
Taking a Comprehensive, Layered Approach to Securing the Internet of Things

By the year 2020, the Internet of Things could connect 50 billion or more smart objects worldwide. Cars, cameras, phones, refrigerators, televisions, clocks, stoplights, thermometers, power transformers: approximately 6.5 devices for every person on Earth. There are high hopes that this new infrastructure will help transform raw data into wisdom, increasing operational efficiency and driving innovative business models that were never before possible.

At the same time, however, the Internet of Things has already begun to add more complexity to existing industrial networks. The move toward pervasive sensing has created a torrent of data flowing between the process and business domains, which often must travel great distances across diverse physical media. This presents a daunting list of new challenges, say Jeff Aboud and Surja Chatterjea of Cisco Systems, who discussed the Internet of Things and security today at the 2014 Emerson Global Users Exchange in Stuttgart.

"The Internet of Things creates a much broader 'attack surface.' Each of the billions of connected devices is now a potential target," explained Aboud. "The diversity of the threats also increases with the variety of objects, many of which are not in secure locations. More sensitive data flowing through more connected devices heightens the risk of an infection having a greater impact. All of this means that we will need to think very differently about security."

As an example of a novel security risk, Aboud pointed to USB flash memory sticks, which many organizations use without realizing that they pose a threat at all. In the past two years, 70 percent of businesses surveyed have traced the loss of sensitive or confidential information to USB memory sticks. More than half of those incidents were likely related to infected devices that introduced malicious code into corporate networks.

"To be clear, the 'things' are not the problem," Aboud said. "It's the fact that in an IoT environment, we need to look beyond physical safety and security and begin implementing cyber security solutions to protect the network from attack. Simply air-gapping systems from the Internet is no longer enough. We need to begin thinking about the objects as a whole."

In process plants, existing network security should be supplemented with device-level anti-tampering measures to protect against low-tech attacks, Aboud continued. Physical security functions, such as badge readers, IP cameras, and video surveillance, should be integrated with virtual network security to help monitor assets, data, and employees.

The entire network should then be protected with perimeter security solutions, such as a firewall and intrusion prevention system. In some cases, using a single remote control center to monitor multiple sites can provide early awareness of potential incidents and simplify security management while lowering costs.

"A common IT security technology is network admission control, whereby devices are authenticated and profiled as they access the network," said Chatterjea. "Today this technology is used for providing secure access to devices in wired and wireless environments. As the Internet of Things becomes more popular, IoT firms will be able to translate this technology to OT environments. Networks will be able to profile and authorize OT endpoints as soon as they are connected."

"When developing a security strategy for an IoT application, we need to take a fresh approach, rather than just trying to use an old solution to fix a new challenge," Chatterjea concluded. "To counteract the increased risk, networks should consider adopting an 'attack/security continuum' as a best practice for responding to a threat before, during, and after it occurs. Since IoT is all about producing real-time intelligence, our security decisions must do the same."