Cybersecurity The Biggest Threat to IIoT Adoption
Published on : Saturday 16-05-2020
Cybersecurity should be seen as an essential requirement that can support and enable plant availability and safety of operations, asserts Vivekananda Bhat.
The Industry 4.0 revolution inherently drives the confluence of cyber-physical systems and manufacturing processes. The wide chasm between information technology (IT) and operational technology (OT) is now just a fine line. There is no doubt that companies that are not on the Industrial Internet of Things (IIoT) bandwagon are going to be relics of a fast-eroding manufacturing era. IIoT adoption can significantly contribute to improving production efficiency and enabling transparency in the supply chain. During Frost & Sullivan’s India Manufacturing Excellence Awards assessment, which involved interactions with senior leadership across 100+ companies, over a span of 2 years), it was noted that seven out of 10 CEOs either already had IIoT as a part of their strategy or were in the process of doing so.
Companies are often more focused on the cost savings and convenience that IIoT offers but are largely unaware of the vulnerabilities that IIoT presents. The number of potential risks that threaten the performance and safety of devices and the integrity of IIoT data is set to increase exponentially with the pace at which IIoT adoption is growing. According to Frost & Sullivan's report “Industrial IoT Driving Manufacturing Innovations”, about 70% of the vulnerabilities are concentrated at the operational and enterprise levels. Industrial IT systems are converging into command centres designed to monitor and control industrial processes to promote business effectiveness and real-time, data-based decision- making. With these IT systems becoming accessible from anywhere on the planet, the growing dependence on internet-connected devices could outpace our ability to secure them.
Disruptions in Organisations
Cybersecurity threats are increasing and the sophistication of attacks boosts the security challenge for people, technology, and processes – the tripartite system of security needed to protect business-critical data. According to the Insurance Institute of Canada, manufacturing is one of the top industries targeted by cybercriminals. For any industrial or critical infrastructure organisation, the top priority is to secure its operations and process controls from potential disruptions. However, the operations team largely banks on trust and experience. It often perceives investment of time and resources to enhance cybersecurity as unnecessary and believes that “it could never happen to us.” Cybersecurity should be seen as an essential requirement that can support and enable plant availability and safety of operations. In the current environment, it is imperative to safeguard the organisation from global cyber threats like malware and ransomware.
Threats based on the source of generation
Industrial plants are prone to cyberattacks from internal and external sources. Internal issues are largely due to employee errors, and these errors and incidents could be void of any malicious intent. External issues can arise out of contractor or supplier errors. Smaller suppliers generally have fewer resources, time, and money to secure their plants, processes, and data. They could be targeted by cyber attackers to gain quick access to sensitive information. On the shop floor, we often come across instances of plant engineers or contractors charging personal devices on PLC or HMI USB ports or gaining wireless access from the hidden router in the back room. There could be many such real examples.
Threats based on the impact layer
Industrial plants need to be secured from cyberattacks across all levels, ranging from plant management to the field level, and from access control to copy protection. A multi-layered security concept covering plant security, network security, and system integrity ensures comprehensive and extensive protection for industrial facilities.
Steps to help secure critical data
1- Know where all your data is and identify who has access.
2- Classify your data as high or low risk.
3- Bring in an outside firm to objectively evaluate and understand your systems and processes.
4- Create a plan and a specific scope of work so you know what technology partners you need.
Suggested Countermeasures
Companies can adopt the following step-by-step procedure to implement robust cybersecurity practices:
1. Interweave Cybersecurity into Organisation's CEO Strategy
Understanding the security requirements is the all-important first step to developing a robust information security strategy. The requirements should be in sync with cybersecurity threats, which can multiply in frequency, complexity, and severity. In addition to meeting regulatory obligations/legal compliance, it is more important to suitably address business and customer obligations.
2. Formulating and Effectively Deploying IT Policy for Data Security
This could be a contentious and challenging process as the organisation needs to balance the need for security against business needs without favouring one side at the expense of the other. There should be a clear consensus on what the organisation wants its information security policy to achieve. The debate over the content and nature of the policy is encouraged during the early stages of the development process. In case of any disagreement after its establishment, enforcement is most likely to suffer.
3. Certification for IT Security Systems
According to Cyber Risk Analytics, human error contributes to over 60% of the reported breaches. This necessitates making cybersecurity a mandatory element of educational and training programs. Certification of systems and personnel serves as an important measure of excellence and commitment to quality.
4. Audit of Security Systems Compliance
Audits involving corporate personnel as well as the plant operations team will help identify the gaps in employee awareness as well as the implementation of systems and procedures. Through a third-party or expert agency assessment, the system could be benchmarked against industry
standards and best practices. Each audit should be a closed-loop with the recommended mitigations to close the gap.
5. Infrastructure IT Systems to Support “Smart Factory” Architecture
Smart factory architecture needs the support of manufacturing software that can provide visibility, connectivity, and autonomy via real-time insight. The entire manufacturing process is unified through seamless data flow between machines and enterprise systems. Intelligent systems bring in features like predictive analytics, machine learning, and autonomous decisions and actions (such as paying invoices, ordering materials, or making shipment decisions based on multiple sources and huge amounts of contextual fast data, analysed and leveraged in real-time with artificial intelligence and self-learning components).
Vivekananda Bhat is Industry Manager, Manufacturing Process Consulting Practice, Frost & Sullivan. To know more about Frost & Sullivan's analysis on COVID-19 from across the globe, visit: https://ww2.frost.com/insights/covid19/. For more information, contact Srihari Daivanayagam at [email protected]
