
UNDERSTANDING CYBERSECURITY THREATS IN INDUSTRIAL IOT

09-04-2019

Consumer-facing Internet of Things (IoT) devices, from smart refrigerators to Internet-connected lightbulbs, have proliferated rapidly in recent years. The same is true of Industrial Internet of Things (IIoT) devices designed to improve efficiency and productivity in the manufacturing sector.

While IoT devices are very visible because of the role they play in consumers’ daily lives, IIoT technologies have received less attention because they are only used within industrial settings.

With projections estimating that $6 trillion will be spent on IIoT solutions over the course of the next five years, rapid growth in IIoT devices is set to continue.

This will bring a range of new security threats that may affect not just the critical infrastructure where these devices are deployed, but also the Internet users and online firms that rely on secure networks and manufacturing processes.

Industry challenges

The sheer scale of sensors and number of IoT and IIoT devices currently being deployed provides a much larger attack surface, with many more potentially vulnerable devices than ever before for attackers to target.

These risks have manifested in a series of serious security incidents. Examples include the “Industroyer,” or “Crash Override,” malware that was used to crash the Ukrainian electric grid in 2015, and the massive Mirai botnet of compromised IoT security cameras and routers that was used to launch several distributed denial-of-service attacks in 2016.

Not only are attacks like these larger and more damaging than many pre-IoT cyberattacks because of their scale and physical system consequences, they have also proved much harder to mitigate.

Furthermore, security standards and requirements are highly fragmented by region and country as governments have started regulating IoT technologies in very different and sometimes conflicting ways. This creates challenges for manufacturers and developers who are trying to create and deploy these services for a global market.

For instance, Japanese regulation aimed at strengthening the security of IoT devices has explicitly legalised hacking those devices to uncover vulnerabilities in the hope that this will lead to more security research being focused on these technologies. But that activity is largely forbidden in the USA, where unauthorised access to a computer is illegal.

Meanwhile, Australia has explored using an IoT security rating system to assess devices, and the UK has released a voluntary IoT security code of practice.

A further complicating factor is that few, if any, of these regulations recognise the significant differences between IIoT and IoT technology.

Key differences

Few existing regulations recognise the significant differences between IIoT and IoT technology, and they therefore fail to take into account the unique challenges posed by the IIoT ecosystem.

IIoT devices are located in industrial settings rather than commercial ones and they typically facilitate structured machine-to-machine connections rather than ad-hoc people-to-people or people-to-Internet connections.

For instance, IIoT sensors are used to monitor machine performance in factories and provide predictive diagnostics that connect maintenance and production processes, thereby avoiding unplanned downtime. This increases the likelihood of malfunctions and bugs going undetected for extended periods of time.

IIoT devices have very different longevity and reliability expectations. While IoT devices are typically designed to last between two and five years, IIoT technologies are designed to last for anywhere from ten to 30 years and withstand harsh industrial environments.

Continuity of service is crucial for IIoT devices. More reliability, less downtime and more stringent availability requirements make IIoT services even more challenging to update, because any kind of configuration change requires an outage, which may lead to unacceptable business interruptions or loss of revenue.

IIoT systems must also be able to coexist with legacy systems and support proprietary protocols, while IoT devices are typically based on open standardised protocols.

There are also economic challenges to securing the IIoT ecosystem. The IIoT supply chain is complex, making it difficult to secure and difficult to assign clear liability to various stakeholders for vulnerabilities introduced at different stages of the supply chain.

Third-party conformity assessment of IIoT device components and a periodic inventory of deployed IIoT technologies are important to ensure that only trusted devices are installed and operational.

Looking ahead

IIoT technologies hold tremendous promise to boost productivity and efficiency in our critical infrastructures, but that promise will only be realised if some of the challenges facing manufacturers and technology providers are addressed.

A lack of harmonised global standards for IIoT security has hindered the adoption and deployment of many of these options. Aligning IIoT system-level requirements across manufacturers is difficult because of an ever-changing set of uncoordinated cybersecurity standards, guidelines, and regulations.

Many countries are in the process of developing their own security standards for IoT devices and critical infrastructure. But in many cases, existing security standards have not been designed with the complexities of IIoT devices in mind.

It is essential that industry stakeholders work together to help add appropriate global security standards to address the existing technical and economic challenges.

It is also important for companies and academic institutions to begin forging partnerships to develop a strong pipeline of professionals in this area, as well as instigating internal training programmes to cultivate cybersecurity awareness and skills within IIoT firms. Initiatives like these will help meet the growing demand for managing IIoT systems in Australia and globally.

Michael Regelski is Chief Technology Officer at Eaton Corp. He recently addressed the IEC Cybersecurity Council in Sydney advocating for a global standard that provides consistency for manufacturers.

 

 
