Oryx Fairbanks profile picture

Oryx Fairbanks

Marketing Manager

Friday, November 22, 2019

The Ins and Outs of IIoT Compliance

 

Cybersecurity compliance standards are designed to protect people, their data, and the smart devices that transmit that data from the many threats made possible by the internet. These standards are essential to maintaining data confidentiality, and have traditionally regulated computers, network devices such as routers, and network-connected devices such as scanners.

But as more and more traditionally “dumb” devices are connected to the internet with the growth of the industrial internet of things (IIoT), meeting compliance standards is becoming even more important — and complicated. This article will serve as an introduction to compliance in the age of the IIoT and how to reduce cyber risk.

 

What Is the IIoT?

The industrial internet of things encompasses all the industrial devices — ranging from objects and machines to vehicles and entire buildings — that contain sensors and collect and share data via wireless network connections. The IIoT offers many benefits across all industries, including:

  • Monitoring and metrics: IIoT devices monitor, collect, and present data that people can then analyze and use to reduce waste, improve efficiency, and make intelligent business decisions.
  • Interconnectivity and automation: IIoT devices are interconnected, communicating with one another and working together as a system. This interconnectivity opens the door for automation of business processes, reducing and potentially even eliminating the need for human input.
  • Remote control: When human input is necessary, it can often be provided virtually, as the the IIoT enables remote access. Remote access allows people to work on the go, respond to issues in real time, and avoid having to physically work in hazardous or uncomfortable environments.
  • Ease of use: IIoT devices are designed to facilitate workflows and make tasks easier. To that end, they tend to have simple and intuitive interfaces that are usable for IT experts and non-experts alike.
 

How the IIoT Complicates Cybersecurity

While creating a system of interconnected smart devices offers many benefits, it also makes cybersecurity increasingly complicated. Increasing the number of connected devices also increases the points of vulnerability and the opportunities for the following issues

  • Hacking: Hacking occurs when remote control falls into the wrong hands. If the appropriate security measures are not in place, unauthorized users may be able to take over your devices. 

  • Surveillance: The monitoring and data collection that IIoT devices perform can quickly turn from helpful to harmful when the information goes to an unauthorized third party.

  • Faster and cascading issues: An interconnected system like the IIoT is a series of dependencies. When an issue occurs in such a system, it affects the neighboring stages of automation, compounding the error each time it expands and potentially rendering the entire system vulnerable. Cascading issues are difficult to prevent because they escalate so quickly.

The cybersecurity risks associated with the IIoT, then, are great. When put in the real-world context of business operations, they could result in:

  • Data breaches: Any device in your network that is not secured is a gateway for unauthorized third parties to achieve further access. A data breach occurs when confidential, sensitive, or similarly protected information — such as personally identifiable information (PII), personal health information (PHI), intellectual property, or trade secrets — is disclosed or accessed without authorization.

  • Unauthorized data mining: Unauthorized third parties can also utilize vulnerable devices to access your network, collect the data gathered by your IIoT devices, and either use it for their own gain or sell it. 

  • Physical damage: Devices that are capable of changing the physical environment (such as a furnace, HVAC unit, pressure gauge, or security door) present an even greater risk when they’re connected to the internet: If able to access them, hackers can alter their settings to the extent that they cause physical damage.

Access to every single IIoT device must be restricted appropriately to prevent the above scenarios, all of which can have costly and potentially even hazardous consequences. This is where IIoT compliance standards come in, to regulate or incentivize the ways in which organizations protect themselves from cyber attacks.

 

IT Security Standards

 

Retail

All companies that accept, process, store, or transmit credit card information are subject to the Payment Card Industry Data Security Standard (PCI DSS). This set of security standards requires retailers to maintain a secure environment by protecting cardholder data, encrypting data during transmission, and restricting both digital and physical access to data.

The PCI DSS has been in effect since 2006, and noncompliance penalties can be high (between $5,000 and $100,000). Although these fines are originally assigned to the acquiring bank, they are generally passed along to the merchant itself eventually.

Despite these deterrents, and the fact that companies’ reputations and customer trust are on the line, data breaches still occur. Target’s 2014 cyber attack is just one example: The company’s point-of-sale terminals were infected with malware, leading to the theft of 40 million credit and debit card accounts and the information (such as names, phone numbers, email addresses, and physical addresses) of an additional 70 million people.

> Read about how Tempered Networks facilitates PCI DSS compliance.

 

Energy & Utilities

The North American Electric Reliability Corporation (NERC) developed its Critical Infrastructure Protection (CIP) Standards to require utilities to maintain a minimum level of security. This mandatory plan covers the protection of critical cyber assets and the security of all electronic perimeters with the following nine standards:

  1. Sabotage Reporting

  2. Critical Cyber-Asset Identification

  3. Security Management Controls

  4. Personnel and Training

  5. Electronic Security Perimeter

  6. Physical Security of Critical Cyber-Assets

  7. Systems Security and Management

  8. Incident Reporting and Response Planning

  9. Recovery Plans for Critical Cyber-Assets

Data breaches are always costly to address, but are especially so for energy and utility providers: In 2016, utilities worldwide paid an average of $3.5 million for each data breach. That number increases to $7.4 million for U.S.-based companies.

> Read about how Tempered Networks facilitates NERC CIP compliance.

 

Health Care

The Health Insurance Portability and Accountability Act (HIPAA) requires all health care businesses to ensure the security of all connected medical devices and the privacy of all user data. Noncompliance can result in regulatory fines of up to $1.5 million, as well as civil and criminal prosecution.

But with health care’s increasing adoption of technology, complying with HIPAA is a complicated endeavor. Nearly 32 million patient records were compromised in the first half of 2019 alone, which is more than twice the amount that were breached in all of 2018.

A 2017 study found that 53% of protected health information breaches originated inside the organization, suggesting that the industry has a long way to go toward ensuring compliance and security.

[Related: Protecting Hospitals From a Nightmare Cyberattack]

 

Finance

The U.S. Securities and Exchange Commission (SEC) offers cybersecurity guidance to aid market participants (such as investment companies and advisers, broker-dealers, and exchanges) in protecting their customers from cyber threats. Because the SEC has civil law authority, it’s also able to watch over market participants and issue cyber enforcement actions against any wrongdoers, thus protecting investors and incentivizing fair practices.

Nevertheless, businesses in the financial industry are 300 times more likely to experience a cybersecurity breach than those in other industries. Cybersecurity breaches are also the most expensive for the financial industry, at an average of $18.28 million per breach in 2017. As more and more IIoT devices are introduced into the financial sector, these numbers are likely to keep rising if businesses don’t take more serious measures to secure their networks.

 

Manufacturing and Other Sectors

President Obama issued Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) in 2013 to help ensure the reliability of critical infrastructure in the U.S. This order instructed the National Institute of Standards and Technology (NIST) to develop a voluntary framework that organizations can follow to reduce cyber risks to their critical infrastructure.

Although the Cybersecurity Framework that NIST created applies to all sectors, it also includes a Manufacturing Profile that outlines innovative ways to reduce risk that align with manufacturing-specific goals and best practices. 

The Manufacturing Profile doesn’t hold anyone accountable for noncompliance, but suppliers have good reason to comply: The high use of robotics and other IIoT devices in the manufacturing industry make it especially vulnerable to attacks. In fact, manufacturing-related data breaches made up more than one-third of all reported data breaches in the United States in 2017 (620 out of a total of 1,579 reported breaches). 

Every breach could mean the loss of multiple contracts, business relationships, and future prospects.

> Read about how Tempered Networks facilitates NIST compliance. 

 

Why Traditional IT Methods Aren’t Enough

While many are quick to point fingers at the businesses themselves for failing to secure their networks, it’s also true that traditional security methods aren’t enough to address the complexity of IIoT cybersecurity. The IIoT has grown rapidly and will continue to expand, and businesses can’t expect traditional IT methods to continue to suffice.

First of all, traditional measures such as firewalls and VPNs become too complex, inconvenient, and expensive for the industrial internet of things, which encompasses billions of connected devices and thus many easy entryways into each network. 

And second, these solutions simply don’t work anymore: Whereas firewalls and VPNs were somewhat effective security solutions before the eruption of the IIoT, the growing number of endpoints that are being connected has created mobility and security issues that these traditional solutions weren’t designed to address. Solutions designed for earlier generations of malware won’t stand up to the much larger and ever growing IIoT threat environment.

How to Ensure IIoT Compliance & Reduce Cyber Risk

 

Implement Software-Defined Networking

The industrial internet of things requires security measures that were designed specifically for IIoT threats, and businesses in a variety of industries are finding such a solution in the Airwall™ from Tempered Networks.

The Airwall employs software-defined networking and a zero-trust data layer to separate identity and location and protect and cloak any connected endpoint — any IIoT endpoint, virtual machine, server, client, or cloud instance on any private, public, cloud, or mobile-based network.

The purpose-built IIoT solution does this by moving the network boundary and security perimeter from the edge of the network to the edges of the individual machines, preventing both east-west and north-south attacks. Because the Airwall abstracts the IP addresses and uses cryptographic identities to encrypt and secure all traffic, unauthenticated systems are unable to break the perimeter.

Essentially, the Airwall acts as a cloaking device that makes your network segment invisible to unauthorized third parties.

These effective cybersecurity risk management practices protect the availability, confidentiality, and integrity of your business’s (and customers’) data and make it simple to meet IIoT compliance requirements. Even compliance and security audits are quick and easy, as Tempered Networks’ Visual Trust Map gives you greater control and visibility of your network, enabling you to validate communication policy between protected machines instantly.

 

Create a Contingency Plan

Meeting IIoT compliance standards with strong security measures should protect you from threats, but prepared businesses will have a contingency plan in place just in case. Two important elements of a cybersecurity contingency plan include cloud-based disaster recovery and a business continuity platform (BCP). 

Cloud-based disaster recovery (or cloud DR) is a strategy that involves maintaining backups of electronic records in a secure cloud environment. In the event of a data breach or other failure, the business can recover the lost data quickly and cost-effectively. 

Business continuity platforms allow businesses to seamlessly switch to backup servers if their main site is attacked or fails, ensuring that the user experience is not interrupted. A seamless transition helps minimize damage to a business’s image if an issue with the main interface arises.

Additional components of a cybersecurity contingency plan include practices such as developing a chain of command, isolating the infected devices or the entire network to prevent malware from spreading, and reporting the incident to the appropriate parties.

 

Stay Up-to-Date and Agile

The industrial internet of things is nowhere near done evolving, and as it continues to grow more expansive and complex, IIoT compliance standards will follow suit. 

Stay on top of the compliance standards related to your industry and be ready to hit the ground running when changes are implemented. As technology begins to progress more and more rapidly, you’ll have more advances to adapt to and less time to adapt to each of them. 

While a software-defined networking solution should prevent you from having to use your contingency plan, both components are crucial to minimize cyber risk. Covering all your bases will allow you to make the most of the many benefits of the IIoT, without having to deal with the potentially catastrophic consequences of inadequate cybersecurity.

Featured image via Pixabay