To make sure the Industrial Internet of Things (IIoT) is as secure as it can be, it needs to be secured at the endpoint level. There’s just one problem though: what is an endpoint, anyway?
A survey of more than 200 industrial executives from the SANS Institute concludes that while security of endpoints is the primary concern for IIoT, having a relatively small number of connected devices does not mean you have a manageable amount of endpoints to consider.
40% of respondents said they had fewer than 100 connected devices, but as the report explains: “A device manufacturer may consider the single, embedded sensor or actuator as the IIoT endpoint, while a system integrator may define that endpoint as a collection of such devices serving a particular function within a larger subsystem. The asset owner may consider an endpoint as a more complex system that is masked behind a gateway or edge device, such as a wind turbine or cooling tower.”
In other words, your definition of an endpoint may differ from others. But what needs to be done? With an expected growth of 10%-25% in connected devices among respondents, the pressure is on to act now. One in three IIoT devices connect directly to the internet, bypassing traditional IT security, while two in five (40%) said identifying, tracking and managing devices represented a ‘significant’ security challenge.
According to the report, organisations need to come up with a standardised definition of what the endpoint constitutes – reasonable enough – as well as explore convergence, both from a technological perspective and from marrying up IT and OT expectations. “As IT/OT operational convergence starts to overcome differences, even today, it’s not unusual for other differences in language, risk tolerance and perceptions of the threat landscape to show themselves when comparing the proverbial top floor and shop floor of many of today’s companies,” the report notes.
“The discrepancy in defining IIoT endpoints is the basis for some of the confusion surrounding responsibility for IIoT security,” said Doug Wylie, director of the industrials and infrastructure business portfolio at SANS Institute. “Many practitioners likely are not adequately identifying and managing the numerous assets that in some way connect to networks – and present a danger to their organisations.
“For this reason, it is important for company IT and OT groups to agree to a common definition to help ensure they adequately identify security risks as they evolve their systems to adapt to new architectural models,” Wylie added.
You can read the full report here (pdf).
Rojenx is a leading concept artist who work appears in games and publications
Check out his personal gallery here