Securing the IoT
03 September 2020
While the IoT introduces significant benefits, the same technologies may also be open to cyberattack, as cybercriminals seek out opportunities to hack into the critical infrastructure of connected production facilities. Indeed, in the IoT age every wireless-enabled product that is manufactured may also represent a potential threat to data security and privacy, reports Joe Lomako.
According to the UK Government Department for Digital, Culture, Media and Sport’s (DCMS) Cyber Security Breaches Survey 2020, 46% of UK businesses report having had cyber security breaches or attacks in the last 12 months, and more of them now experience these at least once a week (32% in 2020 vs. 22% in 2017). Among the businesses that identified breaches or attacks, one in five (19%) experienced a material outcome, losing money or data, and two in five (39%) were negatively impacted in other ways, for example by requiring new measures, having staff time diverted or suffering wider business disruption.
To harness the opportunities afforded by the IoT, companies are increasingly investing in connected production facilities. However, as cybercriminals rapidly develop and adopt new forms of attack against the networks of companies and critical infrastructure, businesses must remain vigilant to the new challenges and take steps to minimise the risks.
This requires ongoing investment in cyber security, both to keep up with technological developments for competitive advantage and to maintain effective measures against attacks. For example, IoT botnets have been used in some of the most prominent Distributed Denial of Service (DDoS) attacks, which overload a target network or service with traffic and disrupt its function. Attackers build such botnets from IoT products ranging from connected cameras to baby monitors by scanning the internet for devices with easily compromised passwords, typically factory-default credentials that were never changed. DDoS has become so pervasive that attack services built on IoT botnets can be rented by the hour on the dark web.
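As an added illustration of the scanning behaviour described above (example code added by the editor, not from the article or from TÜV SÜD): a small Python detector that parses constructed, syslog-style login records from a fleet of IoT devices, flags any source address whose failed logins hit several different devices within a short window, and lists the devices on which the same source subsequently logged in successfully. The device names, addresses, log format, telnetd message wording and thresholds are all assumptions made for the example.

```python
"""Added example (not from the article or TÜV SÜD): detect one source address
spraying logins across many IoT devices, the pattern that builds IoT botnets.
All log lines, device names and IPs below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style records from several devices. The message
# format "login ok|failed for <user> from <ip>" is an assumption for this example.
SAMPLE_LOGS = """\
2020-09-03T10:00:01 cam-01 telnetd: login failed for root from 203.0.113.7
2020-09-03T10:00:02 cam-01 telnetd: login failed for admin from 203.0.113.7
2020-09-03T10:00:02 cam-02 telnetd: login failed for root from 203.0.113.7
2020-09-03T10:00:03 cam-02 telnetd: login failed for admin from 203.0.113.7
2020-09-03T10:00:04 monitor-07 telnetd: login failed for root from 203.0.113.7
2020-09-03T10:00:05 monitor-07 telnetd: login ok for root from 203.0.113.7
2020-09-03T10:30:00 cam-01 telnetd: login failed for alice from 198.51.100.5
2020-09-03T10:30:04 cam-01 telnetd: login ok for alice from 198.51.100.5
2020-09-03T11:00:00 gateway-02 telnetd: login failed for admin from 192.0.2.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>ok|failed) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_logs(text):
    """Parse lines matching LOG_RE into dicts; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_credential_scanners(events, window=timedelta(minutes=5),
                             min_hosts=3, min_failures=4):
    """Return {src: finding} for every source whose failed logins touched at least
    min_hosts distinct devices (and numbered at least min_failures) inside one
    sliding time window. The finding records the devices probed in the window
    that first crossed the threshold, the failure count in that window, and any
    devices the same source logged in to after the spray started."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failed"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the window fits; start never passes end.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            window_fail = failures[start:end + 1]
            hosts = {e["host"] for e in window_fail}
            if len(window_fail) >= min_failures and len(hosts) >= min_hosts:
                first = window_fail[0]["ts"]
                compromised = sorted({e["host"] for e in evs
                                      if e["result"] == "ok" and e["ts"] >= first})
                findings[src] = {"hosts": sorted(hosts),
                                 "failures": len(window_fail),
                                 "compromised": compromised}
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in find_credential_scanners(parse_logs(SAMPLE_LOGS)).items():
        print(f"{src}: {f['failures']} failed logins across {f['hosts']}; "
              f"later successful logins on {f['compromised']}")
```

In a real deployment the same logic would be fed from central log collection rather than an inline string, and the thresholds would be tuned to the fleet; they are deliberately low here so that the constructed sample triggers. Listing later successful logins alongside the spray is the part that matters for response: it separates a device that was merely probed from one that has probably been recruited into a botnet and now needs its credentials changed and its firmware checked.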
Manage & mitigate
Manufacturers can manage cybersecurity risk and mitigate attacks by taking a proactive and holistic approach to security planning. This helps them to avoid costly product recalls, design changes and possibly heavy penalties following a data security breach. Such preventative measures should start at the design phase, following the principle of ‘Secure by Design’, and the first step is an assessment of the business impact and probability of each risk: without a clear understanding and prioritisation of the risks, it is difficult to determine the appropriate security requirements for the product being manufactured or for the manufacturer’s own IoT systems.
Risks can also be minimised by continuously monitoring the security of the IT infrastructure. For example, it is all too common for companies not to disconnect equipment that is no longer being used. Running on unsupported operating systems and missing security patches, this forgotten “shadow IT” opens gaps for a cyberattack. Keeping an accurate inventory of what is connected, monitoring its security status and decommissioning equipment and software that are no longer required closes those gaps.
Once the risks are understood via a robust risk assessment, the next step is to evaluate the hardware and software, which together form the cyberattack “surface”. Testing the individual components against requirements derived from the risk assessment is the foundation of a secure product; security is exceedingly difficult to retrofit as a software add-on once development is complete. Every aspect of the product must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), and the cloud platforms and applications the device talks to. An end-to-end and continuous validation process should also be performed to determine the attack resilience of the individual components and of the supporting services. It is also important to go beyond embedding security into the product itself and to consider end-user behaviour: this covers unintended misuse by the end-user and ensures that users are made aware of potential issues.
Industry standards
From a regulatory perspective, while defined standards are available globally, they are neither complete nor fully ratified, and they are not mandatory. The two main standards for IoT devices are NISTIR 8259 (US) and ETSI EN 303 645 (Europe). The scope of the NIST document has been written to address a wide range of IoT products, those with at least one transducer (sensor or actuator) and a network interface, so it can be applied to Industry 4.0 industrial products. More importantly, statutory IoT security requirements along the same lines are already in force in California under Senate Bill No. 327, and such legislation will likely spread across the United States.
However, the scope of EN 303 645 is aimed only at consumer IoT devices, so it is not really applicable to industrial or business-to-business products, although its general principles (for example, no universal default passwords, a published means of reporting vulnerabilities and a commitment to keep software updated) can certainly be applied generically to afford some modicum of protection.
There are several groups of published standards aimed at improving security from the network infrastructure down to devices. For example, an IoT device could be certified under the IEC 62443 series of standards, which aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity and will be familiar to operators and integrators of control and automation systems. The series mixes process and technical requirements and includes parts that address what we would typically call a “product”: secure development lifecycle (process) requirements in IEC 62443-4-1 and technical security requirements for components in IEC 62443-4-2.
There is some debate that the present cyber security standards lack detail, are not always appropriate in application, and do not adequately cover the scope of typical industrial applications. Although the standards do not cover everything, they do at least offer a first line of defence, as until fairly recently nothing with a focussed scope existed at all.
Best practice
Although these standards assist in defining and verifying that a product has a first line of defence, manufacturers should also run their own cybersecurity programmes. A starting point would be:
- Think “Secure by Design” and take a proactive approach to cybersecurity, recognising that attacks are a case of “when, not if”.
- Ensure up-to-date compliance with all applicable standards.
- Constantly review ‘cyber resistance’ status.
As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale. While digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. Both industrial IT security and the security of wireless products which manufacturers produce will therefore become increasingly important.
Ongoing investment in cyber security is crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack on critical IT infrastructure. Cyber security risk can therefore only be tackled through comprehensive planning, periodic evaluation, updates and monitoring, carried out continuously from design through to obsolescence. Remember that cyberattacks in the IoT are a case of ‘when, not if’, so manufacturers should ensure that they are fully up to date with compliance requirements and constantly review the ‘cyber resistance’ status of their systems.
Key Points
- Manufacturers can manage cybersecurity risk and mitigate attacks by taking a proactive and holistic security planning approach
- Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product
- There are several groups of published standards which are aimed at improving security from network infrastructure to devices
Joe Lomako is business development manager (IoT) at global product testing and certification organisation, TÜV SÜD