In a world of ubiquitous connectivity, trusted equipment is the backbone of safe network environments. But as more manufacturers and industries build and deploy smart Industrial Internet of Things (IIoT) devices, the security and safety of systems providing essential operations become more important and more difficult to manage. These complexities are due, in part, to a lack of a global, universally accepted cybersecurity standard and conformance assessment scheme designed to validate connected products.
Today, countries throughout the world develop requirements without regard to global conformity. This conformity gap makes it difficult for manufacturers to determine the standards to which they should build and comply, particularly as products are manufactured and sold around the world. With that, I believe industry partners and standards bodies must take proactive steps to codify security expectations and best practices for IIoT ecosystems. This will help ensure security is built consistently into products and ultimately save companies billions of dollars in system design and cyberattack recovery costs.
With the integration of IIoT devices in legacy systems and solutions on the rise, critical infrastructures and other industrial control system networks become more open to cyberattacks that are increasingly challenging to mitigate. Today, the overall loss caused by cybersecurity crime is estimated at $600 billion1, 0.8 per cent of global GDP. Several incidents in recent years manifested in a series of serious security breaches that attracted worldwide attention, including 2015’s “Industroyer,” or “Crash Override,” malware that crashed the Ukrainian electric grid and the massive Mirai botnet attacks in 2016, which compromised IoT security cameras and routers to launch several distributed denial-of-service attacks.
The unique characteristics of IIoT technologies present technical and economic challenges. From a technical perspective, IIoT devices have limited computational and storage capabilities; they’re not designed to support effective security measures like advanced encryption or vulnerability and patch management. The solution to this challenge requires the development of light-weight cryptographic algorithms and business models that allow for more timely upgrades to IIoT products and designing systems to support firmware upgrades over the air. In my opinion, the security of a network or system is only as strong as its weakest link. Organisations should employ basic cybersecurity hygiene and continuously analyse emerging threats to ensure systems deploy securely. Additionally, companies should take inventory of everything connected to their networks and employ a zero trust model. This will require partnership and collaboration with trusted vendors to identify threats.
While the solutions I mention are feasible, a lack of harmonised global product standards for IIoT security dramatically slows the adoption and deployment of such options. Uncoordinated cybersecurity standards, guidelines and regulations from various entities across the globe make aligning universal IIoT system-level cybersecurity requirements for manufacturers difficult, if not impossible. Many countries, regions and local-level governments develop their own cybersecurity best practices and standards for IIoT devices and critical infrastructure, resulting in a lack of parity. In many cases, those governmental bodies lack the expertise needed to account for the complexities of IIoT devices and their application.
Further, cybersecurity standards and requirements are highly fragmented by region and country as governments have begun regulating IIoT technologies in very different and sometimes conflicting ways. This creates challenges for manufacturers and system integrators who attempt to build and deploy services for a global market.
Industry and standards bodies must support appropriate conformity assessment schemes to help validate global requirements for products and systems to solve the complexities of complying with multiple requirements from different countries and regions.
I feel strongly that standards bodies can lead the charge in the development of global IIoT cybersecurity standards, including appropriate conformity assessment schemes. Global standards will also pave the way for corporate and academic partnerships; these relationships will help build the stronger talent pipeline needed to address the skilled labour shortage in cybersecurity and especially IIoT.
I feel strongly that standards bodies can lead the charge in the development of global IIoT cybersecurity standards, including appropriate conformity assessment schemes.
The challenge ahead of us is to generate more dialogue across standards bodies by educating manufacturers, suppliers and consumers of IIoT on the risks associated with unsecured products and solutions. While I feel standards bodies can help guide cyber safety conversations, cybersecurity is a collaborative effort – and collaboration takes time, especially in sectors slower to react to advances in technology.
As industries slowly begin to push cybersecurity forward, there are steps business owners and facility managers can take today to reduce cybersecurity risks in systems and networks:
Integrate cybersecurity into product design and development
Security is a continuous journey. Product complexities, threat scenarios and technologies evolve, so it’s crucial to have protocols in place for every phase of the product development life cycle – from threat modelling to requirements analysis, verification and ongoing maintenance. These procedures help organisations spot emerging threats, identify ways to defend against them and help customers maximise efficiency, reliability and safety. Eaton’s Secure Development Life Cycle (SDLC) process is an excellent example of a model where security is integrated at every phase of product development.
Apply basic cybersecurity hygiene on networks
Basic cybersecurity hygiene ensures maintaining an up-to-date inventory of assets and knowing what is connected to a network. This should include physical and data assets, applying patches when vulnerabilities are discovered, ensuring strong access control policies and assuring the continuous monitoring of logs and systems for abnormal behaviours. Organisations should also work to schedule a series of cybersecurity updates based on their risk-level assessments performed on each security patch.
Collaborate with knowledgeable third-party organisations
Developing strict procedures at each stage of product development helps establish measurable cybersecurity criteria for network-connected products and systems. Partnerships with trusted third parties can help organisations augment their cybersecurity best practices as those institutions often create guidelines that are widely accepted in the international community. Our collaboration with UL is a working model, as Eaton now tests products with intelligence or embedded logic to key aspects of UL 2900-1 and IEC 62443 standards, which require mandatory testing protocols for vulnerabilities, software weaknesses and malware.
Manufacturers can no longer afford to operate under different security standards. Cybercriminals and the technologies they use continue to evolve, and diverse standards lack the uniformity needed to combat the latest threats.
The time to drive a global conformance assessment for cybersecurity across industries is now. Industries and standards bodies across the globe must accelerate the dialogue needed to address today’s cybersecurity challenges and keep up with the pace of changing technologies before it’s too late to catch up.