6 minute read
Securing the IoT by design
Joe Lomako offers advice on the preventative measures that can be taken to secure processes against cyber attacks.
As devices, systems and processes become increasingly digitised and interconnected, the Internet of Things (IoT) offers opportunities for industry. However, the same technologies which enable value creation, also provide new attack surfaces for cyber criminals.
Advertisement
In the IoT age, every wireless-enabled product represents a potential threat to data security and privacy, but proactive, robust security planning enables a manufacturer to manage cybersecurity risk to mitigate attacks.
Preventative security measures should begin at the design phase, or even the concept phase, employing the principle of ‘Secure by Design’. Although, as the name suggests, this is aimed at the design stage, it is important to understand that security is a continuous process.
So, the Secure by Design principal is sensible. However, that in itself has to be defined. This process should therefore begin with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to determine the appropriate security requirements for that product and indeed of the IoT system as a whole.
Evaluation
After risks are understood, the next step is to evaluate the hardware and software – the ‘attack surface’. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security is very difficult to install as a software add-on after product development. Every aspect must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications.
Following component testing, an endto-end assessment should be performed to determine the attack resilience of the individual components and support services. It is important that this process is continuous. The questions, ‘have we found every vulnerability?’ or ‘have we introduced new vulnerabilities?’ are always in the air. Thus, implementing a process of security validation for updates during the product lifecycle is also important.
There is often a perception that because a system is complex that it is automatically secure. Unfortunately this is not always the case.
The introduction of the NIS Directive (security of network & information systems) in Europe is intended to improve this situation, but uptake is slow, as is the introduction of the standards required to assist in improving cyber security. However, standards do exist, or are being developed by international organisations, aimed at providing baseline protection which would help to deliver basic security provisions for a first line in cyber defence.
The two main standards for IoT devices are NIST 8259 (US) and Draft EN 303 645 (EU). The scope of the NIST has been written with the intent to address a wide range of IoT type products, which have at least one transducer. So, it follows that it can apply to Industry 4.0 products. More importantly this standard has been mandated in California under State Bill No. 327, and it will likely pervade across the US.
However, the scope of the Draft EN 303 645 standard is aimed only at consumer IoT devices, so is not applicable for industrial products, although the general principles therein can certainly be applied generically to afford some modicum of protection.
Taking control
There is some debate that the present cyber security standards are lacking detail and do not adequately cover the scope of typical industrial applications. So, manufacturers should consider their own programmes and a starting point would be: • Think ‘Secure by design’ and take a proactive approach to cybersecurity recognising that attacks are ‘when not if’.
• Ensure up to date compliance with all standards. • Constantly review ‘cyber resistance’ status.
Ongoing investment in cyber security is crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat new forms of hacker attacks into critical IT infrastructure. For example, companies often neglect IT-security training of their staff, even though social engineering has long been a standard weapon in every cybercriminal’s arsenal.
Following new IT investment or company acquisitions, businesses also often forget to disconnect obsolete or unused equipment. These may be running unsupported operating systems and are missing updated security patches and this opens gaps for hacker attacks.
Traditionally ‘pattern matching’ has been used to identify security risks in the IT infrastructure, but this is no longer enough as cyberattacks are increasingly implemented with the use of machine learning and artificial intelligence. So companies should focus on identification of anomalies by deploying AI in their cyber security efforts.
Cyber security is becoming a focal topic not only for IT managers, but increasingly also for C-level management. However, executives and IT experts often do not communicate effectively and adopt different perspectives on many issues. In this case, it is helpful to adopt a level of communication that is appropriate for the respective target group. Otherwise, communication problems may delay necessary IT security investment. While having some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider exposure to assessing various types of product or infrastructure and be better equipped to help manage new and evolving cyber threats. Tackling the problems of cyber security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring – from design through to obsolescence.
Joe Lomako is business development manager (IoT) at TÜV SÜD.
Industrial cybersecurity is a game without end!
The constant cyber threat is now a fact of life and everyone needs to have an understanding of data protection, argues Rainer Brehm, CEO of Factory Automation at Siemens Digital Industries.
With the rapid growth of the Internet of Things (IoT) and the convergence of OT and IT, there are many more potential targets. Taking into consideration the costs of disruption to production operations, and the threat to human safety when physical systems are compromised, cyber-criminal activities are becoming more lucrative for attackers and cyber security has become a never-ending process that is constantly evolving as the methods and capabilities of attackers become more sophisticated.
A favoured method of attack is to identify and exploit vulnerabilities in industrial control systems. For manufacturers of automation systems, such as Siemens, it is imperative to develop products securely, but also to provide comprehensive information and solutions – such as a security patch – as quickly as possible when new vulnerabilities are discovered.
Cyber mature manufacturers collaborate with security researchers who identify and report vulnerabilities in products before malicious attackers have the chance to exploit them. One such company is a Siemens partner, Claroty, which performs security research on Siemens products and solutions. Put simply, the researchers do their best to hack those products – thereby revealing potential vulnerabilities.
Just as future technologies are incorporated step-by-step in the Siemens Totally Integrated Automation (TIA) portfolio, a similar principle applies to security features: constantly adapting to the everchanging threat landscape to ensure that solutions remain secure.
Experiences with security research can also offer insights into how to approach security. In the last decade we have seen certain types of cyber-attacks occur (and frequently succeed) again and again. This tells us that perimeter-based defences alone cannot effectively keep attackers out indefinitely. It is smarter to assume that attacks will penetrate defences and to be prepared for that with, for example, multiple layers that provide ‘defence in depth’ and segmentation that restricts movement to other parts of the network.
Integrity (to protect data from unauthorised modification or deletion) and confidentiality (to prevent unauthorised access to data) are key security goals for a holistic security concept. Security features such as strong machine-to-machine and user-to-machine authentication based on custom digital certificates; and fine-grained access control will become mandatory in the future.
Given the growth in potential vulnerabilities and the improvement capabilities of the attackers, a holistic cyber security concept for the whole value chain – one that adheres to leading international standards, such as IEC 62443 – is required to ensure clarity and structure. Risk assessment becomes more effective, so decision makers can clearly see where the priorities lie and what the implications for business operations are.
