As digital transformation continues across industry, how can we tackle the growing security vulnerabilities we may find ourselves exposed to because of our interconnectedness?
As the world moves ever closer to automation and interconnectedness, businesses in the manufacturing industry have found themselves at the forefront of the digital revolution as the Industrial Internet of Things has given rise to industry 4.0 - the so-called fourth revolution.
Following on from this, Industry X.0 seeks to define a framework in which this digital transformation occurs. Combine these with the broader Internet of Things (IoT) phenomenon that we have been witnessing over the past decade and it’s clear to see that our ecosystem is experiencing a massive shift and taking us along with it.
But what does this mean for businesses? With such a significant shift in process taking place, there are bound to be gaps that form. And when it comes to technology, gaps mean security vulnerabilities.
In many ways the security risks of industry 4.0 and X.0 are obvious. One of the key risks is the very thing that gives industry 4.0 its purpose: its interconnectedness. No matter how secure your systems, infrastructure and connection points maybe, if those with whom you’re doing business with aren’t following the same security hygiene, your exposure is as great as theirs.
“You end up with a company who, having implemented industry 4.0 with pretty good security, as they connect their systems to partners, suppliers, customers - firms with older systems - hackers are able to spread from the older system to the new system,” James Stanger, chief technology evangelist at industry association CompTIA, points out.
The edge of the network is also particularly vulnerable, according to Mike Maddox, president and CEO of managed services provider ASK. He says every business needs a comprehensive, proactive cybersecurity monitoring solution in place that “monitors the entire environment holistically from the outside in”.
“That's very different to most of the tools that are out there,” he points out. “Most of them are reactive and depend on the endpoints. We put antivirus on our endpoints, we put advanced cybersecurity tools on our endpoints and we wait for the endpoint to get infected, and then we add stuff to catch it. That's not good enough. You need to take a more holistic and proactive approach by putting in a solution that protects the entire network.”
IoT devices that may be utilised as part of an industry 4.0 ecosystem are also a cause for concern when it comes to security. Stanger notes that many IoT devices are being “rushed to market” without much thought at all for security. While business operations have evolved into an industry 4.0 landscape, security protocols have not moved forward at the same speed, he adds, which means IoT devices incorporating inadequate firmware, coupled with a lack of experience and “wisdom” from users when it comes to securely implementing such devices.
James Hampshire, director of cybersecurity at PwC UK, agrees, noting that while major IT vendors are looking to build in security when they develop new IT products and applications, the same cannot be said for the world of IoT.
And even for those IoT products that may have built-in security, in manufacturing especially, they are often being hooked up to dated, legacy systems that may be difficult to patch and update because they have to be taken offline to do so.
“Often these things are running continuously so there isn’t that culture or ecosystem of continuous updates that we have in the IT world,” Hampshire notes.
Further, such systems give rise to concerns that are “dramatically different” to IT, Bruce Snell, VP of security strategy and transformation at solution provider NTT Security, says. He notes that traditional manufacturing concerns are safety, followed by reliability and availability, and not cybersecurity.
“On the IT side, if you've got a system that has a vulnerability, you can just schedule the maintenance window, install a patch, reboot the system and you're good to go, but I have customers that have machines that are smart-enabled - and so technically industry 4.0 - that have been running nonstop for the past 25 years, meaning you don't have a maintenance window to go in and fix things. This means a lot of vulnerabilities and security concerns that really can't be fixed by traditional methods.”
When it comes to manufacturing specifically, ASK’s Maddox notes that onsite equipment has often passed end-of-life with Microsoft because upgrade costs are high. Onsite computers may also be past their life because they’re tied to applications on the shop floor that haven’t kept pace with technology and also don't run on a current release. “That’s a really tough spot because the reality is all those machines are connected. They’re on the internet, and they’re not being maintained. They’re ripe for a cyber-attack; they're sitting ducks.”
Another easy target when it comes to Industry 4.0 are HMIs - human machine interfaces - which tend to be shipped with industrial equipment and are often running on older software, such as Windows 97, which means they can’t be patched as they are out of support, Snell points out.
“So you have all of these things where you have old, outdated software that needs to keep running and is very insecure,” he says. “It’s a potential danger to the rest of your environment, yet it has to keep running.”
The security risks that industry 4.0 and X.0 present are not, of course, easily solvable. There is obviously no silver bullet, Hampshire notes, but there are things that firms can be doing to help mitigate their exposure, such as applying a good set of security principles like those used in the IT world - covering people, process and technology.
Staff awareness training is also key. However, in manufacturing in particular, it’s office staff who have traditionally received cybersecurity training rather than shop floor staff, Hampshire points out. But with industry 4.0, it will increasingly be the people operating and securing the interconnected machines who are exposed to cybersecurity risk, “so educating them is really important”, he says.
Also crucial to security and industry 4.0 and X.0 is understanding your business. Knowing exactly what connections you’ve got and where you are vulnerable is fundamental. This knowledge can then be used as a basis to implement technical controls, put training in place, and look at business processes in terms of risks and how they can be mitigated.
When it comes to the future of Industry 4.0 and security, the challenges only increase as our connections grow. Any business that wants to flourish in today’s interconnected world has no choice but to embrace digitisation and all that it brings - including its security risks.
With our growing dependency on one another for security, a point will come where organisations can only go so far individually, Hampshire says. “The future will probably be more about securing the ecosystem in which you operate - business partners, customers, suppliers, IT service providers. There's probably going to be a lot more collaborative working and efforts to secure that ecosystem, rather than just trying to secure individual points.”
Maddox takes a slightly starker view. “I think what you'll see is the cream will rise to the top. Those who are willing to embrace solid security profiles and new technologies in a smart, strategic way - not technology for technology's sake, but as a part of an overall strategic plan - will rise to the top and see their business increase. And those who don't will fall by the wayside. I think we'll see a great parting of the sea over the next 10 years in industry.”
To enable comments sign up for a Disqus account and enter your Disqus shortname in the Articulate node settings.