Full Report
ENISA has released a new study: “Good Practices for Security of Internet of Things in the context of Smart Manufacturing”. Kaspersky Lab ICS CERT experts contributed to the study.
Analysis Summary
# Best Practices: Security of IoT in Smart Manufacturing
## Overview
These practices address the security challenges arising from the convergence of Information Technology (IT) and Operational Technology (OT) within the Industrial IoT (IIoT) ecosystem. The goal is to secure the "Smart Factory" by protecting connected devices, data integrity, and industrial availability against cyber threats while maintaining manufacturing efficiency.
## Key Recommendations
### Immediate Actions
1. **Inventory & Asset Discovery:** Identify all connected IoT devices on the manufacturing floor. You cannot protect what you cannot see.
2. **Change Default Credentials:** Immediately rotate all factory-default passwords on industrial gateways, sensors, and controllers to unique, complex alternatives.
3. **Disable Unnecessary Services:** Turn off unused protocols (e.g., Telnet, FTP, or HTTP on devices that only require HTTPS/SSH) to reduce the attack surface.
4. **Network Segmentation (Initial):** Isolate the Guest Wi-Fi and Office IT networks from the Production OT network using a firewall.
### Short-term Improvements (1-3 months)
1. **Implement Patch Management:** Establish a schedule for firmware updates, prioritizing devices with known vulnerabilities (CVEs) while ensuring compatibility with industrial processes.
2. **Encrypted Communications:** Enable TLS/SSL for data in transit between IoT sensors and edge gateways.
3. **Physical Security Controls:** Disable unused physical ports (USB, Ethernet) on devices located in accessible areas of the factory floor.
4. **Access Control (IAM):** Implement Role-Based Access Control (RBAC) to ensure only authorized personnel can modify PLC (Programmable Logic Controller) configurations.
### Long-term Strategy (3+ months)
1. **Zero Trust Architecture:** Move toward a "never trust, always verify" model where every device request is authenticated regardless of internal network location.
2. **Continuous Monitoring & SIEM Fusion:** Integrate OT-specific security monitoring tools with the corporate Security Information and Event Management (SIEM) system for holistic visibility.
3. **Secure Lifecycle Management:** Incorporate "Security by Design" into the procurement process, requiring vendors to provide Software Bills of Materials (SBOM).
## Implementation Guidance
### For Small Organizations
- **Focus on Perimeter & Hygiene:** Prioritize robust firewalls and strict password policies. Use managed security service providers (MSSPs) if in-house expertise is lacking.
### For Medium Organizations
- **Focus on Visibility:** Deploy automated asset management tools and implement formal vulnerability management programs. Establish a basic Incident Response (IR) plan tailored to manufacturing downtime.
### For Large Enterprises
- **Focus on Orchestration:** Implement automated threat hunting, deep packet inspection (DPI) for industrial protocols (Modbus, Profinet), and establish a dedicated OT-Security Operations Center (SOC).
## Configuration Examples
* **Network Level:** Configure VLANs to separate "Sensing" layers from "Control" layers.
* **Device Level:** Enable "Secure Boot" and "Hardware Root of Trust" on IIoT gateways to prevent unauthorized firmware execution.
* **Firewall Level:** Implement a "Deny-All" default outbound rule for IoT devices, whitelisting only the specific IP addresses of the cloud/on-premise broker they must communicate with.
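The firewall-level recommendation above, as an added example that is not part of the ENISA study or the summary: it renders the "Deny-All" default for an IoT VLAN as an nftables ruleset and audits flow records against the same allow-list, so the policy and the monitoring check stay in sync. The subnet, broker addresses, port numbers and flow records are constructed for illustration.

```python
"""Deny-all egress for an IIoT VLAN: render as nftables and audit flows against it."""
import ipaddress

# Constructed values (not from the study): the sensor VLAN and the only
# MQTT-over-TLS brokers its devices may reach, as (dest ip, proto, dport).
IOT_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_BROKERS = {
    ("10.50.1.10", "tcp", 8883),    # on-premise broker
    ("203.0.113.25", "tcp", 8883),  # cloud broker (documentation address)
}

def render_nftables(subnet, brokers):
    """Build an nftables ruleset: traffic from the IoT subnet is allow-listed
    to the brokers only; everything else is logged and dropped."""
    lines = ["table inet iiot_egress {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;",
             f"    ip saddr {subnet} jump iot_out",
             "  }",
             "  chain iot_out {"]
    for ip, proto, port in sorted(brokers):
        lines.append(f"    ip daddr {ip} {proto} dport {port} accept")
    lines += ['    log prefix "iiot-egress-denied " drop', "  }", "}"]
    return "\n".join(lines)

def audit_flows(flow_lines, subnet, brokers):
    """Return the flow records originating in the IoT subnet that the policy
    would deny; flows from other subnets are outside this policy's scope."""
    denied = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        if ipaddress.ip_address(src) not in subnet:
            continue
        if (dst, proto, int(port)) not in brokers:
            denied.append(line)
    return denied

# Constructed flow records in the form "src dst proto dport".
SAMPLE_FLOWS = [
    "10.20.30.15 10.50.1.10 tcp 8883",   # sensor -> on-prem broker: allowed
    "10.20.30.15 198.51.100.7 tcp 443",  # sensor -> unknown host: denied
    "10.20.30.77 10.50.1.10 tcp 1883",   # plaintext MQTT to the broker: denied
    "192.168.5.4 198.51.100.7 tcp 443",  # office host: not governed here
]

if __name__ == "__main__":
    print(render_nftables(IOT_SUBNET, ALLOWED_BROKERS))
    for flow in audit_flows(SAMPLE_FLOWS, IOT_SUBNET, ALLOWED_BROKERS):
        print("DENIED:", flow)
```

The denied list doubles as a pre-deployment check: running it over real flow exports before enabling the drop rule shows which production traffic the allow-list would break.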
## Compliance Alignment
- **ISA/IEC 62443:** The primary international standard for the security of Industrial Automation and Control Systems (IACS).
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security.
- **ISO/IEC 27001:** Information security management systems adapted for industrial contexts.
- **ENISA Good Practices for IoT:** Technical guidelines specifically for the Smart Manufacturing environment.
## Common Pitfalls to Avoid
- **"Air-Gap" Illusion:** Assuming the factory is safe because it isn't "on the internet." Modern IIoT, 5G, and maintenance laptops bypass traditional air gaps.
- **Production Over Security:** Skipping security patches to avoid 15 minutes of downtime, leading to weeks of downtime caused by ransomware.
- **Using IT Tools in OT:** Applying aggressive IT vulnerability scanners that can inadvertently crash sensitive, older PLCs.
## Resources
- **ENISA IoT Security Search:** hxxps[://]www[.]enisa[.]europa[.]eu/topics/iot-and-smart-infrastructures
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/
- **CISA Industrial Control Systems:** hxxps[://]www[.]cisa[.]gov/ics