Lives are at stake, and it’s imperative for critical infrastructure to boost their IoT security

The Industrial Internet of Things (IIoT) trend has benefited various industries, including critical infrastructure. Yet migrating operations to IP also introduces cybersecurity risks, which can greatly impact the everyday life given the role critical infrastructure plays in the society. Strong cybersecurity measures therefore must be in place to protect end user entities as well as the public.
 
The US Department of Homeland Security divides critical infrastructure into 16 sectors, among them chemicals, dam, energy, nuclear reactors and water and waste water systems. As you can see, these sectors deal with matters that affect people’s daily life. Water dams, for example, ensure that people get enough water supplies. Power grids, meanwhile, provide electricity that’s vital for the society to function.
 
To optimize management and operational efficiency, critical infrastructure is increasingly migrating to IIoT, which is all about connected sensors and the data they generate. Temperature sensors at power plant sites transmit data to the supervisory control and data acquisition (SCADA) system for remote monitoring. Sensors attached to machines and equipment can detect abnormalities and allow for predictive maintenance.
 
While these bring certain benefits, they give rise to cybersecurity issues as well. Hackers can exploit vulnerabilities found in industrial control systems, SCADA systems and other IoT devices, for example, to launch attacks. And results could be devastating.
 
Just in February, a hacker breached the systems of Oldsmar water plant in Florida, trying to increase the sodium hydroxide level in water 100-fold, which had the potential to poison the entire community. Then, the 2015 Ukraine power grid cyberattack, which began with a malware that gained access to the system via phishing e-mails, left 30 substations switched off and about 230,000 people without electricity for a period from 1 to 6 hours.
 
The above examples, and numerous others, demonstrate if not well protected, critical infrastructure facilities are as vulnerable to cyberattacks as any other end user entity, except a critical infrastructure breach can be life-threatening. That said, IoT security best practices must be implemented to protect both the facility itself as well as the community it serves. Below are some of the best practices to follow.
 

Use strong passwords

 
Protection begins at the simplest level of changing default passwords, using strong ones and not sharing them. “One item for consideration is the default account and passwords that are supplied with IoT and networking devices. Once installed, users should change the default setting to a higher level of security,” said a blogpost by US Center for Internet Security (CIS), using the water dam sector as an example. “Don’t utilize the same password across your personal and business accounts. If you do, and the password is compromised by a public portal, it can be used to access a private business portal. The attacker could gain access to more than just your email account. Based on your role within the organization, the hacker could have compromised the methods to affect the dam, its controls, and the safeguards of those who could be at potential risk.”
 

Segregate networks and apply firewalls

 
Restricting data access based on roles is extremely important. Measures need to be taken to ensure data is not accessed by those who are not authorized. “Classify IT assets, data, and personnel into specific groups, and restrict access to these groups,” according to the Water Sector Cybersecurity Brief by the US Environmental Protection Agency. “Role-based controls will grant or deny access to network resources based on job functions.”
 

Monitor for and apply IT system patches and updates

 
Whenever an IoT device vulnerability is detected, the vendor will send a patch to correct it. It’s then important for the user to stay aware and install patches when necessary. “Keep your machine ‘clean’ with current patches and updated anti-malware software. Making your machine secure helps make sure nefarious programs are not utilizing this resource to exhaustion,” CIS said.
 

Encrypt data

 
Data encryption is needed to render data at rest or in-motion undecipherable if intercepted. “Apply encryption software to your hard drive as a security precaution. This will maintain the confidentiality of your data. It will also preserve its integrity so it won’t be altered or accessed if it is out of your possession,” CIS said.
 

Develop a response plan

 
Should an attack happen, a response plan should be in place to help contain the attack and minimize damage. “Create a formal guide that is trained and tested, or develop red team exercises that issue alerts. Some response activities may be automatically enabled when certain conditions or thresholds are reached,” CIS said. “Whether for a business, a supply chain, or as an individual, having a step-by-step assessment guide to walk through actions is key. It can help reduce the impact of an incident and minimize its overall detrimental effect on ‘normal’ operations.”
 

Stay alert constantly

 
A disaster could be prevented by as simple a method as not opening a suspicious-looking e-mail. It’s also a good idea for employees to get some basic knowledge on cybersecurity. “Opening an email that looks enticing can have detrimental consequences. Vigilance is required from all who utilize internet connected technologies,” CST said.