The Role of Stakeholders in IIoT Security
The Industrial Internet of Things (IIoT) continues to revolutionize industries, but with this growth comes an increased responsibility to secure these systems. During IIoT World’s ICS Cybersecurity Day, our speakers shared their perspectives on IIoT security, ranging from stakeholder responsibility to regulatory compliance and education for C-level executives. In this blog post, Eric Byres, P.Eng, ISA Fellow, Senior Vice President – Software Intelligence at Exiger, and Sid Snitkin, Vice-President of Cybersecurity Services at ARC Advisory Group, answer some of the audience questions we received during the event.
Who Bears the Responsibility for IIoT Security?
Question: In your opinion(s), who is responsible for safeguarding the security protections of IIoT? Vendors, manufacturers, government regulation, end users, etc.?
Sid Snitkin:
“I find IIoT to be a very confusing term that can mean OT systems (legacy and new) and IoT devices used by industrial companies. When it comes to legacy OT systems, the owner/operators must assume overall responsibility for securing these systems, while automation vendors are responsible for ensuring their customers receive the support they need. For new OT systems and IoT devices, the OEM should be responsible for providing and maintaining the security of their products and ensuring that their suppliers follow suit.”
Eric Byres:
“I don’t think we can point to any one group that bears most of the responsibility for the security of OT/IT/IIoT/IoT systems. These systems go through a lifecycle—from design to deployment, operation, maintenance, and eventually, retirement. The responsibility for the system’s security evolves over time. Vendors must deliver a product that can be securely deployed. Then, the design engineering company and integrator ensure that what they install starts up securely. Once the system is handed over, the owner/operator monitors and maintains the system throughout its life. Finally, the asset owner is responsible for secure decommissioning.”
Managing Multiple OT Protocols: What C-Level Executives Need to Know
Question: Is there an IDS for multiple protocols in the OT world? How do C-level executives manage all these protocols and cybersecurity?
Eric Byres:
“Yes, there are IDS solutions for multiple protocols. OT is a complex landscape with varying protocols because of its long history with different suppliers and the diverse nature of OT applications—from tank-level loop control to high-speed metal cutting machines or substations on the grid. However, C-level executives don’t need to worry about these protocols. As someone who has worked both at the C-level and in technical roles, my job now is to set security goals and objectives for my team, leaving the protocol details to the specialists.”
How C-Level Executives Are Educated on Cyber Risk
Question: Where is the C-level getting educated on cyber risk?
Eric Byres:
“In my experience, most of the time, it’s from their security teams, which has some serious risks as it limits the CxO’s ability to evaluate the information they receive. However, there are also excellent cyber events specifically focused on CISOs or CEOs/CFOs. These events are ideal as executives receive guidance and feedback from their peers, alongside briefings from industry experts.”
Compliance and Global Regulations: NIS2 and Beyond
Question: Do you think ensuring compliance with regulations similar to NIS/NIS2 would work worldwide through government auditing and penalties for breaches and non-compliance? Would this ensure C-suite backing for security controls based on risk, especially for critical infrastructure?
Eric Byres:
“Yes, I do. We’ve seen that regulations, even if only regional, like those from the US or EU, can quickly influence corporate behavior. For example, the EU’s mandate on USB-C standardization impacts global manufacturing. Likewise, regulations such as NIS2 will push companies globally to align with these standards, impacting not only OEMs but also the supply chain.”
Sid Snitkin:
“I expect global companies to incorporate these guidelines into their cybersecurity programs. Ignoring them is not practical, as products may be sold in regions where these requirements apply. These regulations primarily affect OEM product design rather than adding much cost during production.”
Best Practices for Password Management
Question: How often should passwords be changed? Can frequent changes lead to weaker security practices?
Eric Byres:
“Counterproductive security policies not based on solid science have always frustrated me, and requiring periodic password changes is one of the worst. The current NIST guideline (NIST Special Publication 800-63B) explicitly advises against forcing periodic password changes. Instead, I recommend changing passwords based on events—such as breaches or known compromises—rather than on a set schedule.”
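The event-driven password policy described above, as an added example that is not part of the original post or the speaker's material: a small Python policy check contrasting a legacy age-based reset rule with one that requires a change only when a compromise affecting the account became known after the current password was set (the account records, compromise events and helper names are constructed for illustration).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    password_set_on: date  # date the current password was set


@dataclass(frozen=True)
class CompromiseEvent:
    """A known breach or compromise affecting one account (constructed record)."""
    username: str
    observed_on: date  # date the compromise became known to the organisation
    source: str        # e.g. "breach-notification", "helpdesk-report"


def reset_due_by_schedule(acct: Account, today: date, max_age_days: int = 90) -> bool:
    """Legacy policy: force a change purely because the password is old."""
    return (today - acct.password_set_on).days >= max_age_days


def reset_due_by_event(acct: Account, events: list[CompromiseEvent]) -> bool:
    """Event-driven policy: a change is required only if a compromise affecting
    this account became known on or after the day the current password was set.
    Events older than the current password were already addressed by that change;
    a same-day event is treated conservatively, since the compromise may have
    happened before the reset."""
    return any(
        e.username == acct.username and e.observed_on >= acct.password_set_on
        for e in events
    )


def accounts_needing_reset(accounts: list[Account], events: list[CompromiseEvent],
                           today: date, max_age_days: int = 90) -> dict[str, list[str]]:
    """Evaluate both policies so the difference in who gets forced to change is visible."""
    return {
        "schedule": sorted(a.username for a in accounts
                           if reset_due_by_schedule(a, today, max_age_days)),
        "event": sorted(a.username for a in accounts
                        if reset_due_by_event(a, events)),
    }


# Constructed sample data: four accounts and three known compromise events.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", date(2024, 1, 15)),  # old password, no compromise known
    Account("bob", date(2024, 5, 20)),    # already reset after a reported compromise
    Account("carol", date(2023, 11, 2)),  # old password and a later compromise
    Account("dave", date(2024, 4, 10)),   # recent password, compromise seen afterwards
]
EVENTS = [
    CompromiseEvent("bob", date(2024, 5, 18), "helpdesk-report"),     # resolved by bob's reset
    CompromiseEvent("carol", date(2024, 3, 5), "breach-notification"),
    CompromiseEvent("dave", date(2024, 5, 28), "breach-notification"),
]

if __name__ == "__main__":
    # Age-based policy forces alice (no evidence of compromise) and misses dave;
    # the event-based policy flags exactly the accounts with post-reset compromises.
    print(accounts_needing_reset(ACCOUNTS, EVENTS, TODAY))
```

The comparison shows the two failure modes the speaker alludes to: the schedule rule forces a change on an account with no sign of compromise, while an account whose compromise surfaced inside the rotation window would wait until its next scheduled change. The event rule keys reset decisions to the evidence feed, so the quality and timeliness of that feed (breach notifications, help desk reports, credential leak monitoring) becomes the control that matters.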
Opportunities for College Students in IIoT Security
Question: Many college students majoring in cybersecurity have been told that entry into the industry is difficult. What are your recommendations?
Sid Snitkin:
“I’m surprised to hear this. Industrial operations have a significant need for cybersecurity professionals. While OT cybersecurity requires learning about manufacturing processes and technologies, these are not barriers for college students interested in the field. As operations embrace more IT, these barriers will further diminish.”
Eric Byres:
“Like Sid, I’m surprised by this comment. The labor shortage for skilled security professionals is acute. Even our small company would hire multiple graduates annually. The most important criteria were enthusiasm and hard work, not experience. We would reach out to local universities and look for their most diligent students, interviewing them for positions in our company.”
Conclusion
The panelists’ insights highlight the complex and evolving nature of IIoT security. From understanding stakeholder responsibility to navigating compliance and regulatory frameworks, these discussions provide industry professionals with valuable guidance. As companies expand their IIoT deployments, addressing these challenges with strategic, informed approaches becomes essential for securing industrial environments.