web. Industrial companies might have a combination of old, previously non-connected machinery that is now being connected to the web, point-to-point connected machines, and newer internet-connected machines. As they gradually open all of these machines to the internet, the question becomes how to ensure that no security gaps are left between the different ways of connecting.
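The practices Vilja lists above (firewall, identification, continuous monitoring, updates) become concrete once they are applied to an inventory of mixed-age equipment. The following is an added example, not code from the article or from Konecranes: a small audit over a constructed asset list that flags the three risks the text describes, an operating system past vendor support (the article cites Windows XP, support ended 2014, and Windows NT, support ended 2004), a machine with no recent patch history, and a machine exposed directly to the internet rather than behind a firewall or segmented gateway. The asset names, exposure categories, the 180-day patch-age threshold and the exact end-of-support days are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Vendor end-of-support dates. The page gives only the years (XP: 2014, NT: 2004);
# the exact days are assumptions for this example.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows nt": date(2004, 12, 31),
}

# Reference "today" fixed so the audit is reproducible; an assumption for the example.
REFERENCE_DATE = date(2024, 1, 15)


@dataclass
class Asset:
    name: str
    os: str
    last_patched: Optional[date]   # None means no record of any update
    exposure: str                  # "segmented", "point-to-point" or "direct"


def assess(asset: Asset, today: date, max_patch_age_days: int = 180) -> List[str]:
    """Return the list of findings for one asset (empty list means nothing flagged)."""
    findings = []

    # 1. Operating system no longer receiving vendor security updates.
    eos = END_OF_SUPPORT.get(asset.os.lower())
    if eos is not None and eos <= today:
        findings.append(f"OS out of vendor support since {eos.isoformat()}")

    # 2. Updates not being applied (the long-lifecycle problem the article describes).
    if asset.last_patched is None:
        findings.append("no patch history on record")
    else:
        age = (today - asset.last_patched).days
        if age > max_patch_age_days:
            findings.append(f"last patched {age} days ago")

    # 3. Machine reachable from the internet with nothing in front of it.
    if asset.exposure == "direct":
        findings.append("directly internet-exposed, no firewall or gateway in front")

    return findings


def audit(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its findings; machines with the most findings first."""
    results = {a.name: assess(a, today) for a in assets}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory for the example; these are not real machines.
SAMPLE_FLEET = [
    Asset("crane-controller-01", "Windows XP", date(2013, 11, 1), "direct"),
    Asset("sensor-gateway-02", "Embedded Linux", date(2023, 12, 1), "segmented"),
    Asset("legacy-plc-03", "Windows NT", None, "point-to-point"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLEET, REFERENCE_DATE).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The point of the sorted output is the one Vilja makes about lifecycles: the oldest controller collects every finding at once, so an inventory like this is also the starting list for the contractual discussion of who is responsible for bringing each machine back within a supported, monitored and segmented configuration.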
Discussions about responsibilities still underway
Who has the ultimate responsibility regarding the IoT solutions in use and keeping them up to date? Is it the service providers? And if so, then how long and how actively do they have to ensure that the security is current? According to Vilja, these questions are still open for discussion, and no concrete best practices have surfaced yet.
“This is very much a discussion still to be had. Service providers must take responsibility to ensure that the services they offer are maintained to protect against new security threats. But only the clients know their full set-up and probably don’t want automatic updates from multiple providers. And how knowledgeable are the clients about the relevant security features or risks? This is still a contractual no man’s land,” Vilja says.
Another concern is that in highly specialized systems that clients have tweaked or integrated, updates could cause interruptions – or even shutdowns – in their operations. On the other hand, refraining or neglecting to update could leave those entire systems vulnerable.
According to Vilja, open discussion and continuous monitoring are essential in order to form proper guidelines. Eventually, best practices will emerge, and they are likely to follow precedents from the computer market.
Ultimately, the same rules apply to web cameras and smart refrigerators as for industrial sensors – basic security measures go a long way, and they must actually be implemented in order to ensure operational safety.
Pasi Vilja is the Chief Information Security Officer at Konecranes.