Security, Efficiency Must Converge

Wednesday, August 9, 2017 @ 02:08 PM gHale


By Jalal Bouhdada
The Industrial Internet of Things (IIoT) is a system of connected devices which brings the potential for significant efficiency gains – and with it, significant risk.

IIoT security is currently at an immature point in its lifecycle, requiring greater attention before it becomes a reliable facet of infrastructure.

A perfect case in point: under the WannaCrypt attack this June, Chernobyl’s nuclear power station suffered disruption, with automatic radiation monitoring systems knocked offline, forcing manual use. Furthermore, Industroyer, hailed as the largest threat to industrial environments since Stuxnet, was just revealed as the tailor-made malware that targeted Ukraine’s Ukrenergo in 2016.

There is no doubt the number and quality of attacks which affect industrial environments are rising, providing a greater challenge for industry to tackle than ever before. The reasons for this lack of security capacity are becoming apparent: it can be attributed to outdated technologies, unsecured IIoT systems or a simple lack of security best practices.

To date, the focus of the IIoT industry has been on accelerating the pace of innovation, echoing that seen in the consumer IoT sphere.

It is now becoming evident that implementing technology with a focus on productivity alone is a recipe for disaster, and must be tempered with effective security practices.

As with any unsecured technology, short-term benefits such as enhanced productivity and cost reduction will be felt immediately. However, the long-term impact of using such technology far outweighs the initial benefits. Among businesses utilizing Industrial Control Systems (ICS), ineffective cybersecurity practices were found to cost each one up to $498,045 per year.

Rising Cyber Threat
When focusing on industrial systems, attackers are now ready and able to lock down critical technology, motivated by the increased incentive for victims to pay a ransom.

When weighed against the cost of a lost batch or plant shut-down, a bitcoin payment becomes trivial in comparison to reduced productivity. While influencing process control is often a more difficult undertaking than locking systems, ransomware can have a highly disruptive impact. Organizations often overestimate their security capabilities: 83 percent of organizations utilizing ICS technology now claim they are prepared to meet cyber attacks head on. Clearly, more must be done, with half of businesses globally admitting to suffering between one and five security incidents in 2016.

With hackers deliberately targeting industrial environments for greater likelihood of return on investment, industry is no longer the obscure counterpart to IT technology. While IT security has developed in response to security threats, Operational Technology (OT) has not had the same incentive. Now, with IT threats making the leap to OT systems through networked technology, industry is left to contend with a security threat which has had decades to develop – without the security capacity to tackle that same threat head on.

Cultivating Collaboration
Networking of traditionally non-connected devices brings increased risk not often seen in OT.

Ransomware now presents a threat to OT systems comparable to the one it poses to IT. To encourage the development of secure OT, decision-makers have the opportunity to look beyond immediate efficiency results.

With rising investment into secure IIoT technology, the natural reaction from market leaders will be to create and develop this infrastructure further to meet product demand.

IIoT technology is heavily influenced by its IoT consumer counterpart, with initial security legislation still some time away.

The level and scale of innovation we see in this area does not lend itself to industrial environments.

Instead, industrial specialists must look to integrate a combined approach – one which takes the efficiency benefits provided by IIoT systems, and integrates them with strong, replicable security practices. To ensure maximum long-term benefit, IIoT technology must be designed, built and installed with security integrated across the product lifecycle and throughout the supply chain – a true collaboration between efficiency and security.

Jalal Bouhdada is the founder and principal ICS security consultant for Applied Risk. He has over 15 years’ experience in ICS security assessment, design and deployment, with a focus on the process control domain and industrial IT security.
