IoT device security standards challenges
Posted to News on 23rd Sep 2020, 00:00

Industry 4.0 (I4.0) is the fourth industrial revolution, pushing industry towards more automated and sophisticated manufacturing processes. As devices, systems and processes become increasingly digitised and interconnected, the Internet of Things (IoT) opens a wealth of opportunities for manufacturers. However, the same technologies also introduce cyber weaknesses, as Joe Lomako of TÜV SÜD explains.

A report from Make UK revealed that 60% of its members have been subject to a cyber security incident, almost a third of whom suffered some financial loss or disruption to business as a result. 41% of manufacturers went on to report that they have been asked by customers to demonstrate or guarantee the robustness of their cyber security processes.

Industry 4.0 systems include various components, such as cyber-physical systems, cloud computing, edge computing and Artificial Intelligence (AI). But there is almost always a physical component or sensor, and usually many hundreds or thousands of them, forming part of the system; these are referred to generically as IoT devices. They connect industrial systems to each other and are the interface to the outside world, continuously collecting data.

Although these components and sensors could be regarded as the strength of any given system, they can equally be its Achilles heel. According to a report from Kaspersky Lab earlier this year, half of all industrial control system networks have faced some form of cyber-attack. Some connected devices lack the cyber robustness needed to withstand attack, and this, coupled with the fact that some control systems still run outdated or bespoke operating systems or software, increases their vulnerability to attack.

When we visit industrial sites, we sometimes find a perception that because a system is complex it is automatically secure. That is unfortunately not always the case. The introduction of the NIS Directive (security of network and information systems) in Europe is intended to improve this situation, but uptake is slow, as is the introduction of the standards required to assist in improving cyber security. However, standards do exist, or are being developed by international organisations, that aim to provide baseline protection: basic security provisions that form a first line of cyber defence. Examples include not shipping devices with default passwords, and ensuring that a device's software can be updated "over the air".
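The "updatable over the air" provision only improves security if the device refuses updates it cannot authenticate. The following Go program is an added example written for this page, not code from the article or from TÜV SÜD, and it makes its own assumptions: the vendor holds an Ed25519 signing key whose public half is provisioned into the device, the update manifest layout (version counter plus SHA-256 of the image) is invented here, and the anti-rollback check on the version counter is an extra hardening step the article does not discuss. The firmware image and keys are constructed inline so the program runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata a device receives alongside an over-the-air image.
// The layout is an assumption made for this example; it is not a format defined
// by NISTIR 8259, EN 303 645 or IEC 62443.
type Manifest struct {
	Version   uint32   // monotonically increasing release counter, used for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature by the vendor over Version || ImageHash
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify under the vendor key")
	ErrRollback      = errors.New("update version is not newer than the installed version")
	ErrImageMismatch = errors.New("firmware image does not match the hash in the manifest")
)

// signedBytes serialises the fields the vendor signs. Fixed-width big-endian
// encoding avoids any ambiguity between the version and hash bytes.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+len(hash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignManifest is the vendor-side step: hash the image and sign version+hash
// with the vendor's private key, which never leaves the vendor's signing host.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyUpdate is the device-side gate that must pass before anything is
// written to flash. Checks run in order of trust: authenticate the manifest
// first, then refuse rollback, then confirm the image matches the manifest.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	return nil
}

func main() {
	// Constructed demo: the vendor key pair is generated once; only the
	// public half is provisioned into the device's trusted store.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, release 2") // stand-in for a real binary
	m := SignManifest(vendorPriv, 2, image)

	const installed = 1
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, installed, m, image))
	fmt.Println("replayed old release:", VerifyUpdate(vendorPub, 2, m, image))
	fmt.Println("tampered image:", VerifyUpdate(vendorPub, installed, m, []byte("tampered")))

	forged := m
	forged.Signature = append([]byte(nil), m.Signature...)
	forged.Signature[0] ^= 0x01
	fmt.Println("forged manifest:", VerifyUpdate(vendorPub, installed, forged, image))
}
```

The signature is checked before anything else because the version and hash fields are attacker-controlled until the signature proves otherwise; checking the hash first would let an unauthenticated manifest steer which image the device accepts. On a real device the installed version counter would live in write-protected or monotonic storage so that the rollback check cannot itself be reset.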

Two important standards that we see for IoT devices are NISTIR 8259 (US) and ETSI EN 303 645 (EU). The scope of NISTIR 8259 is written to address a wide range of IoT-type products, defined as having at least one transducer (a sensor or actuator), so it follows that it can apply to I4.0 industrial products. Its baseline also aligns with legislation: California's Senate Bill No. 327, in force since January 2020, already requires "reasonable security features" for connected devices, such as unique per-device passwords, and similar requirements will likely spread across the US. The scope of EN 303 645, however, is limited to consumer IoT devices, so it is not directly applicable to industrial products, although the general principles in it can certainly be applied generically to afford some measure of protection as part of a tailored risk assessment.

There is some debate that the present cyber security standards lack detail, are not always appropriate in application, and do not adequately cover the scope of typical industrial applications. That may be true, but they are at least a good start where previously nothing with a focussed scope existed.

There are several groups of published standards aimed at improving security from the network infrastructure down to devices. For example, an industrial IoT device could be certified under the IEC 62443 series of standards, which aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity. This series will probably be more familiar to operators and integrators of control and automation systems. It mixes process and technical requirements, and it does cover what we would typically call a "product": process requirements for a secure product development lifecycle are found in IEC 62443-4-1, and technical security requirements for components in IEC 62443-4-2.

Although it may seem that the standards do not cover everything, and they don't, they do at least offer that first line of defence. Manufacturers should also consider their own cybersecurity programmes, and there are other options outside the present standards landscape. These include more stringent, bespoke testing, or "pen testing", which will identify deeper and more serious threats to a machine and to the IoT system within which it sits. It is also vital to think "secure by design" and take a proactive approach to cybersecurity, recognising that attacks are a matter of "when, not if". What's more, threat resilience is an iterative task: not all threats may have been discovered on the first assessment, and some may not even exist yet. It is therefore very important to keep compliance with all relevant standards up to date and to review your "cyber resistance" status continually.

As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale. While digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime.

Ongoing investment in cyber security is crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack to hack into critical IT infrastructure. At present there is too little traction in device and component cyber assessment, and it would be prudent for any integrator or end user to ask their supplier what level of cyber assessment has been performed and for evidence of the device's resilience to cyberattack.

TUV SUD

Octagon House, Concorde Way
Segensworth North
PO15 5RL
UNITED KINGDOM

01489 558100
