Cyber security for Industrial IoT still a concern

Cristina De Luca

April 26, 2023

Automation, enhanced connectivity and the Internet of Things (IoT) in industry are improving cost-efficiency, efficiency and productivity. But cutting-edge technologies are also making the sector vulnerable to cyber attacks.

Industrial IoT attacks are one of the biggest threats facing the manufacturing industry. For the second year in a row, manufacturing topped the list of industries that cybercriminals were likely to target, according to an IBM report. In 2022, backdoors were deployed in 28% of incidents, surpassing ransomware, which appeared in 23% of incidents remediated by IBM Security X-Force.

To improve IoT security, the requirements for industrial communication standards and development processes must be carefully considered, starting now. The problem is that IIoT cybersecurity is competing with all other enterprise priorities for funding and support, and leadership teams often lack deep technical knowledge. Therefore, a significant initial challenge is to eliminate the technical details when determining the criticality or importance of investments.

It is important that businesses quickly understand that IIoT cyber security is not simply a new problem for IT or OT staff to manage, but a comprehensive business issue that deserves the full attention of senior leaders.

With this in mind, in 2018 the World Economic Forum developed the IIoT Safety and Security Protocol, which rightly starts from the premise that the IIoT has several nuances that differentiate it from traditional IoT.

While IoT operates in domestic environments, IIoT operates in industrial environments. As such, it involves optimizing supply chains, for example. IIoT is the same as Industry 4.0. It features a modular structure, whereby computers monitor and manage smart factories and the subsequent physical processes, creating a digital copy of the physical processes while making decentralized decisions. Along the way, computer systems interact with each other and with people.

In addition, organizational and cross-organisational services can be provided to supply chain actors. Interconnected objects, managed and accessed through data mining processes, such as Blockchain, can be partially accessed and function as sensors enabled to interact with other devices. Such systems, constituted by intelligent artifacts in the IoT system, demand minimal or no human action for data exchange and production, often aided by Artificial Intelligence mechanisms.

In summary, the main concerns of IIoT include the reduction of material and energy consumption, better management of the temporal dimensions of security in terms of “intrusion detection”, cloud computing and the interface between supply chain management and marketing processes, and better management of the complexity of infrastructures in terms of the number of entry points.

In short, IIoT comprises cybersecurity and IoT concerns in general. It focuses on integrity, in which data is protected from modification by unauthorized parties; authentication, in which the data source is verified as the intended identity; privacy, in which users’ identities are not traceable from their behaviours; confidentiality, in which information is made unintelligible to unauthorized entities; and availability, in which system services are available only to legitimate users.

It thus faces important challenges, notably regarding operations in decentralized environments and the changing nature of smart artefacts. This requires substantial improvements in the authentication of remote systems, encryption for new sensors and web interfaces, and computer software for intrusion detection.

Therefore, as the IIoT environment explodes to create Industry 4.0 and all its benefits and advantages, organisations will need to adopt strategic approaches and innovative architectures that promote reliable and secure working environments. To this end, they should already be addressing some important questions about the security of the IIoT, including defining their immediate priorities for IIoT capabilities, the level of automation required for machine-to-machine communication, and the appropriate security program and architecture needed to secure the IIoT environment.

The consultancy KPMG proposes an approach comprising:

1 – The development of a business-focused cyber security roadmap to capture and support your strategic vision;

2 – Conducting a strategic assessment of current security resources to create a personalized risk profile;

3 – Determining ownership and responsibility around IIoT cyber risk.

This includes collaborating with stakeholders to identify gaps in their ecosystems that may inhibit their security programme.

Where to start?

As your organisation tackles the challenge of implementing IIoT, KPMG also recommends starting by exploring some key questions:

  • What are your organisation’s immediate priorities for IIoT resources?
  • What level of control and automation will your M2M communication technology perform?
  • How will IIoT data be collected, stored and transmitted and what classification category will the data fall into?
  • Are there proven technologies for the applications under consideration?
  • How will M2M communications technology address challenges such as data encryption, network access control and signal interference?
  • What security mechanisms, if any, are being provided with IIoT-enabled devices and are you getting current threats and vulnerability information for each?
  • What external factors (environmental, regulatory, etc.) can affect the reliable transmission of data from one endpoint to another?
  • Have you considered cyber security and physical security for this deployment?
  • What ongoing improvements, upgrades and maintenance will you carry out or receive from suppliers?