
Addressing the evolving Industrial IoT (IIoT) threat landscape through extended Edge security with Palo Alto Networks


As enterprises accelerate digital transformations by deploying private wireless networks and by integrating a growing ecosystem of connected IIoT devices, including sensors, cameras, and other machines, they must also address the widening attack surface. The number of globally connected IoT devices is expected to grow from 16.7 billion in 2024 to over 29 billion by 2027. Organizations should review their security strategy to safeguard their infrastructure, data, and operations against evolving cyber threats.

Do you know all the devices you support in your operational environment? Or the data and other devices they have access to? In the evolving industrial landscape, the proliferation of heterogeneous devices introduces complex challenges and unprecedented security risks, uniquely associated with specific devices and types. These create opportunities for cybercriminals to employ ever-more sophisticated ways to attack and gain unauthorized access to critical systems and data.

A 2024 Forrester study found that 34% of companies that experienced a breach targeting IoT devices were more likely to report cumulative breach costs between $5 million and $10 million. These figures are higher than the cumulative breach costs seen by those who experienced cyber-attacks through non-IoT devices. The cost of attacks is rising, but so is their complexity and diversity, making defense a bigger challenge going forward.

Cyberattacks increasing in complexity

The risk of cyberattack can come from many directions:

  • Supply chain attacks: These occur when bad actors exploit assets in the enterprise supply chain. In 2022, for example, a ransomware attack on a major educational institution led to the breach of sensitive research data as attackers exploited vulnerabilities in the institution's IoT-connected heating and cooling system to infiltrate the network.

  • Intra-IoT gateway (GW) lateral movement: Cyber attackers gain access to one system and move laterally within the network. Attackers can often remain undetected for some time before gaining access to other systems.

  • Lack of device visibility: You can’t protect what you can’t see. Hidden, unmanaged devices are often unpatched and run out-of-date operating systems, providing great opportunities for cyber attackers.

  • IIoT device infections: IoT devices can be shipped with vulnerabilities. As well as running outdated operating systems and being difficult to patch, they can also lack encryption. Malware infections can spread from device to device rapidly through the network if left unchecked.

So, how can you protect your wider operational technology (OT) environment?

By incorporating best practices, with the enterprise security checklist

The UK mandated cybersecurity standards for IoT devices in 2024, but more protection is needed for the OT environment as Industry 4.0 grows and devices are integrated across a trusted wireless network. Consequently, you must gain:

  • Visibility: Full visibility of all managed, unmanaged, trusted and untrusted IIoT devices connected to and sending data over the private wireless network.

  • Granularity and micro-segmentation: You must be able to define device and application access permissions to limit exposure to critical data and reduce the potential for damage through lateral movement.

  • Automation capabilities: The scale of the problem means it’s critical to leverage advanced machine learning and AI to identify threats and manage responses to protect your environment.

In private mobile networks, devices connect in two primary ways:

  1. Directly to the network when equipped with SIM/eSIM.
  2. Through cellular gateways and routers, where multiple devices share a single SIM connection.

When a device connects directly, security can be enforced at the core firewall. However, when multiple devices connect via a single SIM, enforcing security and maintaining Zero Trust principles becomes more complex, requiring advanced segmentation and policy enforcement.

Nokia: Reducing the attack surface with Palo Alto Networks PA-400R-5G series NGFW


At Nokia we have already made progress in reducing the enterprise attack surface by introducing Palo Alto Networks Next-Generation Firewall (NGFW) at the network core. The Palo Alto Networks NGFW introduced industry-leading capabilities into the operational technology (OT) environment including:

  • Zero Trust Network Access of IoT devices via Device ID-based policy enforcement.

  • Advanced Threat Protection (ATP) which blocks known and unknown threats such as malware, exploits, and command and control in real time.

  • Advanced WildFire (AWF), a cloud-based malware prevention engine that identifies unknown and highly evasive malware.

  • Advanced Domain Name System (ADNS) Security which stops emerging DNS-based attacks.

  • IoT/OT security which provides best-in-class security for the IT and OT environment.

But as the threat landscape evolved, we realized that organizations connecting heterogeneous devices to their private wireless networks needed something more. We set about extending perimeter security from the core to also encompass those IIoT devices that do not connect to the network directly. That is why we are now onboarding the Palo Alto Networks ruggedized NGFW, the PA-400R-5G series, to help ensure that enterprise critical infrastructure benefits from robust, scalable, and future-ready security, enabling seamless protection of the OT network.

Extending the highest-level perimeter security for industrial enterprises

The PA-400R-5G series extends best-in-class perimeter-level security to protect the wider OT environment from potential threats from legacy devices and untrusted third-party devices connected to the private wireless network over a cellular router. The PA-400R-5G features a cellular modem and Palo Alto Networks AI/ML Next Generation Firewall in a single device, improving efficiency, reducing complexity and lowering TCO. Organizations can now apply a zero-trust security architecture from Core to Edge.

These ruggedized next-generation firewalls deliver much-needed security to harsh industrial enterprise OT environments where a variety of IIoT devices are connected. Utility substations, power and manufacturing plants, oil and gas facilities, building management systems, and healthcare networks are among the many facilities that could leverage their capabilities. By using the PA-400R-5G series to connect all IIoT devices to the private wireless environment, enterprises can realize many benefits including:

  • Enhanced visibility of all devices, including the make, model, profile, etc.
  • A reduced attack surface through:
    • The ability to implement granular application and device-specific security policies to create rules around device access levels and more.
    • Micro-segmentation of devices to eliminate lateral movement between legacy devices.
    • Automatic quarantine of compromised devices.
  • Greater compliance with relevant industry security standards and regulations such as IEC 62443.

Delivering a trusted environment across your IIoT devices

By integrating Palo Alto Networks Next-Generation Firewall, our customers’ OT environments will benefit from the highest level of security as they connect more IIoT devices to their private cellular network. We are extending the security perimeter to enable Zero Trust principles and securing all IIoT devices through real-time threat detection and vulnerability identification, giving them the highest level of trust across the industrial OT environment.

Martin Beltrop

About Martin Beltrop

In 2019, after occupying various positions for more than 20 years at Nokia, Martin took on the role of Senior Director Portfolio Management for Nokia Enterprise. In this role, he continues to leverage Nokia's end-to-end portfolio, addressing Industry 4.0 with networking solutions that encourage safe, autonomous and connected communities. Holding an M.Sc. in Theoretical Physics from Westfälische Wilhelms-Universität in Münster, Martin brings his passion for digitization, 4IR and the possibilities of 4G and 5G technologies into his work with Nokia Enterprise.

Tweet me at @MartinBeltrop
