Tackling risks arising from IoT connected equipment requires an active and holistic approach from initial design onwards, says Joe Lomako, business development manager (IoT) at TÜV SÜD
To harness the opportunities afforded by the internet of things, businesses are increasingly investing in connected production facilities. However, in the IoT age, every wireless-enabled product represents a serious potential threat to data security and privacy as cybercriminals rapidly develop new forms of attack to hack into critical IT infrastructure.
There is a perception that because a system is complex, it is automatically secure. That is unfortunately not always the case. Businesses must therefore take steps to minimise the risks that potentially threaten them.
Manufacturers can manage cybersecurity risk and reduce the severity of attacks by taking an active and holistic security planning approach. This requires continuing investment, both in technological developments for competitive advantage and in effective measures to combat attacks.
Preventive security measures should begin at the design phase by employing the principle “secure by design”. To determine the appropriate security requirements, this process should begin with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to decide what are the appropriate security requirements for that product and indeed for the IoT system as a whole. Risks can also be minimised by continuously monitoring the security of the IT infrastructure.
The next step is to evaluate the hardware and software, which together form the “attack surface”. Every aspect must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors, actuators, and so on), wireless communication modules and protocols, device firmware (operating system and embedded applications), cloud platforms and applications.
Following component testing, an end-to-end assessment should be performed to determine the resilience to attack of the individual components and support services. It is important to reiterate that this process should be continuous.
Industry standards
The introduction of the NIS Directive (the EU Directive on security of network and information systems) in Europe is intended to improve the situation, but uptake is slow, as is the introduction of the standards required to assist in improving cybersecurity. However, standards exist or are being developed by international organisations, aimed at providing baseline protection or basic security provisions for a first line in cyber defence.
The two main standards for IoT devices are NISTIR 8259 (US) and EN 303 645 (EU).
The scope of the NIST document has been written to address a wide range of IoT products which have at least one transducer, so it follows that it can apply to Industry 4.0 industrial products. However, the scope of the EN 303 645 standard is aimed only at consumer IoT devices, so it is not applicable to industrial products, although its general principles can certainly be applied generically to afford some modicum of protection.
Best practice
Although these standards assist in defining and verifying a product as having a first line of defence, manufacturers should also consider their own cybersecurity programmes. For example, a starting point would be:
• Think “secure by design” and take an active approach to cybersecurity, recognising that attacks are “when, not if”
• Ensure up to date compliance with all standards
• Constantly review cyber-resistance status.
Traditionally, pattern matching has been used to identify security risks in the IT infrastructure, but this is no longer enough, because cyberattacks are increasingly carried out with the help of machine learning and artificial intelligence. Companies should therefore focus on identifying anomalies by using artificial intelligence in their cybersecurity efforts.
Cybersecurity is becoming a focal topic not only for IT managers, but increasingly also for top level management. Though they may have some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider experience of assessing various types of product or infrastructure and will be better equipped to help manage new and evolving cyber-threats.
Tackling cybersecurity risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring – from design through to obsolescence.
www.tuvsud.com/uk
+44 (0)1489 558100 | info@tuv-sud.co.uk