Cybersecurity is an ongoing concern for just about every organization, and it can be a challenge to keep up with evolving threats and best practices. Wireless sensor networks for equipment monitoring and access control can help industrial manufacturers, foodservice providers and other businesses work more efficiently and more safely, but those IoT devices must also comply with security best practices.
Here are some of the most common questions I hear about securing IIoT sensor systems and the security practices my organization recommends, in addition to basic security steps such as requiring strong, unique user passwords and putting safeguards on changes to users’ contact information.
What about hardware security?
Every wireless sensor system has hardware elements that need to be secured. The sensors themselves and the on-site gateway that receives their data should be linked securely and exclusively to prevent interference from other systems nearby and to prevent deliberate eavesdropping or network access by people without permission. Most of us are familiar with this concept from our wireless data networks at home.
The principle here is the same. For example, a set of wireless vibration sensors attached to production line equipment should only be able to communicate with the gateway to which they are digitally linked, not the gateway in the factory across the street. Likewise, the gateway should refuse to connect to any sensors that are connected to another gateway, even if the sensors are within range.
What about data interception?
As data streams from sensors to the gateway, the gateway periodically transmits it to the cloud. This transmission could be vulnerable to attack if:
- Outside devices are able to connect with the gateway.
- The gateway operates outside a firewall.
- The data isn’t encrypted before it’s sent.
A secure gateway will be configured to refuse incoming connection requests from devices outside its sensor network. The gateway should also be designed to work within the customer’s firewalled network, with the ability to reach out via a specific port to the external IP address where it sends its data.
To prevent eavesdropping and man-in-the-middle attacks, every transmission of sensor network data from the gateway to the cloud should be encrypted and sent over a secure connection. For example, the Advanced Encryption Standard (AES) used by government and industry is effective at protecting IIoT data transmissions that are sent via Secure Sockets Layer (SSL).
Can other devices contact the sensor data cloud?
Ideally, no. Cloud access for wireless IoT sensor data should only be granted to the client’s registered gateways. The cloud should reject connection requests from everything else. These measures can prevent other devices from communicating with the cloud and potentially extracting sensitive or proprietary data or corrupting it.
What about access via third-party apps?
A well-designed IIoT sensor system will have a secure dashboard that connects users to their data in the cloud. However, APIs are a must for clients that need to build custom applications to work with the cloud data from their sensor networks.
The network provider should have an approved API that clients can use for customization, and that API should follow the REST standard for endpoint security management. Clients using the API should also be given a unique, secure API key to use in conjunction with a valid username and password to access account data.
The security protection shouldn’t stop there: the cloud server should then send the user a time-limited authorization token to use in data requests. This can prevent ongoing access to the network’s data in the unlikely event that both the user’s credentials and the API key are later compromised.
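The flow described above, sketched as an added example (not code from any vendor's API): the server checks username, password and API key together, then issues an HMAC-signed token that stops working after a fixed lifetime. The account name, secret handling, 900-second lifetime and token layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_SECRET = secrets.token_bytes(32)  # signing key held only by the cloud (assumed)
TOKEN_TTL = 900                          # token lifetime in seconds (assumed value)

def _hash_pw(password, salt):
    # Salted password hash, as the cloud would store it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; a real store would live in a database.
_SALT = secrets.token_bytes(16)
ACCOUNTS = {"shift.manager": {"salt": _SALT,
                              "pw": _hash_pw("correct horse", _SALT),
                              "api_key": secrets.token_hex(16)}}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(username, password, api_key, now=None):
    """Return a signed token only if username, password and API key all match."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    pw_ok = hmac.compare_digest(_hash_pw(password, acct["salt"]), acct["pw"])
    key_ok = hmac.compare_digest(api_key.encode(), acct["api_key"].encode())
    if not (pw_ok and key_ok):
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now) + TOKEN_TTL}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, now=None):
    """Return the username for an authentic, unexpired token, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # reject before parsing claims
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return claims["sub"] if now < claims["exp"] else None
```

Data requests carry only the token, so the password and API key cross the wire once per session, and a captured token is useless after it expires.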
What about access control?
Protecting access to data in the cloud has become a higher profile issue this year because so many organizations have moved to remote work and have had to greatly expand remote access for their employees. At the same time, the percentage of data breaches involving insiders (either intentional or accidental) has been rising since 2015 and now comprises about 1/3 of all breaches.
While employees need access to some of their companies’ customer, product, legal or financial data to do their jobs, few people need access to all of it. Limiting access by employee role or by information hierarchy can protect organizations against accidental and intentional data exposure.
The same principle applies to a company’s IoT sensor network data. For example, shift managers may need access to operations, efficiency and safety data from the equipment their workers use during their shift, to see how their team is performing and where they can improve. However, those managers probably don’t need access to the entire factory’s data, nor to the analytics that show how productivity and efficiency are trending across the organization.
A well-planned IoT system will let clients control data access based on roles. Typically, these roles grant different levels of access including:
- Read data and build reports
- Manage the data dashboard, lists, notifications and sensor thresholds for alert generation, plus read data and build reports
- Manage users, Wi-Fi settings and sensors on the network, plus all other roles’ privileges
Access can also be granted by hierarchy if there are sub-accounts set up for data in different departments, subsidiaries or divisions. In that case, only users with access to multiple accounts can view the subaccounts, and then only at the level their access role allows. The client can grant, change or withdraw users’ access privileges at any time.
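An added example (not from any product's code) of how the three cumulative roles and sub-account hierarchy above can be enforced with a deny-by-default check. The role names, permission strings, account tree and users are constructed, and the rule that the nearest grant up the tree decides a user's level on a sub-account is an assumption about how the hierarchy is resolved.

```python
# The three cumulative access levels from the list above (role names are hypothetical).
VIEWER = {"read_data", "build_reports"}
MANAGER = VIEWER | {"manage_dashboard", "manage_lists",
                    "manage_notifications", "manage_thresholds"}
ADMIN = MANAGER | {"manage_users", "manage_wifi", "manage_sensors"}
ROLES = {"viewer": VIEWER, "manager": MANAGER, "admin": ADMIN}

# Constructed account tree: account -> parent account (None marks the top level).
PARENT = {"acme": None, "plant-a": "acme", "plant-b": "acme",
          "plant-a/line-1": "plant-a"}

# Constructed grants: user -> {account: role}.
GRANTS = {
    "shift.manager": {"plant-a/line-1": "viewer"},
    "plant.lead": {"plant-a": "manager"},
    "it.admin": {"acme": "admin", "plant-b": "viewer"},
}

def effective_role(user, account):
    """Walk from the account up to the root; the nearest grant wins (assumed rule)."""
    grants = GRANTS.get(user, {})
    node = account
    while node is not None:
        if node in grants:
            return grants[node]
        node = PARENT.get(node)
    return None  # no grant anywhere on the path

def is_allowed(user, account, action):
    """Deny by default: unknown accounts, users and actions are all refused."""
    if account not in PARENT:
        return False
    role = effective_role(user, account)
    return role is not None and action in ROLES[role]

def revoke(user, account):
    """Withdraw a grant; it takes effect on the next is_allowed() call."""
    GRANTS.get(user, {}).pop(account, None)
```

Grants never flow upward, so a user scoped to one production line cannot read the plant or company level.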
These aren’t the only elements that go into a secure IoT sensor system, of course. Cloud server maintenance and security updates, salting and hashing user passwords stored in the cloud, and blacklisting and deactivating gateways that are no longer in use are also critical to keeping wireless sensor networks secure.
The practices covered here are a good basic checklist for organizations that want the efficiency, productivity and safety gains that an IIoT sensor system can deliver, along with the peace of mind that comes from comprehensive security.