At BlackHat last week, the good folks at CyberTECH invited me to participate in a panel discussion on securing the industrial internet of things, or IIoT. By now, we’ve all heard about the security concerns the manufacturing space has regarding the IIoT: millions of connected devices connecting to a corporate network every day to upload customer data could give cyber adversaries the entry point they need to compromise a network and wreak havoc.
As the panel conversation moved into the audience Q&A, it became apparent to me that most of the security experts in attendance viewed securing the IIoT as the responsibility of the OEMs building IIoT-enabled industrial equipment. This argument was usually followed by a complaint that those same OEMs don’t know anything about cybersecurity, so securing the IoT won’t be possible in the foreseeable future.
This discussion was very spirited. It was also, in my humble opinion, riddled with FUD and assumptions about securing the IIoT that are either inaccurate or simply not true. Securing the IIoT is possible, and it won’t require new gains in security technology to do so. Next-generation security solutions like the Palo Alto Next-Generation Security Platform are perfectly capable of securing the IIoT. The real challenge is getting the security industry to understand that.
Now, the IIoT will enable many devices that have been previously “dumb” to become “smart”; in other words, become equipped with sensors that gather data and connect to the internet so that data can be shared to enable new business models and opportunities. But I think it’s unreasonable to expect the engineers who design those devices to suddenly become experts in cybersecurity. It would be like me expecting my threat research team to become experts in industrial control solutions if they intend to provide threat intelligence to industrial customers.
At the end of the day, data on the IIoT is no different from data on the regular internet; it uses IP packets just like any other internet traffic. And malware delivered via the IIoT doesn’t present any new or unique threat that would require defenses beyond those used to stop malware delivered via more common means, like a spear phishing attack. If your security architecture uses a zero trust model and policy controls that enable the proper use of applications and data, it will still be able to identify malware as it moves through the various steps in the attack lifecycle and stop it.
To sum up, just because an attack on your network is coming from an IIoT-enabled HVAC system, and not a compromised laptop, that doesn’t mean your security architecture can’t stop it, provided it’s a next-generation security architecture designed to combat the methodologies used by today’s more advanced cyberattackers. So the next time the topic of IIoT cybersecurity comes up, everyone just take a deep breath and relax. With the right next-generation security platform in place, embracing the IIoT becomes a much less scary proposition.
[Palo Alto Networks Research Center]