As a result of advances in the Industrial Internet of Things (IIoT), companies across the globe are realizing the potential of smart manufacturing and connected business models. In fact, IoT connections are projected to more than double over the coming years: from 18 billion dollars in 2024 to 39.6 billion by 2033.
While the rapid advancement of IIoT applications is exciting, it also comes with challenges, especially from a security perspective. A recent study found that over half (57 percent) of all IoT devices are vulnerable to medium- or high-severity threats and that two in five chief information security officers (CISOs) struggle to gain visibility into — and understand — their IoT deployments. A different survey found that manufacturing, which relies heavily on IoT and operational technology, now accounts for more than half (54.5 percent) of all attacks.
What’s causing these vulnerabilities and how can business units work together to mitigate them?
How IoT Devices Are Increasing the Attack Landscape
IoT devices collect vast amounts of data that can be sensitive, proprietary, and business critical. For instance, smart sensors that monitor temperature, pressure, position, speed, vibration, flow, optical qualities, and humidity collect sensitive data that provides real-time insight into industry operations.
Generally, IoT applications are part of a larger network of connected devices, and when planning to infiltrate a system, attackers look for the weakest point in the chain. Because most IoT devices are designed with functionality and cost-efficiency in mind rather than robust security features, it is no surprise that attackers might start their attempts there. Devices may be deployed in public or unsecured locations, making them easily accessible and therefore vulnerable. Hackers can target these devices not only to steal sensitive information for misuse, but also to manipulate their functionality for malicious purposes. In addition, weak identification and access controls for devices, and outdated firmware, such as firmware with communication protocols that aren’t up to date, also create vulnerabilities that can be easily exploited.
What’s most important to understand is that there are several kinds of networks, from the Internet, which is the largest and most prominent one, down to private networks that may not be connected to anything else at all. The level of security of an IoT application should match its operating network. When different networks are connected, it is especially important that a low-security IoT device cannot be used as a path into high-security areas.
Beyond exfiltrating data — an unauthorized data transfer — for ransom or public humiliation, attackers may play a long game and lurk in networks, tracking data flows over time. In industrial environments, a compromised sensor could transmit manipulated or false data, leading to incorrect maintenance actions, undetected mechanical failures, or even catastrophic breakdowns. In sectors such as oil and gas, where system integrity directly impacts safety and production, the tamper-proofing of sensors is critical.
In the medical industry, as equipment becomes smarter, it is not only possible to monitor patients, their treatment and environment, but also analyze and send data to a server for further processing. The damage that can be done by reading the communication between a medical device and a server could be catastrophic. For instance, if manipulated data is sent to the doctor to make a treatment decision for a patient based on at-home care results, the patient may be in danger.
Overall Strategies to Safeguard Assets and Mitigate Security Threats
Protecting IIoT devices and connected businesses from adversaries is a shared responsibility that starts with sensor manufacturing and extends through application design to device and network management. Companies must work closely with sensor and device manufacturers and system integrators to ensure the secure deployment, management, monitoring, and updates of devices enabling IIoT applications.
Even when an IIoT device does not store personal data, it still holds valuable information about equipment performance, process efficiency, and production schedules. Attackers engaged in industrial espionage can intercept and analyze unprotected sensor data to gain insights into proprietary operations. Vulnerabilities can also arise over time if manufacturers fail to implement strong encryption and security updates, leaving IoT devices vulnerable and their data easy to intercept.
When it comes to industrial espionage, the attacker doesn’t necessarily want the competitor to go out of business. Knowledge about already proven processes is much more valuable, especially when it comes at no cost. Therefore, governments and regulatory bodies are increasing security requirements for IoT devices, particularly in critical infrastructure sectors.
As a best practice, all IIoT ecosystem participants should monitor regulatory developments and ensure IIoT devices comply with the latest updates. These devices must comply with ISO/IEC 27000: Information Security Management, and IEC/ISA 62443: Automation and Control Systems Security standards. Beginning December 11, 2027, sensor and device manufacturers must also meet the mandatory European Union Cyber Resilience Act (CRA) requirements governing product planning, design, development, and maintenance. In the EU market, IIoT products must pass third-party assessments before they can be sold.
Additionally, sensor and device manufacturers should routinely collaborate with customers and system integrators to evaluate application requirements, identify risks, and develop secure IoT deployments by design. What’s more, IoT devices should use multi-factor authentication, certificates, and hardware tokens to protect communications among devices and between devices and the network. They should also encrypt data in transit, using algorithms such as AES-256 to prevent accidental or malicious exposure.
When setting up new equipment, users should immediately replace default credentials with strong, unique passwords for all IoT devices and regularly change them. They should also use a centralized system to manage the devices, making it easier for administrators to monitor, update, and secure devices. Additionally, devices should be set up to automatically apply security patches and firmware updates. Companies should also maintain an audit trail of all updates to ensure that devices are up to date and that updates have been successfully installed.
For supply chain teams, the compromise of components during manufacturing or distribution is becoming more common. Therefore, it’s imperative to consider cyber security not only when setting up the company’s IT network but also when developing production infrastructure, to avoid compromising sensors’ key data during the manufacturing process.
Hardware Security is a Manufacturing Must
To protect encryption keys and other sensitive data at the hardware level, IoT devices should have hardware security modules with dedicated security chips. Components should also include tamper-detection mechanisms that help prevent attackers from manipulating devices. For example, sensors can use custom-designed, multi-layer laminates to protect key areas and meet FIPS 140-2 Security Requirements for Cryptographic Modules. Any attempt to physically open or penetrate the enclosure will trigger the erasure of critical security information, such as encryption keys, or render the overall system inoperable, meeting FIPS 140-2 Level 4 physical security standards.
In addition, all devices should have unique IDs that can be tracked and authenticated, to prevent spoofing. Manufacturers should conduct penetration testing on devices to ensure they are secure before shipping and regularly conduct risk assessments to ensure device security processes align with industry best practices.
It is also recommended that IoT devices use secure boot processes to guarantee that firmware hasn’t been manipulated, and they should leverage code signing and hash functions to guarantee the authenticity of the software running on the devices. All keys, including application and session keys, should be secured to prevent misuse.
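As an added illustration (not the article's or any manufacturer's code), the boot-stage check below verifies a signed manifest, then the firmware hash, and, going one step beyond the text, refuses a rollback to an older version. To run with the standard library only, it uses a Lamport one-time signature built from SHA-256 as a stand-in for the vendor's signature scheme; the manifest layout is an assumption.

```python
import hashlib
import hmac
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def _bits(digest):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: each key pair may sign exactly one manifest.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, message):
    # Reveal one secret per bit of the message hash.
    return [sk[i][bit] for i, bit in enumerate(_bits(H(message)))]

def verify(pk, message, signature):
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(H(message))):
        ok &= hmac.compare_digest(H(signature[i]), pk[i][bit])
    return ok

def manifest(version, image):
    # Signed statement binding a 4-byte version number to the image hash.
    return version.to_bytes(4, "big") + H(image)

def boot_decision(pk, min_version, image, man, signature):
    """Check the signature first, then the image hash, then the version."""
    if len(man) != 36 or not verify(pk, man, signature):
        return "reject: manifest signature invalid"
    if not hmac.compare_digest(man[4:], H(image)):
        return "reject: image hash mismatch"
    if int.from_bytes(man[:4], "big") < min_version:
        return "reject: rollback to older version"
    return "boot"
```

Only the public key and the minimum version need to live in the device's protected storage; the signing key never leaves the build environment.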
Secure System Integration and AI Play a Key Role in Data Protection
When installing a system, IoT devices should be placed on separate networks isolated from business systems. In the event of an attack, segregation prevents attackers from moving laterally and causing more damage. In addition, integrators should use VLANs or firewalls to limit IoT device communication with other devices and network resources to what is strictly necessary.
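One way to check that the segmentation actually holds, shown as an added example that is not part of the original article: audit flow records from the IoT segment against an allowlist of the connections that are strictly necessary. The subnets, allowlist entries, and flow record format are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")

# The only (destination, protocol, port) tuples IoT devices need to reach.
ALLOWED = {
    ("10.20.0.10", "tcp", 8883),  # MQTT-over-TLS broker in the IoT segment
    ("10.20.0.11", "udp", 123),   # NTP server in the IoT segment
}

# Constructed flow records: source, destination, protocol, destination port.
FLOWS = """\
10.20.0.51 10.20.0.10 tcp 8883
10.20.0.52 10.20.0.11 udp 123
10.20.0.51 10.10.4.7 tcp 445
10.20.0.53 10.20.0.52 tcp 23
10.10.4.7 10.10.4.8 tcp 443
"""

def audit(flow_text):
    """Return (flow, reason) for each IoT-sourced flow outside the policy."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, proto, port = parts
        if ipaddress.ip_address(src) not in IOT_NET:
            continue  # this audit only covers traffic leaving IoT devices
        if (dst, proto, int(port)) in ALLOWED:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in BUSINESS_NET:
            reason = "iot-to-business"    # crosses into business systems
        elif dst_ip in IOT_NET:
            reason = "device-to-device"   # lateral traffic inside the segment
        else:
            reason = "unlisted-destination"
        findings.append((line, reason))
    return findings
```
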
System integrators should also implement strict access controls so that only authorized users or systems can access IIoT data and operations and perform pre-approved actions. IIoT applications should also use a zero-trust model, requiring every device or user to be authenticated and authorized before accessing network resources. Going a step further, it’s best that all APIs and data exchanges between devices, networks, and applications are encrypted. Attackers target APIs because they are often the weakest security link and provide access to a rich treasure trove of data.
As advancements in AI take the world by storm, system integrators can use this to their advantage. AI-powered tools, such as IoT security solutions, can create visibility into all devices connected to the network and generate risk scores to identify high and critical vulnerabilities and misconfigurations that should be prioritized for rapid remediation. Security teams can leverage AI-enabled intrusion detection systems to flag anomalous behavior for investigation. These systems assign risk scores so teams can focus on the highest-priority risks first. Effective incident response planning, including testing, is also important for responding appropriately to IoT security breaches as quickly as possible.
Security Should Be Baked Into Every IIoT Deployment
Overall, IIoT can revolutionize smart manufacturing and heavy industry processes — but only if applications and data flows are secured end-to-end. Using these strategies, business units and external stakeholders can work together to enhance the security posture of all IIoT deployments to protect them from the latest threats. By doing so, security leaders can help maintain stakeholder trust in IIoT systems and performance gains, winning support for making decisions based on the data they provide and extending IIoT deployments across operational processes and sites.
This article was written by Corneliu Tobescu, VP & CTO, TE Sensors at TE Connectivity.

