The business value of IoT is in doubt unless we solve the cybersecurity challenge

In today's internet of things era, businesses must address cybersecurity threats or risk losing out.

This is a contributed piece by Didier Appell, Head of Cybersecurity for Products and Industrial systems at Sogeti High Tech, Capgemini Group


The C-suite is well aware of the incredible potential Internet of Things (IoT) technologies have to generate business value. However, that potential is in danger of not being maximized unless IT can solve the associated cybersecurity challenges first.

With 62% of manufacturers already deploying IoT across their operations, the industrial sector provides CISOs with a great starting point for best practices that will help identify and remediate threats to their businesses.


The IoT challenge: the end of the air gap

IoT is predicted to generate economic value of up to $11.1 trillion a year by 2025, so organizations that securely deploy the technology early have an opportunity to gain a significant competitive advantage. But with every IoT device representing a new attack vector that can be exploited, it’s a complex task.

According to Gartner, there will be around 20.4 billion IoT devices in use by 2020, all of which will collect and transmit data, much of it of a sensitive nature. Industrial organizations have been early adopters due to the operational efficiencies IoT enabled robotics and automation can provide. Yet a single cybersecurity breach can easily negate these benefits.

Researchers at security firm Trend Micro and Italy's Politecnico di Milano demonstrated this by hacking the kind of robotic arm commonly used in the industrial sector. They were able to cause it to insert defects into products, permanently damage itself, and even appear to be in safe mode when actually fully active – an extremely dangerous scenario should someone be within its range of movement. Interestingly, we achieved similar results in test attacks on robots in Capgemini’s labs.

The industrial sector used to depend on an approach called the ‘air gap’ – which involves physically isolating systems from unsecured networks and the public internet. This is no longer a viable approach for a number of reasons. A major issue is that consumer IoT products and trends like Bring Your Own Device (BYOD) mean that it’s become more difficult to prevent employees inadvertently bringing risk into an organization – a corrupted USB stick can be all it takes to compromise systems.

Furthermore, modern businesses need to access the cloud to compete: industrial manufacturers, for instance, increasingly use sophisticated equipment like robotics. If this specialist machinery breaks down, the organization will most likely not have the skills needed to fix it in-house. Instead, it is much more cost effective for a specialist engineer to run remote diagnostics via an internet connection than to travel to the site. This is not possible under the ‘air gap’ approach to security.


Assessing your exposure

CISOs need to be able to trust the integrity of their systems, but in the age of connected tech it can be difficult to know where the vulnerabilities lie. I’ve even heard accounts of plant managers inspecting machinery that, to their knowledge, was not supposed to be capable of sharing data, and finding SIM cards built in that enabled it to do so.

This is why the first step in addressing industrial IoT security is to conduct a comprehensive technical risk analysis including full mapping of equipment on-site. This will identify weaknesses and help IT create a plan that dictates where security efforts need to be focused. This may sound like common sense but a study from Deloitte found that almost a third of manufacturers had yet to conduct any sort of risk assessment of their industrial systems.

Cybersecurity needs to be based on accurate, organization-specific insights for two key reasons: firstly, to ensure it keeps threats out, and secondly because ill-targeted or excessive cybersecurity measures can actually degrade overall plant performance. Ultimately, there’s a balance to be struck – extensive asset monitoring, for example, would effectively safeguard against threats, but it is impractical and can negatively impact output across the production line.


The importance of collaboration

Following a risk assessment, the next task is to implement security measures specifically designed to defend the identified vulnerabilities. When it comes to IoT devices, this can mean re-routing the access they have to wider systems through gateways, which can be more reliably secured. Further device authentication measures are required to secure communications between IoT devices and the wider IT systems.

People are always one of the biggest cybersecurity threats to an organization, so steps should also be taken to minimize workforce-related risks. Training is a must, but organizations cannot always depend on employees to make the right decisions. That’s why it’s a good idea to deploy hardware that can scan devices like USB keys and laptops for malicious software before they are connected.

Beyond specific measures like these, industrial organizations need to change the nature of the relationship they have with vendors – cybersecurity used to be a set of products you could buy, whereas today it needs to be more of an ongoing program of collaboration between businesses and technology providers. CISOs need to ensure there are contractual obligations in place for third-party software and hardware vendors to provide ongoing cybersecurity support. This is essential to ensure equipment performs effectively and does not become a potential entry point for hackers.


Always on guard in the IoT era

Ongoing assessment and vigilance are paramount in the IoT era. Threats are always evolving, and some are designed to lie dormant for long periods of time once they infiltrate a system. Moreover, with the EU’s new General Data Protection Regulation (GDPR) set to come into effect on 25th May 2018, the added risk of non-compliance means CISOs should be looking to address this as a matter of priority.

In the past, there has sometimes been a mentality of “if it ain’t broke, don’t fix it”, especially in the industrial sector. But with the bottom line, and even lives at stake, CISOs can’t afford to take these kinds of risks anymore.