InfoSec Insider

Plugging the Data Leak in Manufacturing

IIoT-generated data – calibrations, measurements and other parameters – still need to be stored, managed and shared securely.

More often than not, when the internet of things (IoT) is brought up these days, it conjures images of Alexa, Siri and Cortana. These personal assistants can help users turn on a smart light bulb, flick on the oven and get the day’s news, all in one fell swoop. However, IoT has evolved far beyond consumer-fronted devices in 2019.

Increasingly, manufacturers are deploying IoT technology to better facilitate automation and help increase productivity. Car manufacturers, railways and even companies in the food and beverage space are using families of networked sensors, actuators and other devices to collect production data and feed it to the cloud to gather further insight into their system’s efficiency.

For factories, Industrial IoT (IIoT) is becoming more and more embedded in ecosystems, thanks to advances in automation, big data analytics and a decrease in the cost of hardware.

According to a recent market study by IoT Analytics, global spending on IIoT platforms for the manufacturing industry is predicted to grow from $1.67 billion in 2018 to $12.44 billion in 2024, with 43 percent of businesses using the technology for general process-optimization, and 41 percent for visualization.

Companies like Emerson, which specializes in automation solutions, have already helped companies deploy IIoT solutions to boost their efficiency. In one scenario, it recently set up an IIoT edge computing gateway at a manufacturer. The gateway uses sensor data to judge how fast shock absorbers in pneumatic cylinders deteriorate. Instead of the shock absorbers being replaced at a set interval, a sensor sends an alert when a value is hit, and the part is then replaced. Companies like Rolls Royce, meanwhile, are famously using the technology to parse through trillions of data points provided by sensors to fine-tune their engine development.

IIoT helps bring visibility to managers, allowing them to see whether machines are on, if they’re running efficiently and if there are any issues to address. In the event an issue arises, because of the data that IIoT provides, the technology can also allow manufacturers to trace back parts to where they were made and assess whether there’s been a problem with the machine, the part or something else entirely.

As IIoT systems depend on these sensors to collect and parse through vast amounts of data, it’s vital to ensure that there are controls in place to safeguard that data and ensure its integrity. However, it can be easy to overlook the fact that this data needs to be protected in the first place. After all, it’s unlikely these systems are handling sensitive data that’s subject to regulatory compliance like protected health information (PHI) or personally identifiable information (PII).

However, IIoT-generated data – calibrations, measurements and other parameters – still need to be stored, managed and shared securely to provide a company with maximum impact. Failing to do so could have a drastic outcome and result in service disruptions, the loss of intellectual property and data leaks. Without proper data protection measures in place, IIoT systems could be at a higher risk of an industrial attack, like Triton/Trisis, which could lead to human harm, as well.

As these types of systems continue to proliferate and interact with enterprise systems and business processes, it’s important to have some sort of baseline for securing them. That’s where one group, the Industrial Internet Consortium, has stepped in. The nonprofit, which counts GE, Microsoft and Dell EMC among its founding members, released a guide this summer around applying data protection best practices to IIoT systems.

As the IIC points out, cryptography, encryption, auditing, monitoring and protecting data – at rest, in motion, and in use – are some of the only ways to guarantee data integrity. Familiarizing oneself with best practices like data security, data privacy and data residency while ensuring they’re mapped to IIoT data can improve the trustworthiness of the system as well, according to the consortium.

The IIC’s guidance complements other frameworks already on the books that are required reading for admins in charge of, or considering implementing, an IIoT system.

While not exclusive to industrial environments, the IoT Security Maturity Model, also released by the IIC and co-authored by Microsoft, can help organizations assess their security maturity when it comes to IoT systems. The guide walks readers through tips on establishing governance practices, implementing security controls, and hardening practices, like software patching, performing security audits, and proper incident response, for IIoT setups.

Other frameworks around developing interoperable IIoT systems include the Industrial Internet Reference Architecture (IIRA) and the Industrial Internet Security Framework (IISF). The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), has also published guidance in the form of its Securing the Industrial Internet of Things report, released in August.

While all of these frameworks should provide valuable insight to organizations looking to secure industrial systems, organizations should also treat IIoT like what it is: a complex supply chain. Organizations would be doing themselves a disservice by not having a way to track data and ensure its integrity, from factories to engines to cylinders to sensors, throughout an environment.

Tim Bandos is vice president of cybersecurity at Digital Guardian.
