Security has been important to human society for a long, long time. But as time passed, what needed security and how it was secured have changed drastically. Within the last human lifespan, a new form of security has emerged—cybersecurity—which is changing more rapidly than traditional security ever did. Hacking has evolved from replicating dial-up tones to make long-distance calls for free, to executing sophisticated nation-state-sponsored campaigns over the course of months.
Every new technology and technology trend represents a new attack surface—or a change in the existing attack surface—for malicious actors. The figurative king of current technology trends is the Internet of Things (IoT), a term used to describe the devices now being connected to the Internet in numbers so large the human brain literally cannot comprehend them. During 2020, an estimated 31 billion devices will have been installed and connected to the Internet. If each of those devices were one grain of rice long and arranged in a line, the line would wrap around the earth’s equator nearly six times. The same trend is occurring within industrial systems, where it is termed the Industrial Internet of Things (IIoT). That massive influx of devices certainly affects the attack surface for malicious actors, and the way we secure those systems—but how?
Experts are currently grappling with this exact question. In fact, the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) are considering expanding the ISA/IEC 62443 series of cybersecurity standards for industrial control systems with standards specifically for guiding security implementations for IIoT systems.
If that occurs, many meetings and discussions will be held to develop a consensus-driven answer to the question. In the meantime, certain truths can be agreed upon. Chief among those is that IIoT, and the enhanced connectivity it causes, blurs the lines between systems—physically, geographically, and logically in the network. Securing the perimeter of a system is no longer sufficient; defense in depth must be used.
In essence, building a wall for the attacker to climb over is not the right approach—a "moat" is needed, so wide and with mud so thick that attackers cannot run through it. That approach requires a combination of foundational system design practices (such as segmenting and filtering traffic within a network), advanced security technologies (such as intrusion detection systems), cybersecurity training and awareness for everyone from the operator to the executive, and policies and processes for maintaining the systems and security programs. Ultimately, proper IIoT security is a combination of all security best practices developed to date, applied consistently and uniformly throughout the enterprise.
This article is a product of the International Society of Automation (ISA) Smart Manufacturing & IIoT Division.