Are SASE and Zero Trust the Key for Manufacturers Grappling with IoT?

This blog is part of “ZTNA Partners,” a series where we take a closer look at how our partnerships protect today's hybrid workforces and environments with ZTNA 2.0.

As manufacturers dash headlong into smart factory initiatives, the number of IoT devices operating in factories, warehouses and across supply chain infrastructure is exploding. Manufacturers seek to utilize IoT in a range of places, be it video camera inspection devices on the assembly line, temperature sensors on refrigeration units or maintenance telemetry sensors on factory equipment. But as they seek to reap tremendous business gains from smart devices in industrial IoT (IIoT), they must also balance that upside against the potential risks that IIoT is increasingly introducing to manufacturing environments.

New cyber challenges are arising in the face of this explosion of IoT in manufacturing. They require organizations in this sector to design modern security architecture that can meet them head on.

Smart Manufacturing and the Rise in IoT

The consensus across recent industry studies shows that manufacturers are making big bets on smart manufacturing and IoT as the linchpins to their success in the coming years.

According to Deloitte’s 2022 Manufacturing Industry Outlook, some 45% of manufacturing executives expect increases in operational efficiency from investments in IoT that connects machines and automates processes. Meanwhile, the State of Smart Manufacturing report, published earlier this spring by Plex, found that 83% of manufacturers say that smart manufacturing is a key to their organization’s future success. Smart devices and IIoT are among the most commonly used technologies for bringing smart manufacturing to fruition. Some 49% of organizations have already deployed smart devices and 45% have put IIoT into production, with another 35% and 36%, respectively, planning to use these technologies.

This is rapidly pushing a lot of manufacturing compute out to the edge. The AT&T Cybersecurity Insights Report: Securing the Edge-A Focus on Manufacturing, AT&T’s own recent analysis conducted in partnership with IDC, found that the manufacturing vertical is one of the furthest along in implementing edge use cases. The report reveals that 78% of manufacturers globally are planning, have partially implemented or have fully implemented an edge use case (that’s ahead of energy, finance and healthcare industry organizations).

This kind of progress, noted by the report, is in sync with other industry studies watching the progress of digital transformation in manufacturing. For example, a recent study by Palo Alto Networks says the demand for secure remote access in manufacturing is rapidly outstripping other industries.

Amid many cited edge use cases, such as smart warehousing, remote operations and augmented maintenance, video-based inspection was the number one edge priority cited by manufacturing respondents to the AT&T Cybersecurity Insights Report. This is a prime example of how IIoT is being leveraged to improve efficiency, quality and speed on the factory floor while also helping manufacturers overcome workforce challenges.

Unpatchable IoT Devices Raise Manufacturing Risk Profile

Video-based inspection is also an excellent example of how IIoT devices can increase cyber risk in manufacturing environments. In use cases like this one, IoT devices are increasingly connected to OT networks and devices on the manufacturing shop floor. Simultaneously, they’re also opening up access from outside the manufacturing environment so that employees can do their work remotely. The same is true of many augmented maintenance use cases; augmented maintenance was named the number-two most common edge priority in manufacturing. This increased connectivity opens up a larger threat surface in manufacturing environments.

At the same time, many IoT devices are installed once and then infrequently or never patched again. Sometimes devices are so simplistic and unidirectional in data flow that it may be difficult to update their software remotely. Other times (as is frequently the case in the IoT camera world) device manufacturers simply don’t provide much support in updating vulnerable software. And in still more cases, the devices may have been installed as part of a package deal with very sensitive industrial machinery that has an extremely low tolerance for downtime and nearly non-existent maintenance windows for patching.

These are all likely big contributors to why only 29% of manufacturing respondents to the AT&T Insights Report said they planned to use patching as a security control to help protect components in their edge use cases. Without frequent patching, these devices are potentially big threat vectors for compromise.

“That becomes a problem for manufacturers,” says Theresa Lanowitz, head of evangelism for AT&T Cybersecurity. “It allows a hacker to potentially come into your system, move laterally and essentially go on a virtual shopping trip for pretty much anything they want inside of the network.”

“This is a challenge for manufacturers who, until recently, have primarily been used to devices and IT assets mostly running locally,” says Dharminder Debisarun, Industry Security Architect for Palo Alto Networks. Many manufacturing networks are not architected in a way that’s hardened for an attack chain that spreads laterally from an internal device.

“I’ve met with some customers where they spent millions on pilot programs for IoT and they realize, ‘Hmm, you know what, let’s not do this yet because we actually have a very open production environment, where if our IoT devices got compromised it would literally spread across the factory floor and cause massive issues in terms of production uptime,’” he explains.

This is likely why the AT&T Insights Report shows that the number one cyber attack concern for manufacturers against edge use cases is attacks against the user and endpoint devices – a worry cited by 71% of respondents. In the manufacturing setting, this worry is further complicated by the fact that, unlike IT-only environments, the ‘endpoint’ includes a wide range of IoT devices and operational technology.

SASE and Zero Trust for the Win

According to Palo Alto’s Debisarun and AT&T’s Lanowitz, the only way that manufacturers are going to overcome this big challenge of IoT in their environments is through smart use of compensating controls and effective security architecture.

Across the board, manufacturers are moving to a more modernized network with unified security. Survey results show they need to deliver positive digital experiences not only to their customers, but also to the employees on and off the shop floor. One of the key ways that leading manufacturers are securely meeting this demand is through the use of Secure Access Service Edge (SASE) architecture and Zero Trust methodologies. SASE and Zero Trust enable a network design that can securely support innovative edge use cases in the factory and beyond. SASE provides manufacturers a rapid means to secure the IoT edge and maintain flexibility of connectivity between manufacturing facilities and cloud infrastructure. SASE and Zero Trust also make it possible to introduce compensating controls that can help solve problems, such as those introduced by a threat surface expanded through increasing use of IoT. For example, the threat services of SASE can help compensate for the added risk of vulnerable, unpatched devices.

IoT use cases, like video-based inspections, are just some of the many security use cases that SASE helps manufacturers address as they move forward.

For more information, check out the AT&T Cybersecurity Insights Report Focus on Manufacturing.