Securing Industrial Control Systems and IIoT Amid a Growing Threat Landscape
It is no longer a question of whether a device or sensor is connected – it’s about who can access the operational data it generates and how to keep that device or sensor secure. This imperative underpins the converged systems that form the backbone of our critical infrastructure.
Earlier this week, I had the privilege of speaking at SecurityWeek’s Industrial Control Systems (ICS) Cyber Security Conference in Atlanta, GA. The event brought together the front‑line defenders of the IIoT – operators and IT partners working with SCADA, plant control systems, PLCs, and other industrial control environments. Coinciding with National Cyber Security Awareness Month, the conference spotlighted the critical need to protect the industries that sustain our society: defense, power generation, transmission, water utilities, chemicals, oil & gas, pipelines, data centers, medical devices, and more.
Every new sensor or device that joins the network expands the attack surface to an unprecedented depth and breadth. IIoT isn’t just a handful of connected gadgets; it’s a complex ecosystem of digital sensors, controllers, machines, software, and mobile devices that drive the very fabric of modern society. Securing these connections is therefore an ever‑growing challenge.
Equally important is the third‑party ecosystem that fuels the digital industrial environment. Manufacturers, distributors, and service providers of the components that make up ICC and IIoT – including the converging ICT – are integral to the system’s life cycle. Securing this ecosystem is essential for delivering assurance to critical infrastructure.
Securing the Third‑Party Ecosystem
Control systems, devices, and sensors are highly variable and often customized for specialized data feeds and operational requirements. For instance, the energy sector’s control systems have unique operating tolerances and peak‑demand metrics that are far different from those in a connected health‑care environment. Consequently, the management and controls of these diverse systems vary widely.
According to a recent EE Times article, “Why is the IIoT so vulnerable to cyberattacks?”, a key driver of this “perfect storm” is the patchwork of OT and control systems from multiple vendors, many running proprietary and non‑updatable software. Human‑machine interfaces, remote terminal units, SCADA masters, and PLCs all coexist in a maze of configurations, raising the question: how do you manage security in such an environment?
When addressing the third‑party ecosystem, I recommend five essential steps:
- Step 1: Identify the ecosystem members, understand what they provide, and assess their potential impact on your ICs or IIoT security.
- Step 2: Evaluate how these partners embed security into the solutions that become part of your operating systems.
- Step 3: Implement an architecture that governs device communication – apply segmentation and least‑privilege access principles.
- Step 4: Verify that third‑party components operate within your defined security tolerance levels.
- Step 5: Engage with, and influence, the policies, standards, and guidance that shape ICs, IIoT, and their ecosystems, such as ANSI/ISA‑62443‑4‑1‑2018, NISTIR Draft 8228, and NERC CIP 013‑1.
Public and private sectors are launching initiatives to address these risks. The U.S. Department of Homeland Security is about to launch its ICT Supply Chain Task Force, underscoring the critical importance of securing the entire lifecycle of digital devices in our infrastructure. This collaborative effort offers a hopeful path forward, bringing together diverse industries to confront the expanding threat landscape and the growing third‑party ecosystem.
For ICs operators, IIoT users, and manufacturers, understanding who and what composes your third‑party ecosystem is more crucial than ever. Comprehensive security across this ecosystem is paramount. Engage with industry peers, stay informed, and collaborate across sectors to achieve collective success.
Additional reading on securing critical infrastructure, ICs and the IIoT:
- Securing Critical Infrastructure in the Digital Age
- Laying the Foundation to Secure Critical Infrastructure – Don’t Let the Lights Go Out on Critical Infrastructure Security
Internet of Things Technology
- DDS Foundation Unveiled: Strengthening DDS Standard and Community for the Industrial IoT
- Ensuring Continuous Health of Your IIoT Systems
- Industrial Internet Security Framework: Safeguarding IIoT Systems – Why It Matters
- A Practical Taxonomy for Industrial Internet of Things (IIoT) Systems
- Strengthening IIoT Asset Tracking: Proven Security Practices
- Securing Your IoT Ecosystem: Expert Strategies to Counter Ransomware and Cyber Threats
- Securing the IoT: Proactive Strategies to Beat Emerging Threats
- Industrial Control System Security, Medical Devices, and Hidden Cyber Threats
- ICS Security Checklist: 8 Proven Steps to Protect Industrial Control Systems
- Is Security the Biggest Threat to Industrial IoT?