Securing IIoT with Privileged Access Management

The recent growth of the Internet of Things (IoT) and its industrial-driven subset, the aptly-named Industrial IoT (IIoT), has been staggering. Growth projections, too, are staggering as better IT-OT connectivity, sensors, and control devices continue to generate more and more use cases for implementations across manufacturing, transportation, and many more industries.

As IIoT Grows, IIoT Devices Proliferate

As the use cases for Industrial IoT are so wide-ranging, so too must be the systems implemented in order to make use of a vast array of sensors and control systems. Connected OT (Operational Technology) enables industrial organizations to boost efficiency, optimize production, and improve processes. Offering a significant reduction in costs and increases in productivity, it’s no wonder OT-IT connections are experiencing exponential growth. An IIoT implementation in a factory, for example, might entail the use of thousands – or even tens of thousands – of connected devices, while an IIoT system designed for use in monitoring controlling a high-speed rail network will require a dense array of devices generating an equally dense amount of data.

As IIoT Devices Proliferate, Cyberthreat Exposure Grows

But as the amount of connected devices grows, so does exposure to a cyberthreat, as each device becomes a potential entryway for those bent on gaining access to data and systems, whether it be for financial gain or simply to wreak havoc. The potential for damage, if access to privileged resources is gained, is monumental in terms of not only financial costs but also the possibility that human life could be placed at risk if safety systems are compromised.

And aside from the easy-to-imagine ways in which hackers could directly inflict damage via attacking IIoT implementations, there is also the very real possibility that once hackers have penetrated a system via IIoT devices they will not only have control of the devices but also be able to move laterally within the IT network. That is, although an IIoT device might be the entry point, clever hackers might easily be able to jump from that device to other resources on the system, such as databases and servers.

As the number of connected, IoT devices grows, so too does exposure to cyberthreat.

IIoT Requires Privileged Access Management at All Levels

Thus, the cybersecurity team for any organization looking to implement an IIoT solution needs to consider not only how to directly secure the myriad devices they will be using, but also to look thoroughly at the defenses they are providing for all of the privileged resources that lie beyond the devices on the network. In both cases, what is needed is a solid understanding and application of Privileged Access Management (PAM), including the key principle of Least Privilege, married with real-time monitoring and control.

In IIoT, Devices are Users, Too

PAM employs the Least Privilege principle by helping to ensure that users can only access the minimum number of sensitive resources necessary to accomplish a legitimate task – and only under the right circumstances. That is, during limited times or with limited scope of authorized actions. What’s especially important for teams charged with IIoT security to understand is that the “users” of their system will not necessarily always be “people.” That is, particularly for IIoT systems with automated control devices, those devices themselves may have access to privileged resources – and will need to be monitored and controlled in the same way that humans are. By ensuring that system components are subject to the same PAM principles as are humans (only necessary resources, accessed in only the right circumstances) IT admins responsible for OT-IT cybersecurity will shut down the potential threat represented by all of their connected devices.

PAM Should be Used to Lock Down the Entire System

Ensuring that proper PAM controls are in place internally will help to prevent any lateral moves of a hacker inside of a system, should they eventually be able to gain access through an IIoT device. Again, it’s the application of principles of access control and Least Privilege at work: It’s unlikely that a vibration monitor on a factory floor, for example, will ever need to access a customer database – and a proper PAM solution makes all extraneous resources invisible to a user that doesn’t need to access them. PAM and Least Privilege combine to define to a granular level what privileged access is necessary and when.

Automated Session Monitoring a Must for Large-Scale Deployments

In all cases, a robust PAM solution will also perform real-time monitoring of all privileged sessions to ensure that any attempted access to critical resources is recorded, but also flagged or even terminated if the attempted actions are unauthorized. These two capabilities – the management of privileged access as well as real-time monitoring – are of vital importance in securing IIoT solutions, where security teams could not possibly hope to manage and monitor thousands of devices and all of their attendant traffic without a centralized solution to help them do so.

IIoT is still in its infancy, and will only continue to grow. But so, too, will the opportunities for exploitation on the part of bad actors. But by designing IIoT implementations in accordance with PAM principles, and by applying strong PAM solutions to IIoT implementations, the exploitation can be minimized – and the benefits of IIoT be truly realized.