The C-suite is well aware of the incredible potential Internet of Things (IoT) technologies have to generate business value. However, none of it will be realized unless IT can solve the associated cybersecurity challenges first.
With 62% of manufacturers already deploying IoT across their operations, the industrial sector provides CISOs with a great starting point for best practices that will help identify and remediate threats to their businesses.
The IoT challenge: the end of the air gap
IoT is predicted to generate economic value of up to $11.1 trillion a year by 2025, so organizations that securely deploy the technology early have an opportunity to gain a significant competitive advantage. But with every IoT device representing a new attack vector that can be exploited, it’s a complex task.
According to Gartner, there will be around 20.4 billion IoT devices in use by 2020, all of which will collect and transmit data, much of it of a sensitive nature. Industrial organizations have been early adopters due to the operational efficiencies IoT enabled robotics and automation can provide. Yet a single cybersecurity breach can easily negate these benefits.
Researchers at security firm Trend Micro and Italy’s Politecnico Milano demonstrated this by hacking the kind of robotic arm commonly used in the industrial sector. They were able to cause it to insert faults into products, permanently damage itself, and even appear in safe mode when actually fully activated – an extremely dangerous scenario should someone get within its range of movement. Interestingly, we achieved similar results in test attacks on robots in Capgemini’s labs.
The sector used to depend on an approach called the ‘air gap’ – physically isolating systems from unsecured networks and public internet. This is no longer a viable approach for a number of reasons. A major issue is that consumer IoT products and trends like Bring Your Own Device (BYOD) mean that it’s become more difficult to prevent employees inadvertently bringing risk into an organization – a corrupted USB stick can be all it takes to compromise systems.
Another reason is the simple fact that modern businesses need to access the cloud to compete. Industrial manufacturers, for instance, increasingly use sophisticated equipment like robotics. If this specialist machinery breaks down, the organization most likely will not have the skills needed to fix it in-house. Instead, it is much more cost effective for a specialist engineer to run remote diagnostics via an internet connection than to travel to the site itself. This is not possible when using the air gap approach to security.
Assessing your exposure
CISOs need to be able to trust the integrity of their systems but in the age of connected tech it can be difficult to know where the vulnerabilities are. I’ve even heard accounts of plant managers inspecting machinery that, to their knowledge, was not supposed to be capable of sharing data and finding SIM cards built in enabling it to do so.
This is why the first step in addressing industrial IoT security is to conduct a comprehensive technical risk analysis including full mapping of equipment on-site. This will identify weaknesses and help IT create a plan that dictates where security efforts need to be focused. This may sound like common sense but a study from Deloitte found that almost a third of manufacturers had yet to conduct any sort of risk assessment of their industrial systems.
Cybersecurity needs to be based on accurate organization-specific insights for two key reasons. Firstly, to ensure it keeps threats out, and secondly because ill-targeted or excessive cybersecurity measures can actually degrade overall plant performance. Ultimately there’s a balance to be struck – extensive asset monitoring, for example, would effectively safeguard against threats, but is impractical and can negatively impact output across the production line.
The importance of collaboration
Following a risk assessment, the next task is to implement security measures specifically designed to defend identified vulnerabilities. When it comes to IoT devices, this can mean re-routing the access they have to wider systems, using gateways which can be more reliably secured. Further device authentication measures are required to secure communications between IoT devices and wider IT systems.
People are always one of the biggest cybersecurity threats to an organization so steps should also be taken to minimize workforce-related risks. Training is a must but organizations cannot always depend on employees to make the right decisions. That’s why it’s a good idea to deploy hardware that can scan devices like USB keys and laptops for malicious software.
Beyond specific measures like these, industrial organizations need to change the nature of the relationship they have with vendors – cybersecurity used to be a set of products you could buy, whereas today it needs to be more of an ongoing program of collaboration between businesses and technology providers. CISOs need to ensure there are contractual obligations in place for third party software and hardware vendors to provide ongoing cybersecurity support. This is essential to ensure equipment performs effectively and does not become a potential entry point for hackers.
Ongoing assessment and vigilance is paramount in the IoT era. Threats are always evolving and some are designed to lay dormant for long periods of time once they infiltrate a system. Moreover, with the EU’s General Data Protection Regulation (GDPR) now in effect, the added risk of non-compliance means CISOs should be looking to address this as a matter of priority.
There has sometimes been a mentality of “if it’s not broke, don’t fix it” in the past, especially in the industrial sector. But with the bottom line, and even lives at stake, CISOs can’t afford to take these kinds of risks anymore.
Didier Appell, Head of Cybersecurity for Products and Industrial systems at Sogeti High Tech, Capgemini Group