Cyber security and the IoT. By Joe Lomako
Industry 4.0 presents powerful opportunities for manufacturers to develop new competitive advantages. Across industries, increasing digitisation is delivering increased efficiencies, unmatched flexibility and innovative business models. In order to harness these opportunities successfully, they must also be aware of the new challenges and take steps to minimise the risks that potentially threaten their business.
While the Internet of Things (IoT) delivers significant opportunities, as systems and processes become digitised and interconnected cybercriminals are increasingly hacking into the critical infrastructure of connected production facilities. Ongoing investment in cyber security is therefore crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat hacker attacks.
Ongoing investment in cyber security is crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack to hack into critical IT infrastructure. However, companies often neglect their staff’s IT-security training, even though social engineering has long been a standard weapon in every cybercriminal’s arsenal. This is where cybercriminals use psychological manipulation to trick users into making security mistakes or to give away sensitive information.
Cyber security is becoming a focal topic not only for IT managers, but increasingly also for C-level management. However, executives and IT experts often do not communicate effectively and adopt vastly different perspectives on many issues. In this case, it is helpful to adopt a level of communication that is appropriate for the respective target group. Otherwise, communication problems may delay necessary IT security investment.
Following new IT investment or company acquisitions, businesses often forget to disconnect obsolete or unused equipment. As these are running unsupported operating systems and are missing updated security patches this opens gaps for hacker attacks. ‘Security by design’, which considers the security requirements for software and hardware right from the design and development phase, is one possible solution for avoiding security gaps. Risks can be also minimised by continuously monitoring the security of the IT infrastructure and clearing out outdated equipment and software.
Traditionally ‘pattern matching’ has been used to identify security risks in the IT infrastructure, but this is no longer enough as cyberattacks are increasingly implemented with the use of machine learning and artificial intelligence. Companies should therefore focus on identification of anomalies by deploying artificial intelligence in their cyber security efforts.
Is what you manufacture secure?
In the IoT age every wireless-enabled product that is produced represents a potential threat to data security and privacy. Proactive holistic security planning enables a manufacturer to manage cybersecurity risk while avoiding costly product recalls, design changes and heavy penalties.
Preventative security measures should be both end-to-end across the technology stack and integrated across the product life cycle and IoT ecosystem. It should cover design and manufacturing through to implementation and product obsolescence, and be continuous.
End-to-end cyber security decisions entail trade-offs between security level, system complexity, time-to-market and cost. This process begins with an assessment of the business impact and probability of risks. After risks are understood, the next step is to evaluate the technology compilation. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product.
Security is very difficult to install as a software add-on after product development. Every aspect of the product must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications. Following component testing, an end-to-end assessment should be performed to determine the attack resilience of the individual components and
support services. Product manufacturers must also take into account unintended misuse by the consumer and ensure that they are made aware of potential issues.
While there are defined standards available globally, they are not complete and ratified, neither are they mandatory. However, these do represent a first line of defence, and as a first step:
- Think ‘Secure by design’ and take a proactive approach to cybersecurity recognising that attacks are “when not if’.
- Ensure up to date compliance with all standards.
- Constantly review ‘cyber resistance’ status.
As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale. While, digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. Both industrial IT security and the security of wireless products which manufacturers produce will therefore become increasingly important. Given this, the risks of misuse will have to be re-assessed and new mechanisms developed to offer improved protection against malicious attacks.
Whilst having some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider exposure to assessing various types of product or infrastructure and be better equipped to help manage new and evolving cyber threats. Tackling the problems of cyber security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring – from design through to obsolescence.
Joe Lomako is Business Development Manager (IoT) at TÜV SÜD, one of the world’s leading experts in product testing and certification, with 150,000 product certificates in circulation globally. Its Product Service division analyses over 20,000 products each year in Europe, Asia-Pacific and the Americas, using its technical expertise to help customers optimise market access.