Securing the IoT by design

As devices, systems and processes become increasingly digitized and interconnected, the Internet of Things (IoT) offers opportunities for industry. However, the same technologies which enable value creation, also provide new attack surfaces for cyber criminals. For example, an open port on a device enabling a hacker to infiltrate the networks of companies and the critical infrastructure of connected production facilities.

In the IoT age, every wireless-enabled product represents a potential threat to data security and privacy, but proactive, robust security planning enables a manufacturer to manage cybersecurity risk to mitigate attacks.

Preventive security measures should begin at the design phase, or even the concept phase, employing the principle of ‘Secure by Design’. Although, as the name suggests, this is aimed at the design stage, it is important to understand that security is a continuous process.

The secure by design principle is sensible. However, that in itself has to be defined. This process should therefore begin with an assessment of the business impact and probability of risks. Without clearly understanding and prioritizing risks, it is not possible to determine the appropriate security requirements for that product and indeed of the IoT system as a whole.

Cybersecurity evaluation

After risks are understood, the next step is to evaluate the hardware and software – the “attack surface.” Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security is very difficult to install as a software add-on after product development. Every aspect must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications.

Following component testing, an end-to-end assessment should be performed to determine the attack resilience of the individual components and support services. It is important that this process is continuous. The questions, ‘have we found every vulnerability?’ or ‘have we introduced new vulnerabilities?’ are always in the air. Thus, implementing a process of security validation for updates during the product lifecycle is also important.

Industry cybersecurity standards

There is often a perception that because a system is complex that it is automatically secure. Unfortunately this is not always the case.

The introduction of the NIS Directive (security of network & information systems) in Europe is intended to improve this situation, but uptake is slow, as is the introduction of the standards required to assist in improving cybersecurity. However, standards do exist, or are being developed by international organizations, aimed at providing baseline protection which would help to deliver basic security provisions for a first line in cyber defense.

The two main standards for IoT devices are NIST 8259 (US) and Draft EN 303 645 (EU). The scope of the NIST has been written with the intent to address a wide range of IoT type products, which have at least one transducer. So, it follows that it can apply to Industry 4.0 products. This standard has been mandated in California, and it will likely pervade across the US.

However, the scope of the Draft EN 303 645 standard is aimed only at consumer IoT devices, so is not applicable for industrial products, although the general principles therein can certainly be applied generically to afford some modicum of protection.

Taking control of cybersecurity prevention

There is some debate that the present cybersecurity standards are lacking detail and appropriate in application, and do not adequately cover the scope of typical industrial applications. So, manufacturers should consider their own programs and a starting point would be:

• Think “secure by design” and take a proactive approach to cybersecurity recognizing that attacks are “when not if.”
• Ensure up to date compliance with all standards.
• Constantly review “cyber resistance” status.

Ongoing investment in cybersecurity is crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat new forms of hacker attacks into critical IT infrastructure. For example, companies often neglect IT-security training of their staff, even though social engineering has long been a standard weapon in every cybercriminal’s arsenal.

Following new IT investment or company acquisitions, businesses also often forget to disconnect obsolete or unused equipment. These may be running unsupported operating systems and are missing updated security patches and this opens gaps for hacker attacks.

Pattern matching has been used to identify security risks in the IT infrastructure, but this is no longer enough as cyberattacks are increasingly implemented with the use of machine learning and artificial intelligence. So companies should focus on identification of anomalies by deploying artificial intelligence in their cybersecurity efforts.

Cybersecurity is becoming a focal topic not only for IT managers, but also for C-level management. However, executives and IT experts often do not communicate effectively and adopt different perspectives on many issues. In this case, it is helpful to adopt a level of communication that is appropriate for the respective target group. Otherwise, communication problems may delay necessary IT security investment.

While having some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider exposure to assessing various types of product or infrastructure and be better equipped to help manage new and evolving cyber threats. Tackling the problems of cybersecurity risks can only be realized by comprehensive planning, periodic evaluation, updates and monitoring – from design through to obsolescence.

This article originally appread on Control Engineering Europe’s website.

Original content can be found at Control Engineering.

For more cybersecurity coverage and information check out our sister site, Industrial Cybersecurity Pulse.