June 2021
COMMUNICATIONS, SECURITY AND NETWORKING (www.drivesncontrols.com)

Minimising IoT cyber-security threats

As devices, systems and processes become increasingly digitised and interconnected, the Internet of Things (IoT) opens a wealth of opportunities for manufacturers. However, these same technologies also open up vulnerabilities as cyber-criminals seek opportunities to hack into the critical infrastructure of connected production facilities. Likewise, every wireless-enabled product represents a potential threat to data security and privacy.

A recent report from Make UK revealed that 47% of its members have been subject to a cyber-security incident over the past year, almost a third of whom suffered some financial loss or disruption to business as a result. Some 43% of the manufacturers went on to report that they have been asked by customers to demonstrate or guarantee the robustness of their cyber-security processes.

Manufacturers can manage cyber-security risks and mitigate attacks by taking a proactive and holistic approach to security planning. This will help them to avoid costly product recalls, design changes and possibly heavy penalties due to data security breaches.

Such preventative security measures should begin at the design stage and employ the principle of “secure by design”. This should start with an assessment of the business impact and processes, and the probability of risks because, without clearly understanding and prioritising risks, it is not possible to determine the appropriate security requirements for the product being manufactured or the manufacturer’s IoT systems.

Risks can also be minimised by monitoring the security of the IT infrastructure continuously. For example, it is all too common for companies not to disconnect equipment that is no longer being used. This “shadow IT” creates potential cyber-attack gaps, particularly if the software that drives it is no longer supported.

The risks can be minimised by monitoring the security of the IT infrastructure and decommissioning equipment and software that is no longer required.

After risks are understood, the next step is to evaluate the hardware and software, which is a typical vulnerability surface. Testing individual components against requirements determined by the risk assessment is the foundation of a secure product.

Vulnerabilities

Security is exceedingly difficult to install as a software add-on after product development. Every aspect of the product must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications.

An end-to-end and continuous validation process should also be performed to determine the attack resilience of the individual components and support services. However, it is also important to go beyond embedding security into products, and end-user behaviour should be considered. This includes anticipating unintended misuse by the end-user and ensuring that they are made aware of potential issues.

The introduction of the NIS (Network and Information Security) Directive in Europe is intended to improve the situation. Other standards also exist or are being developed by international organisations. Although these assist in defining and verifying a product as having a first line of defence, manufacturers should also consider their own cyber-security programmes. For example, a starting point would be:

- think “secure by design” and take a proactive approach to cyber-security, recognising that attacks are “when, not if”;
- ensure up-to-date compliance with all standards; and
- review cyber-resistance status constantly.

As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale.

While digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cyber-crime. Security of both industrial systems and wireless products will therefore become increasingly important. Ongoing investment in cyber-security is crucial to keep up with technological development, as cyber-criminals develop new forms of attack to hack into critical IT infrastructure.

Tackling cyber-security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring. This must be done continuously, from design through to obsolescence. Remember that cyber-attacks in the IoT are a case of when, not if, so manufacturers should ensure that they are fully up-to-date with compliance requirements and constantly review the cyber-resistance status of their systems.

Cyber-criminals are rapidly developing and adopting new forms of attack to hack into the networks of companies and critical infrastructure. Joe Lomako, business development manager (IoT) at the product testing and certification organisation, TÜV SÜD, looks at how to minimise the risks.