28-01-2020
6 min. read
Sjors de Kleijn

How To Prevent Enterprise IoT Security Issues? The Ultimate Checklist

Reduce risks and protect your industrial equipment, customers and plants

Industrial enterprises (e.g. factories and plants) need to be aware of the different IoT security threats and implement a multi-layered cybersecurity strategy to protect their business and operations. This article details the risks of connected devices and describes the main solutions that will solve your IoT security challenges – today and in the future.


What is IoT security?

IoT security concerns the safety of connected devices and their networks in the Internet of Things (IoT), and protecting them from any potential security threats. Industrial IoT involves adding internet connectivity to systems, computing devices, and mechanical and digital machines. New hacks and security vulnerabilities are discovered every single day, which makes ensuring the security of your devices a continuous process. That means your chosen IoT security solution has to be robust and must include features that keep connected systems continuously secure.

The risks of connected Industrial IoT devices

Not having a security and privacy program for IoT products can have a major impact. A lack of sufficient monitoring of IoT devices/systems to detect security vulnerabilities creates an easier target for hackers. The risk is that critical software that once ran in its own secure environment is now linked to a broader network. An IIoT network was previously a separate network for operational technology, but now a device connects this private network to the rest of the company’s IT network – which can cause serious harm as confidential, business critical data is within reach.

Hackers have already deployed malware to industrial networks by exploiting internet-connected sensors and gaining access to physical networks. So potential IIoT cyberattacks should be top of mind when you start connecting IoT devices to the internet. 

We created this checklist to make sure you think about all aspects of IoT security and have everything in place to prevent these kinds of issues.


An Industrial IoT security checklist to prevent issues and breaches

Machine engineers and their customers should discuss the risks of IoT together to prevent potential attacks and take action to ensure the continued safety of their systems. This checklist covers the security areas you should address, helps minimise security threats to IoT, and suggests solutions and actions to keep a plant or operation secure.

Firewalls – Limit your surface area

Most of what cybersecurity specialists do is minimise the risk of something bad happening to the system. The easiest way to do this is to limit the number of things and locations that a hacker can potentially exploit. Think of your IoT environment as if it were a bank vault, where you store your most precious currency – in this case, intellectual property, machine and customer data, etc. It is much easier to secure and monitor your vault if it only has a single guarded entrance. 

This is where firewalls come in. Firewalls are straightforward applications that filter internet traffic based on source IP (where is it coming from?), destination port (where is it going to?) or packet content (what is being sent?). Spending a bit of extra time configuring this can save you a lot of trouble further down the line. Ideally, you want to expose only the essential applications (i.e. ports) to only those sources that are to be expected, with traffic that is to be expected. 

So ask yourself which ports should be opened up to the big bad Internet, and who should be able to reach them. A port that runs SSH may only need to be accessible from your company HQ, and a port that runs a database may only need to be reachable from the server itself (i.e. “localhost”).
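The allowlist approach described above, written out as code. This is an added example, not IXON's own tooling: it takes a small per-port policy (the port numbers, networks and comments are constructed, and 203.0.113.0/24 stands in for "company HQ") and renders it as a default-deny nftables input chain, so that the only way to open a port is to write it into the policy. The loopback rule is what keeps a "localhost only" database reachable for the server itself and nobody else.

```python
"""Turn a per-port allowlist into a default-deny nftables ruleset (added example)."""
import ipaddress

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed policy for a hypothetical IoT gateway. Anything not listed stays closed.
# An empty "sources" list means the port is reachable from the host itself only
# (loopback), which is what you want for a local database.
POLICY = {
    22:   {"proto": "tcp", "sources": ["203.0.113.0/24"], "comment": "SSH from HQ only"},
    443:  {"proto": "tcp", "sources": ["0.0.0.0/0"],      "comment": "HTTPS for customers"},
    5432: {"proto": "tcp", "sources": [],                 "comment": "PostgreSQL, localhost only"},
}


def public_ports(policy: dict) -> set[int]:
    """Ports the policy exposes to the whole Internet: review this set first."""
    return {
        port for port, spec in policy.items()
        if any(ipaddress.ip_network(s) == ANYWHERE for s in spec["sources"])
    }


def build_ruleset(policy: dict) -> str:
    """Render the policy as an nftables 'inet filter' table whose input chain
    drops by default and accepts only what the policy names."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",                         # localhost-only services live here
        "    ct state established,related accept",  # replies to connections we opened
        "    ct state invalid drop",
    ]
    for port, spec in sorted(policy.items()):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
        proto = spec["proto"]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r} for port {port}")
        for src in spec["sources"]:
            # strict=True rejects typos such as 203.0.113.5/24 (host bits set)
            net = ipaddress.ip_network(src, strict=True)
            family = "ip" if net.version == 4 else "ip6"
            match = "" if net == ANYWHERE else f"{family} saddr {net} "
            lines.append(f'    {match}{proto} dport {port} accept comment "{spec["comment"]}"')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset(POLICY))
```

Write the output to a file and check it with `nft -c -f rules.nft` before loading it; the `public_ports` set is the short list you should be able to justify for every entry.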

Read more about why you should care about incoming connections to your factory.

Encryption – ƐnℂrŶpŤ

Encryption is the mathematical process of turning a readable message into (seemingly) random gibberish using a pair of really long numbers. Its purpose is to mask any information from prying eyes and it’s used to guard against so-called man-in-the-middle attacks using TLS. Once encrypted, you can be sure that your confidential message can only be read by you and the intended recipient. 

However, not all encryption is created equal. There are many ways (also known as algorithms) to encrypt a message, and some of them have known vulnerabilities and, as a result, are insecure. Always check reputable sources like SSL Labs or the Mozilla wiki to determine the latest industry standard when it comes to TLS configuration.
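The "check your TLS configuration" advice applied to client code, as an added example that is not part of the original article. It audits a Python `ssl.SSLContext` against a small baseline (TLS 1.2 or newer, certificate required, hostname verified, no cipher suites below 128 bits) and shows a hardened context beside the kind of "verification off" context that quietly removes the man-in-the-middle protection the section describes. The baseline thresholds are this example's choice, not a standard the page cites.

```python
"""Audit a Python ssl.SSLContext against a minimum TLS baseline (added example)."""
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}; pin it to TLSv1_2 or newer")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required; any server (or interceptor) is trusted")
    if not ctx.check_hostname:
        findings.append("hostname check disabled; a valid cert for any name would be accepted")
    weak = sorted(c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < 128)
    if weak:
        findings.append(f"cipher suites below 128 bits enabled: {', '.join(weak)}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Certificate required, hostname checked, system CA store loaded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # pin it; do not rely on build defaults
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What 'it works now, fix later' code often looks like; here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, audit_tls_context(ctx) or ["OK"])
```

Use the hardened context with `ctx.wrap_socket(sock, server_hostname=host)` so the hostname check has something to compare against; the same audit applies to a server-side context, minus the hostname check, which is a client-side concern.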

Data loss – Backups

Firstly, you need backups! 

Not having backups just ensures that you are screwed in the event anything goes wrong. 

But just having backups is not enough. You need to have ‘proper’ backups. Proper is a subjective term, meaning different people will have different definitions of the word. So what constitutes a ‘proper’ backup? In any case, you need to ask yourself the following questions, and be satisfied with the answer:

  • What data do I need to store to recreate our entire IoT environment?
  • How often do I need to create a backup? (i.e. how large a gap in data do I find acceptable?)
  • How long do I keep backups before discarding them?
  • How do I test that the data in the backups is correct?
  • How do I keep my backups secure?

Regularly review these questions and reflect if you’re still satisfied with the answers, and if not, make the necessary changes. 
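Three of the questions above (what to store, how to test that the backup is correct, how long to keep it) turned into working code. This is an added example, not the article's or IXON's backup procedure: it archives a directory, records per-file and whole-archive SHA-256 digests in a manifest, verifies a backup against that manifest, and applies a retention rule that always keeps the newest few archives. The directory contents, file names and dates are constructed for the demonstration; the retention window and the `min_keep` floor are this example's choices.

```python
"""Create, verify and expire backups of an IoT configuration directory (added example)."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

PREFIX = "iot-backup-"
STAMP = "%Y%m%dT%H%M%SZ"  # 16 characters, e.g. 20200128T120000Z


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def create_backup(src_dir: Path, dest_dir: Path, when: datetime) -> Path:
    """Archive src_dir and write a manifest with per-file and whole-archive digests."""
    archive = dest_dir / f"{PREFIX}{when.strftime(STAMP)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    files = {p.relative_to(src_dir).as_posix(): sha256_file(p)
             for p in sorted(src_dir.rglob("*")) if p.is_file()}
    manifest = {"created": when.isoformat(), "archive_sha256": sha256_file(archive), "files": files}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path) -> bool:
    """Is the data in this backup correct? The archive must hash to what the manifest
    recorded, and every listed file inside it must still hash to its recorded digest."""
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        for name, digest in manifest["files"].items():
            try:
                member = tar.extractfile("data/" + name)
            except KeyError:  # file listed in the manifest is missing from the archive
                return False
            if member is None or hashlib.sha256(member.read()).hexdigest() != digest:
                return False
    return True


def backup_time(archive: Path) -> datetime:
    stamp = archive.name[len(PREFIX):len(PREFIX) + 16]
    return datetime.strptime(stamp, STAMP).replace(tzinfo=timezone.utc)


def select_for_deletion(archives, now: datetime, retention: timedelta, min_keep: int = 3) -> list:
    """Archives older than the retention window, except that the newest min_keep are
    always kept, so a long gap in backups never leaves zero restore points."""
    newest_first = sorted(archives, key=backup_time, reverse=True)
    return [a for a in newest_first[min_keep:] if now - backup_time(a) > retention]


def demo() -> dict:
    """Constructed round trip: back up a tiny config tree, verify, damage it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "gateway-config", Path(tmp) / "backups"
        (src / "certs").mkdir(parents=True)
        dest.mkdir()
        (src / "gateway.yaml").write_text("site: plant-01\nmqtt_port: 8883\n")  # constructed
        (src / "certs" / "ca.pem").write_text("placeholder, not a real certificate\n")
        when = datetime(2020, 1, 28, 12, 0, tzinfo=timezone.utc)
        archive = create_backup(src, dest, when)
        fresh_ok = verify_backup(archive)
        damaged = bytearray(archive.read_bytes())
        damaged[-1] ^= 0xFF  # simulate a single corrupted byte on the backup medium
        archive.write_bytes(bytes(damaged))
        return {"archive": archive.name, "fresh_ok": fresh_ok, "damaged_ok": verify_backup(archive)}


if __name__ == "__main__":
    print(demo())
```

Run `verify_backup` on a schedule against the copy that lives off the machine, not the one just written, since that is the copy a restore would actually use; the question "how do I keep my backups secure?" is answered outside this code (encrypted, access-controlled storage for both the archive and its manifest).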

Read more about data loss prevention.

Software vulnerabilities – Update, update, update

Most of the time, vulnerabilities in operating systems (OS) and software applications are known to their developers before they are known to the general public, and, since their PR is on the line, they will send out patches as soon as possible. Spending just an hour a month looking over the updates of all the software you use is time well spent, as it allows you to always run the latest security patches. Similarly, most major operating systems have mechanisms to ensure that security-related updates are installed automatically as soon as they become available.

People – Educate them

As most studies and surveys find, people (i.e. employees, co-workers) are often still the weak link in the cybersecurity chain. Maintaining security is a group effort and any person not pulling their weight can result in the whole thing crashing down. Therefore it is crucial that every person in your organization knows

  • what a ‘strong’ password looks like,
  • how to identify a phishing email,
  • why two-factor authentication is better,
  • etc.

In this process, it’s easy to overlook the IT-savvy people because you assume “they know better”. But a mistake is easy to make and you never know what a person doesn’t know.

Specifically for IT, make sure they employ the principle of least privilege (to reduce your ‘surface area’), without risking a single point of failure. The cybergods enjoy karma and always ensure that things break just as the one person responsible is unavailable.

Read more about the power of strong passwords & cybersecurity.

The principle of least privilege means giving users limited access to only those rights that they must have in order to do their job

Dylan Eikelenboom
Security officer at IXON

Monitoring – Big brother is watching

Being in the Cloud means everything is always on and available to everyone. This is obviously the worst-case scenario from a cybersecurity perspective. The only way to counteract this is to make sure you know as much as possible about what is happening in and on your servers. This means monitoring processes, network traffic, commands being executed, and more.

The pitfall here is that monitoring things without a founded basis (i.e. a good reason) just leads to data being dumped on the metaphorical data mountain. You must make sure that everything you are monitoring plays a role in determining how healthy your systems are.
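What "monitoring with a founded basis" can look like for one log source, as an added example that is not from the article or from IXON. It reads sshd and sudo lines in the usual syslog layout (the sample lines, host name, user names and addresses are constructed; 203.0.113.0/24 again stands in for company HQ) and keeps only three signals, each tied to a question you can act on: repeated login failures from one source, a successful login from a network the firewall policy says should not reach the host, and the privileged commands that were run. Everything else in the log is deliberately not collected.

```python
"""Turn raw sshd/sudo log lines into the few signals worth acting on (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample in syslog layout. 198.51.100.7 is not a network we expect SSH
# logins from; 203.0.113.0/24 stands in for company HQ.
SAMPLE_LOG = """\
Jan 28 09:12:01 gw01 sshd[1203]: Accepted publickey for ops from 203.0.113.10 port 50122 ssh2: ED25519 SHA256:constructed
Jan 28 09:15:44 gw01 sshd[1240]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jan 28 09:15:46 gw01 sshd[1240]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jan 28 09:15:49 gw01 sshd[1244]: Failed password for invalid user admin from 198.51.100.7 port 41010 ssh2
Jan 28 09:15:52 gw01 sshd[1244]: Failed password for invalid user admin from 198.51.100.7 port 41010 ssh2
Jan 28 09:20:03 gw01 sshd[1301]: Accepted password for ops from 198.51.100.7 port 41100 ssh2
Jan 28 09:21:10 gw01 sudo:      ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl restart gateway
Jan 28 09:30:00 gw01 CRON[1400]: (root) CMD (/usr/local/bin/rotate-logs)
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")


def analyse(log_text: str, allowed_nets, fail_threshold: int = 3) -> dict:
    """Reduce a log to: sources hammering the login prompt, logins from unexpected
    networks, and the privileged commands run. allowed_nets lists the networks
    that the firewall policy permits SSH from."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    failures = Counter()
    logins, commands, alerts = [], [], []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            logins.append((user, ip, method))
        elif m := SUDO.search(line):
            commands.append((m.group(1), m.group(2).strip()))
    # signal 1: a single source repeatedly failing to log in
    brute = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    for ip, n in brute.items():
        alerts.append(f"{n} failed SSH logins from {ip}")
    # signal 2: a successful login from a network the policy says should not reach us,
    # and the worst case: success from a source that was failing moments earlier
    unexpected = []
    for user, ip, method in logins:
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            unexpected.append((user, ip, method))
            alerts.append(f"SSH {method} login for {user} from unexpected source {ip}")
        if ip in brute:
            alerts.append(f"login for {user} from {ip} after {brute[ip]} failures: "
                          "treat the account's password as compromised")
    # signal 3: privileged commands, kept as an inventory rather than an alert
    return {"brute_force": brute, "unexpected_logins": unexpected,
            "commands": commands, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, ["203.0.113.0/24"])["alerts"]:
        print(alert)
```

The `allowed_nets` argument is meant to be the same list that feeds the firewall rules, so that the monitoring checks the firewall's promise rather than restating it; a login from outside that list means either the firewall policy drifted or the host is reachable by a path you did not know about.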

Vulnerability testing – Know your weaknesses

Maintaining cybersecurity is an active verb, meaning it requires a continuous commitment. You cannot set up a technically sound system and just ignore it for a few years and assume it will stay safe. Therefore it is critical to know when, where and how your systems are vulnerable to exploitation. 

Most commonly, penetration testing is advised: a group of white-hat hackers is given the freedom to try to exploit your system (ethically) and report their findings. This is perfect not only for discovering your flaws but also for assessing how ‘mature’ your system is from a cybersecurity perspective. However, the big downside is that this can be quite expensive.

Luckily, for those of you who cannot afford to spend several thousand {insert currency} on a full-fledged pentest, there are alternatives which offer some of the benefits at a fraction of the cost. Automated internal and external vulnerability testing is available from a variety of parties, with prices ranging from free to a couple of dollars per server per month. These services run a whole suite of tests to see if a server is susceptible to common vulnerabilities and gather everything in an easy-to-read report. You can even repeat the tests after fixing the vulnerabilities, or after deploying a major architecture change, to see if your system is still safe. 

Read more about Securing your IoT devices.

Access rights – Choose wisely

Just as Karen in accounting can bring the whole thing down by clicking on that sketchy email attachment, you also need to be vigilant about whom you give your data to. Hosting a modern IoT platform means requesting services from a lot of different vendors: hosting providers, email servers, monitoring tools, programming libraries, etc.

You can have the best cybersecurity suite known to man, with perfect real-time monitoring, ironclad firewalls and employees that can quote all of Bruce Schneier’s (renowned security technologist) books in their sleep – but a cybersecurity flaw in THEIR system ultimately comes back to haunt you. You should always demand adequate cybersecurity practices for each service provider you employ. 

Redundancy – Ensuring availability

Note: most of the above suggestions are primarily concerned with the confidentiality and integrity of the data in your systems. If availability (or ‘uptime’ of the IoT environment) is especially important, also consider making your systems redundant with high-availability or automatic failover. 

Get your free IoT security checklist

To help you secure your enterprise and IoT applications, we listed all topics in this checklist. Download it here!
