Ten security golden rules for Industrial IoT solutions
Industrial digital transformation is driving changes to the Operational Technology (OT) landscape, making it more connected to the internet, IT systems and solutions. Operational Technology is the use of hardware and software to monitor and control physical assets and production operation. Industrial control systems (ICS), an element of OT, is a general term that encompasses several types of control systems and associated instrumentation used for industrial process control. As these environments continue to evolve, OT environments are leveraging more IT solutions to improve productivity and efficiency of production operations. This convergence of IT and OT systems is creating a mix of technologies that were designed to withstand hostile network environments and ones that were not, which creates risk management difficulties that need to be controlled. Industrial Internet of Things (IIoT) are systems that connect and integrates industrial control systems with enterprise systems and the internet, business processes and analytics and is a key enabler for Smart Manufacturing and Industry 4.0. It has significantly widened the array of technologies available for use in industrial environments. In this blog post, we discuss this OT/IT convergence which introduces new security risks and challenges that industrial customers must properly manage.
To help companies plan their industrial digital transformation safely and securely, AWS recommends a multi-layered approach to secure the ICS/OT, IIoT and cloud environments, which is captured in the following ten golden rules.
1. Conduct a cyber-security risk assessment using a common framework (such as MITRE ATT&CK) and use it to inform system design
- Before taking advantage of IT technologies in OT environments, conduct a cyber-security risk assessment so that the risks, gaps and vulnerabilities are fully understood and can be proactively managed. Create and maintain an up to date threat model.
- Segment industrial plant networks based on a pre-defined zoning model that includes establishment of an Industrial Demilitarized Zone (IDMZ) and control of traffic between zones, e.g. according to the Purdue Model.
- Follow the micro segmentation approach, i.e. build small islands of components within a single network that communicate only with each other and control the network traffic between segments.
- Use firewalls and unidirectional gateways to control information flow between network segments.
- Use protocol converters to convert insecure protocols to secure protocols.
- If possible, isolate safety critical networks from business and control networks.
- If you are unable to protect insecure assets, isolate or disconnect them from the network
- In addition, maintain secure network foundations in the cloud.
AWS provides the following services to help you create and maintain an adequate network segmentation and secure traffic control to and in the AWS Cloud:
- AWS Virtual Private Network (VPN) solutions establish secure connections between industrial plants and AWS global network.
- AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.
- AWS Transit Gateway connects VPCs and on-premises networks through a central hub.
- AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).
- AWS Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define.
2. Maintain an asset inventory of all connected assets and up to date network architecture
- A critical aspect of a good security program is having visibility into your entire OT/IIoT system and knowing which systems don’t support open networks and modern security controls.
- Create and maintain an asset inventory for all OT/IIoT assets which can act as system of record and single source of truth for connected assets on the shop floor along with their major characteristics such as make and model, location and their hardware and software configuration.
- Categorize them based on their function (safety critical, control, edge, etc.), if software updates can be applied to them (patchable vs non patchable), their network design (designed for open or closed networks) so that you are aware of their criticality and their ability to support modern security controls so compensating controls can be installed to mitigate risk if needed.
- Create and maintain an up to date network architecture showing how these assets are interconnected along with their relationships (asset hierarchies) and conduct a network security architecture review.
- Consider consolidating OT/IIoT asset information into your enterprise asset management system.
AWS provides the following assets and services to help you create and maintain a connected asset inventory:
- AWS IoT Device Management for devices connected to AWS IoT.
- AWS Systems Manager Inventory for cloud instances and on-premises computers.
3. Provision modern IIoT devices and systems with unique identities and credentials and apply authentication and access control mechanisms
- Assign unique identities to modern IIoT devices such that when a device connects to other devices or cloud services, it must establish trust by authenticating using principals such as X.509 certificates, security tokens or other credentials.
- Create mechanisms to facilitate the generation, distribution, rotation, and revocation of credentials.
- Establish Root of Trust by using hardware-protected modules such as Trusted Platform Modules (TPMs) if available on the device.
- Ensure least privilege access controls for OT/IIoT devices, edge gateways and agent software accessing local and cloud resources.
- Avoid hard coding or storing credentials & secrets locally on OT/IIoT devices.
AWS provides the following assets and services to help you provision and secure modern IIoT assets:
- Security and Identity for AWS IoT
- Amazon Cognito is a service that provides authentication, authorization, and user management for your web and mobile apps.
- AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely.
- Device authentication and authorization for AWS IoT Greengrass.
- AWS Secrets Manager is a service that can be used to securely store and manage secrets in the cloud and encrypts the secrets using AWS KMS.
- AWS Key Management Service (KMS) enables you to easily create and control the keys used for cryptographic operations in the cloud.
4. Prioritize and implement OT and IIoT specific patch management and define appropriate update mechanisms for software and firmware updates
- As the adoption and complexity of software increases, so does the number of defects, some of which will be exploitable vulnerabilities. While eliminating vulnerabilities, prioritize by criticality (CVSS score, for example) by patching the most critical assets first.
- Have a mechanism to push software and firmware to devices in the field to patch security vulnerabilities and improve device functionality.
- Verify the integrity of the software before starting to run it ensuring that it comes from a reliable source (signed by the vendor) and that it is obtained in a secure manner.
- Employ authentication and access controls on deployment artifact repositories and their distribution systems.
- Maintain an inventory of the deployed software across your OT/IIoT system, including versions and patch status.
- Monitor status of deployments throughout your OT/IIoT system and investigate any failed or stalled deployments.
- Maintain notification mechanisms to immediately alert stakeholders when your infrastructure can’t deploy security updates to your fleet.
- Create mechanisms to identify, network isolate and/or replace legacy devices and IIoT systems that are not capable of receiving updates.
- Perform deployment of patches for the OT/IIoT devices only after testing the patches in a test environment before implementing them in production.
AWS provides the following assets and services to help you organize and maintain a continuous development and deployment pipeline:
- Amazon FreeRTOS Over-the-Air (OTA) Updates
- AWS IoT Greengrass Core Software OTA Updates
- AWS IoT jobs to define a set of remote operations that you send to and execute on one or more devices connected to AWS IoT.
- AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates such as operating systems and applications.
5. Secure manufacturing data at the edge and in the cloud by encrypting data at rest and create mechanisms for secure data sharing, governance and sovereignty
- Identify and classify data collected throughout your IIoT system based on the earlier risk analysis.
- Monitor the production data at rest to identify potential unauthorized data modification.
- Apply access controls using least privilege principle and monitor/audit data access.
- Access controls should also be applied at the connectivity layer using security appliances such as firewalls or unidirectional network devices or data diodes.
- Identify and execute on opportunities to stop collecting unused data or adjusting their granularity and retention time.
- Consider privacy and transparency expectations of your customers and corresponding legal requirements in the jurisdictions where you manufacture, distribute, and operate your IoT devices and systems.
AWS provides the following assets and services to help you secure manufacturing data at the edge and cloud:
- AWS Shared Responsibility Model for security and compliance.
- AWS Data Privacy
- AWS Compliance Programs and Offerings
- AWS Compliance Solutions Guide
- AWS KMS enables you to easily create and control the keys used for cryptographic operations in the cloud.
- Data protection in AWS IoT SiteWise
- Amazon Macie to discover and protect sensitive IIoT data at scale.
6. Whenever possible, encrypt all data in transit, including sensor/device data, administration, provisioning and deployments and when using insecure industrial protocols, convert insecure protocols into standardized and secure protocols as close to the source as possible
- Protect the confidentiality and integrity of inbound and outbound network communication channels that you use for data transfers, monitoring, administration, provisioning, and deployments by selecting modern internet native cryptographic network protocols.
- If possible, limit the number of protocols implemented within a given environment and disable default network services that are unused.
- Select the newer version of industrial protocols which offer security features and configure the highest level of encryption available when using ICS protocols such as CIP Security, Modbus Secure and OPC UA.
- When using secure industrial protocols is not an option, tighten the trust boundary using a protocol converter to translate the insecure protocol to a secure protocol as close to the data source as possible. Alternatively, segregate the plant network into smaller cell/area zones by grouping ICS devices into functional areas to limit the scope and area of insecure communications. Use unidirectional gateways and data diodes for one-way data flow and specialized firewall and inspection products that understand ICS protocols to inspect traffic entering and leaving cell/area zones and can detect anomalous behavior in the control network.
- When network segmentation/segregation is not an option with insecure controllers/protocols, then network isolate or disconnect those insecure systems from the network.
- Have a mechanism to identify and disable vulnerable wireless networks on the shop floor which get installed during proof of concepts, prototypes, etc. often without the necessary security approvals.
AWS provides the following assets and services to help with secure network communications:
- AWS IoT SDKs to help you securely and quickly connect devices to AWS IoT.
- FreeRTOS Libraries for networking and security in embedded applications.
- Security best practices for AWS IoT SiteWise
7. Harden all connected resources and especially internet connected resources and establish secure connections to cloud services and secure remote access to on-premises resources
- Internet connected network resources such as IIoT devices and Edge Gateways need to be hardened per NIST guidelines.
- Use device certificates and temporary credentials instead of long term credentials to access AWS Cloud services and secure device credentials at rest using mechanisms such as a dedicated crypto element or secure flash.
- Use on-premises managed infrastructure solutions to simplify management and monitoring.
- Establish a mechanism for bidirectional communication to remote devices over a secure connection.
- Establish secure connections to cloud services and monitor these connections.
- Regularly review and identify attack surface minimization opportunities as your IIoT system evolves.
- Use physical enclosures to protect OT/IIoT assets.
AWS provides the following assets and services to help secure cloud connected network resources and securely manage on-premises computing resources:
- NIST Guide to General Server Security
- AWS IoT Greengrass hardware security
- Working with secrets at the edge.
- AWS Systems Manager provides you with a centralized and consistent way to gather operational insights and carry out routine management tasks.
- AWS Outposts is a fully managed hybrid solution that extends the AWS Cloud to the on-premises environment, bringing the same AWS infrastructure, services, APIs, management tools, support and operating model as the AWS Cloud.
- AWS Snow Family provides highly secure portable devices to collect and process data at the edge.
- Secure Tunneling for AWS IoT Device Management to access IIoT devices behind restricted firewalls at remote sites for troubleshooting, configuration updates, and other operational tasks.
- Plant network to Amazon VPC connectivity options.
- AWS IoT Greengrass connecting to AWS IoT Core using port 443 or through a network proxy as an additional security measure.
8. Deploy security auditing and monitoring mechanisms across OT and IIoT and centrally manage security alerts across OT/IIoT and cloud
- Deploy auditing and monitoring mechanisms to continuously collect and report activity metrics and logs from across your OT/IIoT system.
- Implement a monitoring solution in the OT and IIoT environments to create an industrial network traffic baseline and monitor anomalies and adherence to the baseline.
- Perform periodic reviews of network logs, access control privileges and asset configurations.
- Collect security logs and analyze them in real-time using dedicated tools, for example, security information and event management (SIEM) class solutions such as within a security operation center (SOC).
- Continuously check that your security controls and systems are intact by explicitly testing them.
AWS provides the following assets and services to help you monitor your security at varying levels:
- AWS IoT Device Defender to monitor and audit your fleet of IoT devices.
- Monitoring AWS IoT with CloudWatch Logs to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service.
- Logging AWS IoT API Calls with AWS CloudTrail to provide a record of actions taken by a user, a role, or an AWS service in AWS IoT.
- Monitoring with AWS IoT Greengrass logs
- AWS Config to assess, audit, and evaluate the configurations of your AWS resources.
- Amazon GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
- AWS Security Hub to automate AWS security checks and centralize security alerts.
9. Create incident response playbooks, and build automation as your security response matures to contain events and return to a known good state
- Maintain and regularly exercise a security incident response plan to test monitoring functionality.
- Collect security logs and analyze them in real-time using automated tooling. Build playbooks of unexpected findings.
- Create an incident response playbook with clearly understood roles and responsibilities.
- Test incident response procedures on a periodic basis.
- As procedures become more stable, automate their execution but maintain human interaction. As the automated procedures are validated, automate what triggers their execution.
AWS provides the following assets and services to help you monitor and create incident response playbooks:
- AWS Security Incident Response Guide
- AWS Systems Manager provides a centralized and consistent way to gather operational insights and carry out routine management tasks.
10. Create a business continuity and recovery plan including a plan for backups and cybersecurity testing
- Focus on ensuring resilience of Industry 4.0 systems by creating a business continuity plan and disaster recovery plan. Test the plans periodically and adapt them according to lessons learnt from tests and actual security incidents.
- In business continuity and recovery plans, include third party aspects.
- Define important parameters for your company’s business continuity, such as a recovery time objective (RTO), recovery point objective (RPO), etc.
- Use resiliency features at the edge to support data resiliency and backup needs.
- Use cloud services for backup and business continuity.
- Conduct cyber security testing across OT and IIoT periodically to test devices and OT systems, Edge Gateways, networks and communication and cloud services.
AWS provides the following assets and services to help with backup, recovery and cybersecurity testing:
- AWS Well Architected Framework, IoT Lens to design, deploy, and architect IIoT workloads aligned with architectural best practices.
- Resilience in AWS IoT Greengrass to help support data resiliency and backup needs.
- Backup and Restore Use Cases with AWS
- CloudEndure Disaster Recovery for fast and reliable recovery into AWS.
- AWS Backup to centrally manage and automate backups across AWS services.
This blog post reviewed some of the best practices for keeping your IIoT infrastructure secure using AWS’s multilayered security approach and comprehensive security services and features. AWS’s industrial IoT security is built on open standards and well recognized cyber security frameworks. Industrial companies have lots of choices with AWS security services and the flexibility to choose from a network of security focused partner solutions for IIoT workloads offered by AWS Security Competency Partners. AWS provides customers with an easier, faster and more cost-effective path towards comprehensive, continuous and scalable IIoT security, compliance and governance solutions. To learn more, go to AWS Industrial Internet of Things and AWS Security Best Practices for Manufacturing OT.
About the author
Ryan Dsouza is a Global Solutions Architect for Industrial IoT (IIoT) at Amazon Web Services (AWS). Based in New York City, Ryan helps customers architect, develop and operate secure, scalable and highly innovative solutions using the breadth and depth of AWS platform capabilities to deliver measurable business outcomes. Ryan has over 25 years’ experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and IIoT security across a diverse range of industries. Prior to AWS, Ryan worked in Accenture, SIEMENS, General Electric, IBM and AECOM, serving customers with their digital transformation initiatives.