(Part 2 of our 3 part 2024 Summer IoT Security Series)
Once a new CPS/IoT system is deployed, secured, and delivering the business value you intended it to, it’s time to focus on keeping that system operational and secured. In working with large-scale customers across multiple verticals Viakoo has seen what works (and what doesn’t) in terms of maintaining security; here are some of the key best practices that you should be aware of:
- Automation is key, because IoT/OT/ICS systems have a massive difference in scale compared to traditional IT systems. Whether it is asset discovery, threat assessment, performance monitoring, or compliance reporting, using automated methods to perform those tasks is key.
- Work with the Information Security (InfoSec) team to ensure that the internal team or service provider are following all the existing corporate governance rules around cybersecurity.
- Train employees ASAP on the ongoing security needs and issues of a new IoT, OT, or CPS deployment.
- Give critical systems the special attention on security that they deserve. Have a security policy in place specific to such systems, including regular review and auditing of system access, incidents, and vendor security alerts.
- Work with the IT team to ensure that the network is secure and is regularly tested to ensure its integrity, and that security application logins can be authenticated to the organizations identity management systems.
- Deploying a service assurance solution so that ongoing performance and operational integrity can be assessed. Beyond just is a device working or not, this security data can be analyzed to determine if it has been tampered with or replaced (by a deepfake), or otherwise impacted by a malicious hacker.
- Whether it is contracted out to a managed security service provider (MSSP) or performed by an internal team, there should be a plan to update firmware when it is made available by the manufacturer (not on a set schedule), and likewise be able to rotate passwords on demand.
- Scheduling and tracking of when passwords and certificates are due to rotated or updated is critical for maintaining the protection these measures offer. Having an automated system that triggers alerts when these actions are needed is ideal, but even a calendar and spreadsheet approach can be used to ensure these do not get out of date.
- Issue relevant reports to other parts of the organization related to CPS and IoT system security, and ask for their input on ways to improve. For example, your Procurement team knowing what devices or systems are going end-of-life can give them an advantage in negotiating with vendors and ensuring new systems are compliant out-of-the-box with your requirements.
- Share information on your IoT security journey with other companies in your industry, and ideally at conference and other public forums.
Any additional tips you’ve used to improve IoT security when maintaining and managing CPS/IoT systems or devices? Feel free to add to the comments section below. Check out the next in our Summer IoT Security Series on training needed for the security of CPS and IoT systems.