Industrial cybersecurity

Industrial ‘Internet of Things’: Is security too far down the production line?

Most workplaces are now using IIoT, but is its security improving? Experts express concern and give insight to help business stay safe.

Art by Paul Sizer

Imagine every part of the workplace – from manufacturing equipment to energy grids, healthcare devices to farms – had the connectivity of a smartphone. That’s the Industrial Internet of Things (IIoT) – sometimes known as Industry 4.0. It brings a host of efficiencies, like real-time data-analysis and improved predictive maintenance.

But with great connectivity comes great responsibility. IIoT can be especially vulnerable to attack. And while it’s now widely used, many businesses know their IIoT systems are poorly protected.

In the second episode of Insight Story season 2, guests Chris Kubecka, Netherlands-based security researcher, cyberwarfare specialist and CEO of HypaSec, and Alison Peace, patient management operations manager for UK and Ireland at Medtronic, illuminate how industry can use and protect game-changing IIoT.

Where is IIoT most commonly used?

All sectors are using IIoT, but some more than others. Chris says, “The maritime industry uses IIoT a lot. It’s also widely used in the space industry, medical devices and critical infrastructure.”

Alison Peace, UK and Ireland Patient Management Operations Manager for medical therapy and device producer Medtronic

Medtronic is a global developer and producer of medical devices and therapies like insulin pumps, pacemakers and implantable defibrillators – all increasingly connected. Alison explains the patient benefits: “In the UK, more than 100,000 patients receive an implanted cardiac device each year. They then have constant hospital checks, which places a burden on healthcare services. Remote monitoring for cardiac devices started in basic form almost 20 years ago. Devices can now send wireless alerts if they detect a problem. Data shows patient outcomes are better – they don’t go into hospital as much.”

Cybercriminals have noticed loosely protected IIoT

Despite its relative newness, there have been many documented attacks on IIoT.

Chris Kubecka

Chris Kubecka, security researcher, cyberwarfare specialist and CEO of HypaSec

In 2014 an attack on a German steel mill’s IIoT systems killed three people and injured many more. The attacker gained access to the mill’s office network, then compromised its industrial control system. The compromise prevented a blast furnace from shutting down, leading to an explosion.

Even without a breach, users finding vulnerabilities in everyday tech means reputation-damaging headlines. At-home stationary fitness bike makers Peloton were embarrassed when a security researcher found their gear included an open channel that allowed access to users’ private information like weight, gender and date of birth.

Similarly, a hacker accessed footage from Verkada internet-connected security cameras.

Securing industrial smarts

Dr. Amin Hasbini, Head of Research Center Middle East, Turkey and Africa for Kaspersky’s Global Research and Analysis Team (GReAT), is concerned about the gap between businesses that use IIoT and those that fully secure it. “A recent Kaspersky study found over 60 percent of businesses use IoT. But close to half say these systems aren’t fully protected. A third of these organizations blame lack of budget, but when it’s not resources stopping them, what is it?”

Whatever it is, senior leaders in organizations using IIoT must shift the barriers to best-practice security.

Amin says, “Some technology vendors race to add features while largely ignoring security.”

When vendors demonstrate a solution out-of-the-box, it’s always as magnificent as a butterfly. But once implemented and confronting real-life scenarios, it’s as vulnerable as a butterfly too.

Dr. Amin Hasbini, Head of Research Center Middle East, Turkey and Africa, Global Research and Analysis Team (GReAT), Kaspersky

“The challenge starts at the top in each organization. If security becomes a priority, it gets translated into policies, guidelines and methods.”

Chris advises thinking about the points at which security may not be front of mind in your organization’s tech decision-making. “Your procurement department will be looking for the least expensive deal, but that deal might not include the best security.”

She continues, “Many IIoT systems come with older operating systems that don’t have the security settings you’d want. And then, there may not be a secure way to update the software. These are some of the risks. Know what you’re buying so you can plan ahead and mitigate those risks.”

Alison says medical devices are now made differently to ensure security. “It’s important to incorporate an encryption module to make sure others can’t read the device’s data. Our devices don’t connect to the internet, but use a pass-through to a monitor or app. Data is encrypted in the device and sent encrypted.”
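The architecture Alison describes, in which the device encrypts its own data and the monitor or phone app is only a pass-through, can be shown in code. The following is an added example and is not Medtronic’s code or a description of any real product’s protocol. It assumes a symmetric per-device key provisioned at manufacture, AES-256-GCM from Go’s standard library, and the device identifier bound as associated data; the function names and the sample telemetry are constructed for illustration. The relay holds no key, so it can neither read the record nor alter it without the clinic backend noticing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrAuth is returned when the monitor cannot authenticate a blob: it was
// altered in transit, was sealed for a different device, or used another key.
var ErrAuth = errors.New("telemetry blob failed authentication")

// newAEAD wraps a 32-byte device key in AES-256-GCM (hypothetical key scheme).
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("device key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DeviceSeal runs on the implant or sensor: it encrypts and authenticates a
// telemetry record before it leaves the device. The device ID is bound as
// associated data so a blob cannot be presented as coming from another device.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag.
func DeviceSeal(key []byte, deviceID string, telemetry []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, telemetry, []byte(deviceID)), nil
}

// RelayForward models the pass-through (home monitor or phone app). It has no
// key, so all it can do is copy the opaque blob onward.
func RelayForward(blob []byte) []byte {
	out := make([]byte, len(blob))
	copy(out, blob)
	return out
}

// MonitorOpen runs at the clinic backend: it verifies the tag and decrypts.
// Any change made by the relay, or a mismatched device ID, yields ErrAuth.
func MonitorOpen(key []byte, deviceID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, ErrAuth
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(deviceID))
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

// RoundTrip runs the three-party flow. When tamper is true the relay flips one
// bit of the blob, which the monitor must reject with ErrAuth.
func RoundTrip(key []byte, deviceID string, telemetry []byte, tamper bool) ([]byte, error) {
	blob, err := DeviceSeal(key, deviceID, telemetry)
	if err != nil {
		return nil, err
	}
	forwarded := RelayForward(blob)
	if tamper {
		forwarded[len(forwarded)-1] ^= 0x01
	}
	return MonitorOpen(key, deviceID, forwarded)
}

func main() {
	// Constructed sample key and record; a real device would hold a unique
	// key from provisioning rather than a fixed value.
	key := bytes.Repeat([]byte{0x42}, 32)
	telemetry := []byte(`{"device":"icd-0001","event":"lead_impedance_high"}`)

	got, err := RoundTrip(key, "icd-0001", telemetry, false)
	fmt.Printf("untampered: %q err=%v\n", got, err)

	_, err = RoundTrip(key, "icd-0001", telemetry, true)
	fmt.Printf("tampered at relay: err=%v\n", err)
}
```

The point to take from this is the trust boundary: the app or monitor in the middle is treated as untrusted transport, so compromising it exposes neither the readings nor the ability to forge them. Key provisioning and rotation, which the example hard-codes, are where the contract clauses Chris describes later in the article come in.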

Alison believes the high standards of the institutions they work with help give patients confidence in their devices. “In the UK and Ireland there are strict controls when health systems engage third parties. You must have rules, regulations and systems in place to work with hospitals.”

Chris also has recommendations for contracts with third parties. “For encryption, your contract should specify meeting the standards of the time. So when you renew, the expectation is to keep to those standards. Have a responsible disclosure policy, and ensure your suppliers have good data security and privacy policies.”

She says not to be shy about ending a technology vendor relationship if security conversations feel awkward. “If you don’t feel comfortable speaking about cybersecurity and privacy with your supplier, look for a new one. Look at suppliers who take part in security conferences. If they’re actively looking at security, that gives credence.”

Is regulation keeping up with IIoT?

Chris thinks business should expect regulation around IIoT to speed up. “The tech’s definitely moving faster than law, but there are some guidelines and frameworks.”

More governments and industry are aware of the potential risks. We’re tackling this problem: We’re able to talk about it with people who aren’t super tech nerds.

Chris Kubecka, security researcher, cyberwarfare specialist and CEO, HypaSec

Alison feels those designing IIoT must allow for changing security requirements – something Medtronic has strived for. “Our global security office is tasked with making sure our devices comply with standards worldwide. National legislation could say, we want the data from your device in this format, and our devices are designed to enable that.”

Simplifying a tangled net of things

Chris thinks IIoT manufacturers could aspire to lead in many ways, but chiefly, making levels of security simple to understand. “Start applying what I call ‘easy standards,’ like a traffic light system, so consumers and companies can know if something has a minimum level of security – for example, can it be updated? Medical uses would need a higher standard compared with consumer home grade.”

Alison agrees that clear, standardized practice matters. “A third party can easily comply with clearly communicated, standardized security requirements. Open communication and clear criteria are essential.”

IIoT is already commonplace and will only grow as those organizations yet to adopt see its potential to improve productivity and reduce costs. As technology becomes increasingly connected, securing IIoT is fundamental to the safety of just about everything in our lives. As Chris warns, “I want to retire knowing my own technology won’t kill me.”

Leaders can keep their organization and customers safe by asking the right questions and pursuing IIoT vendors who prioritize security.

About authors

Susi O’Neill is the Editor-in-Chief of Secure Futures and host of business tech podcast Insight Story. She’s a seasoned creative who’s led business content programs for brands including EY, Mastercard and Unilever. Off the clock, she’s a musician and performer who gives international performances playing theremin, the world’s first electronic instrument.