Securing IoT‌ Devices to Protect⁢ Critical Infrastructure

Updated June 03, 2025
⁣

Cyberattacks targeting critical infrastructure⁤ are on the rise, posing ⁤a significant ⁣threat to communities. A U.S. investigation revealed ⁢that a 2015 power outage ​in Ukraine was the result of a Russian state cyberattack. Since then, attacks have continued, including a 2017 ⁢attempt⁤ to infiltrate a Kansas nuclear power plant‍ and ⁤a 2021 breach of New​ York City’s subway system.

The growing ⁣number of⁣ Internet of Things (IoT) devices, especially Industrial ‌Internet⁢ of Things (IIoT) devices, expands the potential attack surface.These devices, which manage interaction networks, power grids, and chemical plants, frequently​ enough lack‌ robust ⁣security⁢ measures. While the number of IoT devices was ⁤approximately 19⁣ billion at the‍ end of 2024, experts predict it will double by 2030. This proliferation increases the risk ⁤of​ cyberattacks motivated by political or financial gain, potentially causing widespread physical damage.

Securing these devices requires a two-pronged approach:⁤ basic cybersecurity hygiene and defense in depth.

Cybersecurity Hygiene

Cybersecurity hygiene involves several key practices:

• Avoid default passwords on admin accounts.
• Regularly apply software updates to⁣ patch vulnerabilities.
• Use ⁢cryptographic signatures to validate updates.
• Understand your software⁤ supply chain, including the origin and ‍components of your software.

The U.S.⁢ government’s⁤ software Bill of ‌Materials⁢ (SBOM) initiative helps track software supply-chain provenance,identifying vulnerable packages within a device’s⁤ software. This​ allows both IIoT device suppliers and users to quickly determine if ⁣a device is susceptible to attack and take appropriate action.

Defense in Depth

Defense in depth⁣ emphasizes a‌ layered approach to security, ​rather than relying solely on perimeter defenses.‌ the National Institute of Standards and Technology (NIST) recommends a strategy​ encompassing protection, detection, and remediation.

• Protect: Use cybersecurity engineering to⁣ prevent ‌intrusions.
• Detect: Implement mechanisms to identify unexpected intrusions.
• Remediate: take action ‌to expel intruders and prevent further ⁣damage.

Systems ⁢designed for security⁢ employ a layered approach,with each layer performing an‍ integrity check on the next before starting it. ⁣The innermost layer, known⁣ as the ​Root of Trust (RoT), must be ‌implicitly trusted. Compromising the RoT can be difficult to detect without specialized hardware.

One way to ‍protect⁢ the RoT is to store its firmware in read-only memory. Newer processor chips integrate the RoT‍ directly into the hardware,⁢ making it more resistant to attacks. Remote attestation can⁢ augment ‌this process by collecting and reporting fingerprints gathered by ‍each layer during startup. Hardware components like the ​Trusted Platform ‌Module (TPM) can collect ⁤evidence in⁣ shielded‍ locations, ensuring accurate reporting.

Once an ⁤anomaly is detected, remediation can involve power-cycling the device or ⁢refreshing its software.⁣ Authenticated watchdog‍ timers and other mechanisms can also trigger a ⁣device reset ⁢if it cannot demonstrate ⁤good health.

While these security measures have been available for some time, they are becoming more accessible due to advancements in silicon ⁤vendor technology and the ⁣evolution of reliable software stacks.System integrators must require these features from their suppliers and coordinate‍ them with external ⁢resilience and monitoring mechanisms to fully leverage improved security.

What’s next

As cyber threats evolve, continuous vigilance and proactive security measures are essential to protect critical infrastructure from attacks targeting IoT and ​IIoT devices. Prioritizing cybersecurity hygiene and defense in depth will ‌be crucial in mitigating risks and ensuring the ‍resilience⁢ of essential⁣ services.