Securing the IoT by design

15 September 2020

Joe Lomako offers advice on the preventative measures that can be taken to secure processes against cyber attacks.

As devices, systems and processes become increasingly digitised and interconnected, the Internet of Things (IoT) offers opportunities for industry. However, the same technologies which enable value creation, also provide new attack surfaces for cyber criminals. For example, an open port on a device enabling a hacker to infiltrate the networks of companies and the critical infrastructure of connected production facilities. 

In the IoT age, every wireless-enabled product represents a potential threat to data security and privacy, but proactive, robust security planning enables a manufacturer to manage cybersecurity risk to mitigate attacks. 

Preventative security measures should begin at the design phase, or even the concept phase, employing the principle of ‘Secure by Design’. Although, as the name suggests, this is aimed at the design stage, it is important to understand that security is a continuous process. 

So, the Secure by Design principal is sensible. However, that in itself has to be defined. This process should therefore begin with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to determine the appropriate security requirements for that product and indeed of the IoT system as a whole.

After risks are understood, the next step is to evaluate the hardware and software – the ‘attack surface’. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security is very difficult to install as a software add-on after product development. Every aspect must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications. 

Following component testing, an end-to-end assessment should be performed to determine the attack resilience of the individual components and support services. It is important that this process is continuous. The questions, ‘have we found every vulnerability?’ or ‘have we introduced new vulnerabilities?’ are always in the air. Thus, implementing a process of security validation for updates during the product lifecycle is also important.

Industry standards
There is often a perception that because a system is complex that it is automatically secure. Unfortunately this is not always the case. 

The introduction of the NIS Directive (security of network & information systems) in Europe is intended to improve this situation, but uptake is slow, as is the introduction of the standards required to assist in improving cyber security. However, standards do exist, or are being developed by international organisations, aimed at providing baseline protection which would help to deliver basic security provisions for a first line in cyber defence.  

The two main standards for IoT devices are NIST 8259 (US) and Draft EN 303 645 (EU). The scope of the NIST has been written with the intent to address a wide range of IoT type products, which have at least one transducer. So, it follows that it can apply to Industry 4.0 products. More importantly this standard has been mandated in California under State Bill No. 327, and it will likely pervade across the US.

However, the scope of the Draft EN 303 645 standard is aimed only at consumer IoT devices, so is not applicable for industrial products, although the general principles therein can certainly be applied generically to afford some modicum of protection.

Taking control
There is some debate that the present cyber security standards are lacking detail and appropriate in application, and do not adequately cover the scope of typical industrial applications. So, manufacturers should consider their own programmes and a starting point would be:

• Think ‘Secure by design’ and take a proactive approach to cybersecurity recognising that attacks are ‘when not if’.
• Ensure up to date compliance with all standards.
• Constantly review ‘cyber resistance’ status.

Ongoing investment in cyber security is crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat new forms of hacker attacks into critical IT infrastructure. For example, companies often neglect IT-security training of their staff, even though social engineering has long been a standard weapon in every cybercriminal’s arsenal. 

Following new IT investment or company acquisitions, businesses also often forget to disconnect obsolete or unused equipment. These may be running unsupported operating systems and are missing updated security patches and this opens gaps for hacker attacks. 

Traditionally ‘pattern matching’ has been used to identify security risks in the IT infrastructure, but this is no longer enough as cyberattacks are increasingly implemented with the use of machine learning and artificial intelligence. So companies should focus on identification of anomalies by deploying artificial intelligence in their cyber security efforts.

Cyber security is becoming a focal topic not only for IT managers, but increasingly also for C-level management. However, executives and IT experts often do not communicate effectively and adopt different perspectives on many issues. In this case, it is helpful to adopt a level of communication that is appropriate for the respective target group. Otherwise, communication problems may delay necessary IT security investment.
While having some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider exposure to assessing various types of product or infrastructure and be better equipped to help manage new and evolving cyber threats. Tackling the problems of cyber security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring – from design through to obsolescence.

Joe Lomako is business development manager (IoT) at TÜV SÜD.

Contact Details and Archive...

Print this page | E-mail this page