Protecting Service Revenue from Hackers: Cybersecurity for Connected Maintenance Apps

Industry 4.0 has already created a raft of exciting opportunities for manufacturers and predictive maintenance is a great example of this. With the benefits of increased connectivity and real-time data collection, traditional maintenance models are evolving from “repair & replace” to “predict & prevent.” Predictive maintenance shortens service interruptions and can avoid downtime altogether, resulting in enormous cost savings and higher customer satisfaction.

With equipment getting more complicated, smarter and more interconnected, manufacturers are now going beyond predictive maintenance and developing proprietary mobile apps to support their service technicians in the field. These apps give technicians service information and history, diagnostics, performance measurement and the ability to tune systems while on-site. They can also provide an augmented-reality guide to critical service operations, which helps improve the quality of the service and reduces the need for specialized knowledge and training.

These new categories of apps are vital to the economics of the service and maintenance business and carry the information needed to work on the complicated machines found on a manufacturing floor today. That makes them a key target for attackers who supply grey market service providers, and possibly for industrial espionage by competitors.

However, as is the case in so many connected industries, and in mobile apps in general, inadequate cybersecurity is proving to be a big risk. Even WhatsApp, which trades on its security and end-to-end encryption, has recently been in the news over a security vulnerability, and in industry, popular maintenance apps have been hacked in the past.

Addressing security issues
The bottom line is that if an attacker can copy, tamper with or bypass the licensing of a maintenance app, the service business built on it is compromised – a business which makes up more and more of a manufacturer’s ongoing revenue. Competition from unauthorized service and maintenance providers armed with the manufacturer’s own tooling then poses a substantial threat to the business model.

One example of the impact of a hacked service app is a well-known maker of farming machinery. The organization attempted to roll out a service application that required all equipment maintenance to be performed by authorized technicians, but the lack of software security meant the application licenses were easily circumvented. The end result was that both the anticipated service revenue and the direct application revenue were dramatically curtailed by poor software security.

Manufacturers must also consider that their connected maintenance apps may well contain their intellectual property: diagnostic logic, calibration parameters and proprietary algorithms. If that is extracted, attackers can monetize it by selling it on the Dark Web or by holding the business to ransom.

There are also potential health and safety and legal repercussions. If the app is copied and used by untrained, unauthorized service technicians, it can put the equipment’s users in physical danger, with lawsuits to follow. Equally, without tight control over the service app and a log of its activity, manufacturers could struggle to stop the use of grey market parts, again potentially endangering the end user.

All these dangers exist within the service and maintenance business itself, but an attacker who controls a mobile app also holds the credentials and back-end connectivity built into it, and can use them to pivot onto the corporate network, placing even more valuable data at their fingertips.

Deploying apps in a hostile environment
Despite the risks posed to companies through mobile apps of this nature, security is still often not up to the standard it should be. This is partly because security is often an afterthought in the development of mobile apps, which makes it difficult to integrate properly later on. It is also because many companies still rely on standard mobile security measures such as Mobile Device Management (MDM)/Mobile Application Management (MAM), app wrapping and authentication. These controls assume the app is running on a device the organization manages; an attacker pulling a copy of the app apart on their own device is outside their reach entirely. Although these measures are valuable, security needs to be more extensive, particularly if there is critical IP in the app.

As a result, there are three crucial elements which organizations must consider when it comes to application security:

  • Design security in – Software engineers need security training at the beginning of the software development lifecycle, and a security design review should be done by a reputable application protection vendor or threat and risk assessment specialist.
  • Apply layered software protection techniques to your app and APIs – Service maintenance apps require strong, multi-layered software security. This should include data security at rest and in transit, network/API security and robust software protection for IP. The apps can also be protected by code hardening tools that conceal proprietary algorithms and secrets, including cryptographic keys, private and personal data, and credentials, so that they cannot simply be read out of the shipped binary.
  • Develop a monitoring, maintenance and feedback plan – Application security can never be a ‘set-and-forget’ scenario. It requires ongoing monitoring, maintenance and feedback. Software protection tools should offer easy diversification and renewability: a simple change of a random seed should generate an entirely new instance of the secured code, so that an attack worked out against one release does not carry over to the next.
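To make the second and third points concrete, here is a toy string-table hardening pass written for this article. It is an added example, not code from the article or from any application protection vendor: a naive build embeds its secrets in cleartext, so a strings(1)-style scan of the binary recovers them, while the protected build masks each literal with a keystream derived from a build seed; changing only that seed yields a completely different protected artefact that still decodes to the same values. The API key, URL and the byte “image” standing in for a compiled binary are constructed sample data.

```python
# Added example (not from the article or any vendor's tooling): a toy
# string-table "hardening" pass that demonstrates two points from the list.
#   1. A naive build embeds its secrets as cleartext, so a strings(1)-style
#      scan of the binary recovers them; the protected build does not.
#   2. Diversification: changing only the build seed produces an entirely
#      different protected artefact that still decodes to the same values.
# The secrets, URL and "binary image" below are constructed sample data.
import hashlib
import hmac
import re
import struct
from typing import Dict, List

# Constructed sample literals a maintenance app might ship with.
APP_LITERALS: Dict[str, str] = {
    "api_key": "sk_live_EXAMPLE_do_not_use_0123456789",
    "service_url": "https://service.example.invalid/v1/diagnostics",
}


def keystream(seed: bytes, label: str, length: int) -> bytes:
    """Deterministic per-build, per-literal keystream: HMAC-SHA256 over
    (label || counter), so each literal in each build gets its own mask."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = label.encode() + struct.pack(">I", counter)
        out += hmac.new(seed, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(literals: Dict[str, str], seed: bytes) -> Dict[str, bytes]:
    """Build-time pass: replace every literal by its masked form."""
    table: Dict[str, bytes] = {}
    for name, value in literals.items():
        data = value.encode()
        mask = keystream(seed, name, len(data))
        table[name] = bytes(a ^ b for a, b in zip(data, mask))
    return table


def recover(table: Dict[str, bytes], seed: bytes, name: str) -> str:
    """Runtime decoder the hardened app would call on demand (not once at
    start-up into a long-lived global, which would defeat the purpose)."""
    masked = table[name]
    mask = keystream(seed, name, len(masked))
    return bytes(a ^ b for a, b in zip(masked, mask)).decode()


def image(chunks: List[bytes]) -> bytes:
    """Stand-in for the compiled binary: the data section laid out end to end."""
    return b"\x00".join(chunks)


def strings_scan(blob: bytes, min_len: int = 8) -> List[str]:
    """Mimics strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def leaked_literals(blob: bytes, literals: Dict[str, str]) -> List[str]:
    """Names of the original literals a strings(1)-style scan recovers verbatim."""
    found = strings_scan(blob)
    return [name for name, value in literals.items()
            if any(value in s for s in found)]


def compare_builds(seed_a: bytes, seed_b: bytes) -> Dict[str, object]:
    """Run the whole demonstration and return the facts worth checking."""
    naive = image([v.encode() for v in APP_LITERALS.values()])
    table_a = protect(APP_LITERALS, seed_a)
    table_b = protect(APP_LITERALS, seed_b)
    return {
        "naive_leaks": leaked_literals(naive, APP_LITERALS),
        "protected_leaks": leaked_literals(image(list(table_a.values())), APP_LITERALS),
        "builds_differ": table_a != table_b,
        "roundtrip_ok": all(recover(table_a, seed_a, n) == v
                            for n, v in APP_LITERALS.items()),
    }


if __name__ == "__main__":
    print(compare_builds(b"release-1.0-seed", b"release-1.1-seed"))
```

Two caveats a practitioner should keep in mind. First, the seed ships inside the app, so this defeats only static extraction: anyone who runs the app under a debugger or instrumentation will see the decoded values, which is why real code hardening tools layer control-flow obfuscation, anti-tamper and anti-debug checks on top of string encryption. Second, the right answer for a long-lived credential such as the API key above is not to hide it better but to not ship it at all, and instead have the back end issue short-lived, per-session tokens once the app has authenticated; that is the network/API security layer the list calls for.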

In the age of Industry 4.0, connected maintenance apps play an important role in creating a thriving service and maintenance business for equipment manufacturers. However, deploying mobile apps in a hostile environment, such as off-the-shelf tablets and phones where they can be easily reverse engineered or copied, may have quite the opposite effect.

To protect your service business model and critical IP, you must create a robust application security strategy. Ideally this takes a defence-in-depth approach that combines secure coding best practices, regular analysis and feedback, and advanced software protection techniques. Done well, it ensures that the software protection keeps evolving from one release to the next rather than standing still while attackers catch up.
