Industrial IoT Security: Six Key Considerations

As industry 4.0 takes hold, industrial IoT (IIoT) security for devices takes center stage. PSA Certified can provide alignment to IIoT standards with a step-by-step framework to building-in the right level of security for connected devices.

Factories within the industrial sector used to be separated into two main areas: IT and OT. IT is the same Information Technology we all recognise, and typically manages Internet connected devices, without the ability to turn them on and off, nor obtain real-time data or insight into what the device was doing. OT is Operational Technology; the part responsible for running industrial machinery. Today, in the wake of digital transformation, IT and OT are merging. With the merging of IT and OT, the machines that make the products as well as the products themselves can be monitored, managed, and controlled through IoT devices connected to the cloud. Information about everything from machine performance to the state of the production line is now available. 

Industry 4.0: Everything is Connected, Data is King

The IIoT market is expected to reach a value of $922.62 billion by 2025, driven by cost optimization, factory flexibility, and increased worker productivity. This huge opportunity is a product of the merging of OT and IT, integrating new technologies into systems and connecting legacy devices. With this opportunity comes new security risks and, over recent years, these have been coupled with multiple regulations and guidelines specifically for the IIoT.

Identifying and mitigating security risks, along with aligning to multiple regulations is extremely time-consuming and costly and, at a time when innovation and time-to-market are key, standardization of security is a must.

PSA Certified provides a security framework and certification program that aligns to multiple regulations worldwide; such as ETSI 303 645 for the European market, NISTIR 8259 for the North American market, California state law and draft UK DCMS IoT requirements. The PSA Certified founders recognize that there are other key IIoT standards (including NIST CSF, ISO 27000, IEC 62443, ENISA standards, Internally Developed Security, NERC CIP and NIST CPS) so we’re starting to evaluate whether regulation mapping with those requirements is needed.

Six Key Considerations for IIoT Security

Market-specific standards and government regulations are just one part of the many things that need to be considered when developing devices, in fact, a standardized approach to security reduces development time and costs enabling teams to focus on value-add, while building in a foundation of security reduces losses from security issues that could arise at a later stage. There’s no doubt that this can feel like a confusing space, so in this blog we’re outlining six key security considerations that IIoT businesses need to consider when building devices. The suggestions are inspired by the PSA Certified Security Model which outlines 10 security goals that should be implemented into an IoT product, creating a foundation of security.

1. Secure over-the-air updates

When you’re managing millions of IoT devices, manual updates are impossible. Therefore the ability to update your devices remotely or “over-the-air” (OTA) ensures the longest possible life of the device. It also brings additional benefits including: customer convenience, quick response to changing customer requirements, rapid response to security issues (by the implementation of new patches), and the ability to add new features that can drive new revenue streams.

PSA Certified mandates that this process must be carried out securely and asks manufacturers to ensure that the integrity and authenticity of updates is checked, and only upon successful verification should the initiation of the update process begin. Implementations can choose to base the OTA management security on either secret key or PKI technology, and have the choice of using Security Layers or protected authorization token-based interaction.

2. Communication security

Without adequate security, the device or its data can be hijacked and stolen, or altered in ways that could be potentially dangerous. PSA Certified advises that you create secure communication with end-to-end encryption that ensures only those with secret decryption keys can access transmitted data. To interact with a particular device, a unique identity should be assigned to it, and this identity must be authenticated. The identity facilitates trusted interaction with the device in terms of management and the exchange of data.

In addition, data in transit between a device and the cloud is communication that must also be protected. For example, a smart sensor that sends usage data to our data acquisition service (or SCADA) must be protected from digital eavesdropping.

3. Security debug, factory level debug.

The exploitation of open ports on devices has been an on-going problem for many IoT devices. Remote debug, in particular, has had past issues due to product manufacturers’ tendency to leave it open before shipping, which potentially exposes the devices to attack.

PSA Certified evaluation reviews a component that allows for the closure of debug ports post-manufacturer, and only allows authenticated and authorized access.

4. Component authenticity

Aftermarket components may be substandard and that can lead to counterfeit devices that are unsafe and unsecure. OEMs and system integrators need to ensure the components going into their products from the supply chain are secure.

PSA Certified products offer the proof companies need to trust the supply chain is maintaining compliance to a standard. Many OEMs have a vendor qualification process that includes a component requirement and may also incorporate specific certification requirements. PSA Certified can act as a fundamental element of this qualification process. Using it as such can reduce the time to go through certification processes and minimize the opportunity for false security claims.

5. Software

When developing devices, the less custom integration required, the better. It must be as simple as possible for developers to secure devices by default. That way, they can focus on the application without being concerned about the security infrastructure.

PSA Functional API Certification includes a consistent set of security functions with a standardized interface that enables trusted communication with cloud services and allows seamless application portability across IoT devices. 

Software vendors can easily port to APIs and chips can port to multiple software platforms. These Functional APIs make baseline security accessible for every product, providing free APIs with access to complex security functions and a free test suite to verify API compliance. Together, these significantly reduce the challenges and costs of security.

6. Machine Learning

In an industrial setting, operators must protect against inference attacks. Because IoT systems collate, link and merge data from a variety of sources, the opportunity for inference is expanded. For example, when robots used for visual inspection are interfered with in a way that causes a false detection. As a result, the robot might make a costly mistake or become unsafe.

PSA Certified addresses inference attacks through a number of mechanisms, including encryption, interaction via interfaces between the device and the outside world that do not allow the system to be compromised, and isolation that prevents one trusted service from compromising another.

The Enhanced Role of IIoT Security

When OT systems weren’t connected to the outside world, the need for security was less important. As they come online, security of these systems and the system-on-chip’s that drive them increases significantly. This is particularly true when it comes to securing the critical infrastructure included in industrial control systems, the electrical grid and SCADA systems. 

PSA Certified assures IIoT that the very root of a device is secured and forms a foundation upon which all additional components can be secured as well. It goes back to the fact that, “You’re only as secure as your weakest link.” So, start with a solid foundation and build up knowing you’re also building a solid foundation for your Industrial 4.0 aspirations.