In the era of Industry 4.0, where industrial control systems are becoming increasingly interconnected, the use of mobile devices, particularly Apple's iPads and iPhones, has become commonplace for managing and monitoring industrial networks. While the convenience of mobile technology is undeniable, it brings along a set of security risks that must be addressed to safeguard sensitive industrial operations.
While enjoying my morning coffee and reading through a few LinkedIn articles I came across a post from Sam Amrani which detailed his experience in getting his devices stolen in London (read here), this got me thinking about the wider issues when used for industrial purposes. When a phone is stolen in the capital every 6 minutes, when will you be losing your device?
While there are different mobile platforms, we will explore some of the potential risks associated with using Apple devices in industrial environments and looks at some of the security settings and measures to protect against unauthorised access, data theft, and device loss.
Risks of Using Mobile Devices in Industrial Networks
Unauthorised Access and Control: One of the primary risks of using mobile devices for industrial networks is the potential for unauthorised access and control. If a device falls into the wrong hands, an intruder might gain access to critical systems, leading to disruptions, data breaches, or even sabotage. Industrial facilities often rely on remote access for maintenance and monitoring, making them susceptible to cyber threats.
Data Theft and Loss: Mobile devices store a wealth of sensitive information, including login credentials, proprietary software, and operational data. If a device is stolen, the risk of data theft is substantial. This may not only compromise the security of the industrial network but also lead to unauthorised access to other services associated with the device, posing additional threats to the organisation.
Lack of Stolen Device Protection: Apple devices come with a number of built-in security features, but users often neglect to activate or configure them properly. Stolen device protection, such as Find My iPhone or Find My iPad, can be crucial in locating and remotely locking a device in the event of theft. Failure to enable these features increases the risk of data exposure and unauthorised access to industrial networks.
Content Privacy Concerns: Mobile devices may contain confidential documents, schematics, or communication logs. Without adequate content privacy restrictions, unauthorised users could easily access and exploit this information, jeopardising the integrity and confidentiality of the industrial processes.
Protecting Devices for Industrial Use
Utilise Mobile Device Management (MDM) Solutions: Mobile Device Management solutions offer centralised control over device security settings. For industrial environments, employing MDM solutions can help enforce security policies, monitor device health, and remotely manage configurations. This ensures that all devices adhere to the organisation's security standards, reducing the risk of vulnerabilities.
While third-party MDM solutions offer comprehensive device management capabilities, it is possible to still achieve a high level of security without relying on them. By leveraging the built-in security settings, utilising tools like Apple Configurator, and implementing network segmentation, organisations can strike a balance between security and simplicity.
Enable Stolen Device Protection Features: To mitigate the risk of data theft and unauthorised access, users must enable and configure stolen device protection features. For devices in the Apple ecosystem, this involves activating Find My iPhone or Find My iPad. These services allow users to locate, remotely lock, and wipe their devices, ensuring that even if a device is stolen, sensitive data remains secure.
Stolen Device Protection: When Stolen Device Protection is enabled, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work. These requirements help prevent someone who has stolen your device and knows your passcode from making critical changes to your account or device.
- Face ID or Touch ID biometric authentication: Some actions such as accessing stored passwords and credit cards require a single biometric authentication with Face ID or Touch ID, with no passcode alternative or fallback so that only you can access these features.
- Security Delay: Some security actions such as changing your Apple ID password also require you to wait an hour and then perform a second Face ID or Touch ID authentication.
In the event that your device is stolen, the security delay is designed to prevent a thief from performing critical operations so that you can mark your device as lost and make sure your Apple account is secure. Stolen Device Protection is available with iOS 17.3 and must be turned on before the device is lost or stolen. You can read more about this here.
Implement Strong Authentication Measures: Strengthening authentication measures is crucial for securing industrial networks accessed through mobile devices. Enforce the use of complex passwords, Touch ID, or Face ID to add an extra layer of protection. Additionally, consider implementing two-factor authentication (2FA) wherever possible to enhance the security of access credentials or consider 3rd party tools that address this niche issue for industrial control.
Regularly Update Operating Systems and Applications: Outdated software is a common entry point for cyber threats. Regularly updating both the device's operating system and industrial applications is essential for patching security vulnerabilities. Automated updates can be configured to ensure that devices are always running the latest, most secure software versions.
Implement Content Privacy Restrictions: To protect sensitive industrial data, configure content privacy restrictions on devices. Utilise features such as app restrictions, limiting access to only essential applications. Additionally, employ data protection settings to encrypt sensitive files and ensure that only authorised users can access critical information.
One such feature is hidden away in the Screen Time > Content & Privacy Restrictions, here we can protect our accounts and passwords from being changed unless you have a PIN code. If you set this to a different PIN to the device, you can stop anyone from changing your security ID or account settings on the device. You can read more about this here.
Educate Users on Security Best Practices: Human error remains a significant factor in security breaches. Educating users on security best practices, such as avoiding public Wi-Fi networks without using a VPN, forgetting wireless networks once these have been used, especially if this is an open access network such as a hotel chain or coffee shop, recognising phishing attempts, and reporting lost or stolen devices promptly, can significantly reduce the likelihood of security incidents.
Implementing Network Segmentation: Segregate industrial networks from general purpose networks to minimise the potential impact of a security breach. By creating isolated zones within the industrial network, organisations can limit the lateral movement of attackers and contain potential threats.
Balancing Security and Simplicity Without Third Party MDM
While the integration of mobile devices in industrial networks offers unprecedented flexibility and efficiency, it also introduces new security challenges. Understanding the risks associated with unauthorised access, data theft, and device loss is crucial for organisations relying on these devices for critical operations.
By implementing robust security settings and measures, including stolen device protection, content privacy restrictions, and regular updates, industrial facilities can significantly enhance the security posture of their mobile devices and safeguard their interconnected networks.
Hardening these devices sufficiently requires a combination of technological solutions, user education, and proactive security measures to ensure the resilience of industrial control systems in the face of evolving cyber threats.
Reducing Risk with Third Party MDM
I won’t sugarcoat this, the best way to protect mobile devices is by the use of a dedicated application stack that restricts and controls access, authentication and much more. In an ideal world, we would suggest the use of a product such as Blackberry Unified Endpoint Management, and other tools in their stack which provide situational awareness and ongoing protection, however we don’t always operate in a perfect world.
If you are one like many where MDM has not yet reached the plant floor, I hope some of these settings allow you to provide a level of protection on your asset until the business see these devices as an enterprise risk and not just operation risk.
Trusted Partner
At SolutionsPT we closely follow security trends, attending national events and share our experience with peers. We monitor industry challenges and review innovations within the IT market, selecting best in class solutions which are suitable for OT environments.
Our solutions are tested to ensure they are compatible with all the core products we offer so you can be assured they can successfully co-exist, saving you time and effort. But before you buy solutions, can you address the security gap with technology you already have in place? Is your need just training and guidance?
Why not reach out and speak to one of our security professionals to have a frank and open discussion on where you are on your journey and where you should be focusing your efforts.
