Don't Manufacture Cyber-Risk

Written by

The industrial sector is rapidly realizing the vast potential for digital-physical systems to improve efficiency and performance. However, this realization is going to incur an increase in both cyber-risk likelihood and impact to the sector’s production processes, supply chains and workforce.

A power plant that uses smart sensors to monitor temperature or pressure presents an interesting example of the new risks posed to the sector. Should the system reach an unacceptable level, an alarm can be sounded and release valves may be utilized to resolve the situation. However, if a hacker were to gain access to this system it is not beyond the realms of possibility that they could disable this crucial safety functionality. This could therefore cause critical situations to occur without employees being aware.  The safety repercussions of this type of incident are relatively unique due to the nature of the industrial sector. When hackers are able to take down internet commerce websites it has a negative impact on revenue for a spell. However, if a hacker is able to affect physical equipment in an area such as a power plant the situation becomes much more dangerous, could cause significant damage to equipment and, ultimately, put lives at risk.

Manufacturing in an Internet of Things (IoT) Environment

Hackers are able to initiate attacks against smart devices the same way they have been attacking computers for years. Most of the wireless protocols that are currently being used by smart devices have well known vulnerabilities such as weak encryption and the devices have weak configurations such as open ports and default passwords. When the average person sets up a smart device and has it up and running, as far as they’re concerned the job is done. There is no thought to security. The problem lies in the fact that, for these devices to communicate, they must have functionality such as the ability to transfer data or access network. These are very rarely locked down and therefore provide hackers with an easy access point to smart devices.

The manufacturing industry views the Internet of Things (IoT) as the latest industrial revolution, or industry 4.0, and has acknowledged that the implementation of IoT can create more efficient manufacturing plants that allow for increased productivity while reducing energy consumption.

The most pressing vulnerabilities currently lie in the lack of manufacturing companies considering security implications before developing and connecting these devices to the internet without proper protection. One of the latest issues caused by the IoT was a botnet of things (or as the press liked to call it – ‘Thingbots’) discovered by Proofpoint at the end of 2013. Proofpoint discovered that out of all the devices sending spam (routers, printers, computers etc.) there included in this botnet at least one smart fridge.

This demonstrates that the IoT is being actively attacked, and should a manufacturing plant become compromised, there is the potential for very real repercussions when devices act in totally unexpected ways that no one has prepared for. Does your business have an incident response plan for a hacking fridge?

In order to minimize the security risk of the IoT, it is important that manufacturers take into consideration both software and hardware when developing their device(s).  Most issues currently identified within the IoT are caused due to poor security configuration. It is important that, as the IoT develops, devices use secure software and abide by current security best practice policies. Utilising secure hardware that can implement secure boot and storage locations will also significantly help to secure the data held by smart devices.

How Can Manufacturers Ensure Their Sensors and Equipment are Protected?

Security must be considered well in advance and throughout every product’s lifecycle. To date, the majority of IoT attacks have been successful due to poor security configuration such as default credentials. Adoption of accepted security standards needs to be implemented to ensure that smart devices do not end up as vulnerable to attack as desktops were ten years ago.

From a business perspective, you should also be getting your information security team to help define your digital strategy, as opposed to holding it back. New technology will always simultaneously provide businesses with a huge competitive advantage and an almighty impact on their cyber-risk profile. However, the companies that are able to proactively research and assess new technology before it is required will ensure their organization stays (and remains) one step ahead.

So What Now?

Companies developing products designed for the IoT need to acknowledge that they more than likely have no experience with device security. It is not in the interest of a company that builds toasters to be aware of the potential havoc an internet-connected toaster could wreak on the world.

Indeed, the whole idea of a malicious toaster may be considered almost laughable or something out of a sci-fi novel. However, the fact remains that once this device is connected to the internet there exists an endless possibility for its usage – whether that be a platform for hackers to attack networks or to assimilate into an existing botnet that can then use the device to distribute spam or conduct Denial of Service attacks.

What’s hot on Infosecurity Magazine?