02 April 2024

After Shadow IT, now the danger of Shadow OT is lurking

By Eric ten Bos, co-founder & technical lead of the Thales Cyber OT Convergence Center (OTCC)

The industrial internet of things (IIoT) supports businesses in optimising processes, reducing costs, and improving efficiency. Though IIoT applications have many advantages, they also entail security risks. A security incident results in production downtime, loss of data, or even physical damage. This is why it is crucial for companies to focus on the security of IIoT systems.

IIoT makes it possible to monitor and manage machines, systems, and processes in an unprecedented manner. This enables companies to optimise their production processes and respond faster to changes in the market. An important catalyst for IIoT is the rise of 5G. With 5G, you can collect and process large volumes of data in real time. As a result, organisations can deploy IIoT solutions on a large scale, and the integration of IIoT into existing business processes becomes easier. Machine-to-machine communication is less impeded by limited bandwidth, for example. Organisations are also able to develop mobile IIoT solutions, such as drones or autonomous vehicles. Think of trolleys (automated guided vehicles, AGVs) in the big logistics distribution centres. IIoT is a striking example of the digital dilemma: business innovation versus cyber threats. The challenge is now to use the new EU NIS2 Directive as a framework for the safe implementation of business innovations.

Shadow OT
You can imagine that technological infrastructure becomes vulnerable as ever more devices, machines and, for example, vehicles are connected (wirelessly) to each other. All these devices have to be managed and controlled, to ensure that no vulnerabilities will arise that can be exploited by cyber attackers. Operating systems have to be up to date, firmware has to be state of the art, and access control has to be in place. Practice shows that the number of unmanaged devices, mainly IIoT, is growing at many companies. Sometimes, we see devices that have been installed by employees themselves. This is often cheap technology with a questionable security level. Because most of the time this has not been coordinated with IT, you can call it Shadow OT. In the past, we were - and sometimes we still are - confronted with Shadow IT when employees deployed cloud solutions for sharing information. Now, we see the same thing happening with operational technology in the IIoT environment.

By doing this, organisations are in violation of the provisions of the NIS2 Directive. Though the NIS2 Directive is not specifically aimed at IIoT security, the provisions of the Directive are relevant for organisations that use IIoT systems. Companies that are active in critical sectors and use IIoT systems are obliged to comply with the NIS2 Directive and take adequate measures to protect their systems.

Better protection of IIoT
Companies that are dealing with various machines and devices that are not managed properly have to take measures to protect their IIoT systems better. Consider the following steps:

  • Identify and list the IIoT devices and machines.
    Make sure that, as an organisation, you have a complete overview of all IIoT devices and machines that are connected to the network. This includes identifying the device type, the operating system, the software version, the firmware, and other relevant information. With this information you can identify potential vulnerabilities and find solutions to remedy them.
  • Limit access to IIoT systems.
    Organisations have to limit access to IIoT systems to authorised users only. This can be done by setting up strong authentication and authorisation mechanisms, such as passwords, certificates, or biometric verification. Multi-factor authentication is an essential part of this.
  • Install updates and patches on a regular basis.
    It seems self-evident, but this is often a source of trouble: make sure that updates and patches are installed on a regular basis for all IIoT devices and machines. Implement, for example, an automated patch management process, to ensure that all IIoT devices are updated as soon as an update or patch becomes available.
  • Secure the communication between IIoT devices and machines.
    See to it that the communication between IIoT devices and machines is secure and cannot be intercepted. This can be achieved by end-to-end encryption, through which data are encrypted before sending and decrypted after receipt.
  • Implement security monitoring and examine new IIoT applications for cyber threats.
    A security operations centre will help you implement security monitoring to detect and respond to possible security incidents, 24/7. This includes monitoring IIoT devices and machines to look for unusual activity and suspicious patterns on the network. This also includes a response plan for security incidents, so that action can be taken quickly in the case of an incident. And especially because you have to prevent production coming to a standstill, it is advisable to have a computer emergency response team (CERT) to fall back on.
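
As an added illustration of the inventory, patching and monitoring steps (not code from the article or from Thales), the following Python example reconciles a managed asset register against devices seen by passive network monitoring, and reports unmanaged "Shadow OT" devices, registered devices that were not seen, and firmware that lags the approved version. The CSV columns, MAC addresses and version numbers are constructed sample data.

```python
import csv
import io

# Constructed sample: the managed asset register (device type, OS, firmware).
INVENTORY_CSV = """mac,device_type,os,firmware,approved_firmware
02:00:00:aa:01:01,PLC,vendor-rtos,2.4.1,2.4.1
02:00:00:aa:01:02,HMI,Windows 10 IoT,1.9.0,1.10.0
02:00:00:aa:02:01,AGV controller,Linux,5.2.0,5.2.0
"""

# Constructed sample: devices observed on the OT network by passive monitoring.
OBSERVED_CSV = """mac,ip,first_seen
02:00:00:AA:01:01,10.20.0.11,2024-03-01
02-00-00-aa-01-02,10.20.0.12,2024-03-01
02:00:00:aa:03:07,10.20.0.87,2024-03-28
"""

def norm_mac(mac):
    """Normalise case and separator so both sources compare equal."""
    return mac.strip().lower().replace("-", ":")

def load(text):
    """Parse CSV text into a dict keyed by normalised MAC address."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def version_tuple(version):
    """Compare '1.9.0' < '1.10.0' numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def reconcile(inventory, observed):
    """Return MACs per finding: shadow, not_seen and outdated firmware."""
    return {
        # On the network but never registered: candidate Shadow OT.
        "shadow": sorted(m for m in observed if m not in inventory),
        # Registered but not observed: offline, moved or decommissioned.
        "not_seen": sorted(m for m in inventory if m not in observed),
        # Registered firmware older than the approved version.
        "outdated": sorted(
            m for m, r in inventory.items()
            if version_tuple(r["firmware"]) < version_tuple(r["approved_firmware"])
        ),
    }

if __name__ == "__main__":
    report = reconcile(load(INVENTORY_CSV), load(OBSERVED_CSV))
    for finding, macs in report.items():
        print(f"{finding}: {', '.join(macs) or 'none'}")
```
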

As an organisation, it is not difficult to include a chapter on cyber measures in every new project plan in which IIoT is implemented. This way, you embed the measures as described above in everyday practice and safeguard the continuity of digital resilience.

You can assume that every larger production environment or industrial player will fall under NIS2, even if they did not fall under NIS1. Organisations that already make significant use of IIoT solutions are well advised to conduct an assessment of the status of their security. Parties that are on the brink of this step, on the other hand, can benefit from the fact that they can embed the principles of NIS2 into their architecture. This makes them secure by design, which is a good starting point for digital resilience. This is how you prevent Shadow OT.