As we head into the Industry 4.0 era — where connected Internet of Things (IoT) devices and automation will reshape industries — our world is already highly connected. According to Statista, there are more than 10 billion connected IoT devices, and that number will increase by well over a billion new connections each year, exceeding 25 billion in 2030. Much of this growth will come from industrial connectivity and automation products, which improve energy efficiency, operating productivity and safety at-scale, while also reducing costs and unnecessary downtime.
Yet, as we’ve witnessed over the past two years, increased connectivity creates increased risks. As networks of connected smart devices exchange critical data, they also open numerous vulnerabilities for exploitation by hackers. Given the inherent complexity of industrial-scale automated systems and the fact that malicious actors need only find a single vulnerability to access an entire network, it’s clear that organizations are facing an incredibly tough challenge. This challenge will only grow as IoT devices become ubiquitous in the Industry 4.0 era.
In February 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert acknowledging a yearlong uptick in sophisticated ransomware incidents targeting critical infrastructure organizations across the globe. Only days later, the FBI and Secret Service warned that the resurging BlackByte ransomware gang had successfully compromised multiple U.S. and foreign organizations. These attacks included “at least three critical infrastructure sectors,” ranging from food and agriculture to financial institutions and government facilities. Unfortunately, mitigating the security issues that enable these attacks is easier in theory than in practice.
Complexity is security’s greatest enemy. Increased digitization of organizations and industries without adequate advance consideration of security risks has created insecure interconnections. In many cases, organizations have proved unable to maintain acceptable levels of security and, in some cases, exposed critical infrastructure elements to the internet for the first time. Since infrastructure failures can be catastrophic, cutting off food, water, electricity and oil supplies, these elements became desirable targets for profit-hungry cybercriminals. In fully connected ecosystems, including those that Industry 4.0 organizations are building, attacks on these sectors can spread to customers and supply chains, giving bad actors even greater leverage to demand payments.
At my company, UL, we believe that hardening security requires a proactive, tactical approach to both risk management and security, building protections upfront in the product development process. Moreover, meeting legislative and industry compliance requirements should be part of every company’s comprehensive product security program. This approach to reducing cybersecurity risks is known as security by design. This strategy enhances trust for all stakeholders across the product’s entire lifecycle and is implemented in several steps.
- Treat cybersecurity as a shared responsibility. Securing data and assets in the Industry 4.0 era isn’t just one person or organization’s job. It requires a variety of players with differing roles and priorities, including asset owners, system integrators, maintenance managers and manufacturers of components and finished products. Given that cybersecurity can be compromised anywhere from the deepest chip level to a supply chain partner’s information technology (IT) team, collaboration is crucial to ensure security across all these different roles and interdependencies.
- Meet the standards. Considering the global breadth and technical depth of today’s products, organizations must meet national and international regulatory requirements and industry-specific standards and security frameworks.
- Test regularly. Given the dynamic regulatory landscape, products and systems need to have security built in and must regularly test and verify their cybersecurity capabilities against established standards. As many organizations face challenges in supporting ongoing security assurance, working with a trusted expert for assessment, testing and certification is advisable.
As attackers become more malicious in targeting industries through connected devices, organizations can no longer afford solely reactive approaches to cybersecurity. Sustainable and strong cybersecurity postures now depend on holistic approaches to governance and processes, starting with security by design and continuing with ongoing testing to meet evolving industry and regulatory standards.
Original content can be found at International Society of Automation.