Zero Trust: Best Practices for Preventing Misunderstandings and Mistakes
Zero Trust can be perplexing when it devolves into just another marketing buzzword. Let’s clarify what it really means.
The Christmas season is upon us and retailers are excitedly stocking their shelves. Once again, Internet-connected consumer gadgets, or Internet of Things (IoT) devices, are expected to be among the best-sellers this year.
In all the hubbub, it is easy to overlook that consumer IoT is set to be dwarfed by IoT's impact on industry.
According to the McKinsey Global Institute, the Industrial Internet of Things (IIoT) is where the impact of IoT will be felt the most. The market for IIoT in factories alone is expected to be worth up to $3.7 trillion per year by 2025.
The ultimate aim of IIoT, or smart manufacturing, is to create robust ecosystems where many thousands of individual remote smart devices work together securely as a team.
Virtual Private Network (VPN) technology has an important part to play in these environments by ensuring data traffic is secured at the device level and encrypted at all times.
Smart manufacturing promises to deliver a treasure trove of new information that will be mined and analyzed through the continuous monitoring of real-time data.
Armed with this information, companies hope to reap a host of industrial benefits, from production process improvements and waste reduction to less downtime and proactive maintenance.
In a 2013 Aberdeen Group report, 53% of U.S. manufacturers with IIoT or smart manufacturing had improved their business, increased their competitive edge and reduced overall costs.
At the same time, 40% of U.S. manufacturers admitted the biggest risk factor is the failure of critical assets.
One of the top challenges of IIoT is keeping valuable business data secure.
Maintaining robust security across the complex web of smart devices that make up the IIoT is no trivial matter.
IIoT development is still in its relative infancy. Nevertheless, the media has been quick to pick up on examples of IIoT-related risk whenever incidents occur.
For example, the United Nations (UN) nuclear agency admitted in October that a cyber-attack "disrupted" a nuclear power plant several years ago.
The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also voiced concerns over an increasing number of cyber-attacks targeting industrial control networks.
Arguably, the most notorious case to date occurred in December 2015 when a cyber-attack on a Ukrainian power station caused a power outage that affected 225,000 customers.
There is still much debate around IoT standards development. Senior figures from the IT industry have been calling on the U.S. Congress to act and enforce IoT standards development, particularly with regard to security.
The U.S. National Institute of Standards and Technology has released updated guidance on securing IoT, but industry insiders say it falls well short of what’s necessary.
Meanwhile, there are three main standards development organizations (SDOs) working on IIoT. The Industrial Internet Consortium (IIC) is collaborating with the ISO/IEC and IEEE to position and adapt existing standards into a common context for IIoT, which it calls an Industrial Internet Reference Architecture.
These efforts are currently some way off being unified into international IIoT standards that can be applied across a broad range of suppliers and industries.
In the meantime, individual suppliers and industries are ploughing ahead with their own solutions.
Device manufacturers might want to consider a few basic ground rules during the development process to better secure IoT devices.
First, it is safest if devices do not come with remote upgrade capabilities. Of course, the ability to upgrade software remotely can save costs. If this is required, then devices should at least be equipped with a secure VPN.
Second, build in device authentication capabilities to help verify devices for upgrade purposes.
Third, devices should be provisioned with logging and alerting capabilities that record all access attempts and tampering, whether by privileged users or by unknown third parties. Such functions should operate securely and produce time-stamped log entries.
Finally, centrally managed VPN connections can begin the process of introducing robust security even in an Industrial IoT environment.
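One way to meet the third ground rule above, shown as an added example that is not from the original article: a time-stamped access log in which each entry carries an HMAC chained to the previous entry, so later edits or deletions are detectable. The function names, the key and the sample entries are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "prev" for the first entry

def _mac(key, body):
    # MAC over a canonical JSON encoding so field order cannot change the result
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_entry(log, key, ts, actor, action, outcome):
    """Append a time-stamped entry whose MAC also covers the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "outcome": outcome, "prev": prev}
    log.append({**body, "mac": _mac(key, body)})
    return log[-1]

def verify_log(log, key):
    """Return the index of the first entry that fails verification, or None."""
    prev, last_ts = GENESIS, ""
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        intact = (body.get("seq") == i and body.get("prev") == prev
                  and str(body.get("ts", "")) >= last_ts  # ISO 8601 UTC sorts as text
                  and hmac.compare_digest(str(entry.get("mac", "")), _mac(key, body)))
        if not intact:
            return i
        prev, last_ts = entry["mac"], str(body["ts"])
    return None

def alerts(log):
    """Entries worth alerting on: refused access attempts and tamper events."""
    return [e for e in log if e["outcome"] == "denied" or e["action"] == "tamper"]

# Constructed sample data; KEY stands in for a per-device secret that the
# users being logged cannot read (an assumption of this sketch).
KEY = b"constructed-demo-key"

def sample_log():
    log = []
    append_entry(log, KEY, "2024-01-01T08:00:00Z", "admin", "login", "granted")
    append_entry(log, KEY, "2024-01-01T08:05:00Z", "unknown", "login", "denied")
    append_entry(log, KEY, "2024-01-01T08:06:00Z", "admin", "upgrade", "granted")
    return log
```

The chain alone does not reveal removal of the most recent entries; forwarding the latest MAC to a central collector, for instance over the device's VPN connection, closes that gap.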
In conclusion, IIoT promises to bring invaluable benefits to manufacturing and heavy industry in terms of process efficiencies and cost savings. However, while the technology is still relatively immature and standards are some distance away, security remains a major risk. One of the most reliable ways to make IIoT environments more robust in a security context is through the deployment of VPNs. With VPNs, device patching, updating, authentication and connectivity adjustments can be managed remotely, completely hidden from any would-be attackers.