Mitigating IIoT and building management risks: where your physical security meets cybersecurity

In the current threat landscape, maintaining a resilient cybersecurity posture and mitigating risks remains a leading priority for business, IT, and physical security leaders.

For many businesses, the threat of cybercrime is compounded by the risks associated with Industrial Internet of Things (IIoT) devices and networks, which create a lucrative target for financially motivated hackers.  From HVAC and lighting controls to worker access terminals and other sensors and systems, a growing network border and footprint require modern security methods to protect them.

The typical physical security infrastructure used by most enterprises foreshadowed the rise of the Internet of Things. Many physical security systems operate a collection of remote sensors, cameras, and monitoring services that are all interconnected, working together to provide critical information back to the organization. The IoT is a modernized, results-focused, extension of business security. With these two systems merging, there are fresh risks that leaders must address to secure their operations. 

Business risks continue to grow with every step toward network extension and service automation. The list of US firms experiencing a major breach continues to rise, making now the best time to assess and enhance your defense strategies.

Security meets the IIoT

The Industrial Internet of Things (IIoT) is the hardened, enterprise-grade edition of the IoT. Deploying the latest hardware and technologies, IIoT systems support production and maintenance, as well as asset and people management. 

These systems are largely automated to handle industrial scale and are powered by robotic systems, automated supply chains, big data analytics, and machine learning. One example of this is Volkswagen’s Wolfsburg Car Factory, which is typically considered a world leader in process and production automation. Industrial IoT systems can consist of connected:

• Safety sensors for pressure, temperature, and humidity
• Quality sensors for air, water, and environmental information
• QR code scanners, bar code readers, and GPS trackers
• Smart meters and thermostats, energy monitoring systems, and HVAC control modules
• Cameras (IR and other types) and motion sensors for motion and activity detection
• Visitor management systems and biometric access control solutions
• Lighting control systems and ambient light level sensors for adaptive illumination

As part of physical security, existing facilities are connected to the IIoT infrastructure and networks. They are upgraded or replaced with cutting-edge systems to improve the efficiency, overall safety, and economics of operations. 

The vulnerabilities and risks of IIoT for security

To protect businesses from potential threats, all IIoT networks and connected systems and services should be heavily secured by physical and IT measures. As with any network and security system, these threats can come from unauthorized access, abuse tampering, or other efforts to compromise the data traveling between them. 

These risks are ever-present as external actors, internal threats, and random attackers are all capable of attempting to penetrate systems and networks. Malicious actors may try to compromise the safety and reliability of the industrial systems they control; hackers may try to hold the systems for ransom; and workers who have been negatively impacted by IIoT changes might try to compromise the system to prove a point. 

For security teams, the same risks apply. From attempts to digitally disguise people, vehicles, or workloads and their movements within the system, to efforts to steal or misuse security data, or use connected security devices as a method to hack deeper into the networks. 

The security implications of IIoT cyber threats

As with IT security, there are major implications for operators of physical security systems connected to an IIoT. Primarily, the risk of a hack or data theft exposes the business to reputational damage, and liability under various legislation (with GDPR fines of up to 4% of global turnover, or €20 million).

Perhaps the most significant impact for a business is the loss in productivity while an IIoT facility is recovered and sanitized after a hack. Alongside this is the cost of rebuilding or replacing networks, systems, and data after a breach. These costs are typically in the millions of dollars, with IBM’s Cost of a Data Breach Report 2023 highlighting an average bill of $4.45 million per hack.

To counter this, alongside the now mandatory cyber insurance, security teams must fully understand the networks they are using, and ensure full protection across every device, network, and application. You should regularly: 

• Run penetration testing using external white hat hacker teams
• Use AI tools to scan for unusual activity among your big data pools 
• Build protective measures into any self-developed application
• Use layered defenses to protect the network from all sides
• Identify and address vulnerabilities
• Update your disaster recovery plan
• Run planning sessions with your security workers to identify risks and how to respond

The security playbook and best practices

The process for securing your physical security data and systems across an IIoT begins with a complete cataloguing of all existing (and planned) systems, including where their data is stored, and what applications they communicate with. Identifying any legacy or known insecure equipment, replacing it, and checking for compatibility with IIoT systems is essential. Building an inventory of the security devices and networks in use can also enable security teams to:

• Check that data encryption and security features are enabled, with appropriate access privileges
• Ensure the latest drivers and firmware are installed on physical devices
• Check that each one is firewalled and uses secure communication protocols
• Identify who is responsible for each service and data store
• Establish how each element connects to the IIoT, and where there are any crossover use cases 

With the network and security tools in place, IT and security teams can then test it beyond reasonable doubt using external penetration testing services. Then, ensure that each of the above steps is rerun whenever there is a change in your hardware or software, and when new threats are noted. 

Beyond the physical network, the more data there is, the greater the risk. Siloed security data can also create inefficiencies and vulnerabilities. Having a unified physical security application to monitor video footage, building access, and other elements all in one place is key to maintaining control over that data. Using a physical security system and unified data service will improve operations, make for a smoother customer experience, and make it easier to react to any issues or crises, all while protecting businesses in an increasingly automated environment.