At CISO Platform Annual Summit 2017, we had a panel discussion on the topic of Top Threats & Controls for IIoT Security, including industry stalwart like Bithal Bhardwaj (CISO, GE), Jayant Gupta (DGM IS, Hindustan Petroleum Corporation Limited), Durga Prasad Dube (Senior Vice President, Reliance Industries Ltd), Santhosh Srinivasan(Director - IT Services, Flextronics), and Arnab Chattopadhayay (Senior Director, Capgemini).
Key Learning - Top Threats & Controls for IIoT Security
Difference between Industrial IoT (IIoT) vs. (IoT) Internet of Things
One perspective is to think of the Industrial Internet of Things (IIoT) as connecting machines and devices in industries such as oil and gas, power generation, and healthcare, where there is more at stake or where system failures and unplanned downtime can result in life-threatening or high-risk situations.
On the other hand, the Internet of Things (IoT) tend to include consumer-level devices such as heart monitoring fitness bands or smart home appliances. They are functional and can provide conveniences but do not typically create emergency situations if downtime were to occur.
From the discussion, panel has concluded some of the Top Threats & Controls for IIoT Security as following:
Risks and security imperatives in Industrial IoT
- Operational Technology (OT) control systems are increasingly being connected to the internet and outside world, exposing them to the risk they were never designed to protect against.
- Physical security on the periphery of industrial assets alone does not reduce the risks any longer and the industry that uses OT control systems should have layered cyber controls.
- Securing OT is about protecting control over the cyber physical consequences. The goal is to protect people, production, and assets.
- IT in all companies have been connected to wild world of internet for a while now and our enterprise security controls have matured over time. Typical cybersecurity posture in IT or enterprise space is focused on data protection (CIA). However, same is not true for OT (Operational technology) that runs factories and plants. OT has not gone through learning cycles like IT. In factories, you will find lot of aged infrastructure … systems that were not meant to be connected to the outside world.
- OT is all about very Safe, very Efficient, Productive systems & processes with long lived missions. So downtimes or regular patching unlike IT are rare. Vulnerabilities here can stay for a very long time.
- In OT world, while attack vectors might be same but consequences are different…. so industrial cybersecurity needs very specialized approach to protect it.