{"id":49507,"date":"2023-11-03T06:55:31","date_gmt":"2023-11-03T10:55:31","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=49507"},"modified":"2023-11-13T09:46:24","modified_gmt":"2023-11-13T14:46:24","slug":"insight-story-iiot-industry","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/insight-story-iiot-industry\/49507\/","title":{"rendered":"Industrial &#8216;Internet of Things:&#8217; Is security too far down the production line?"},"content":{"rendered":"<p>Imagine every part of the workplace \u2013 from manufacturing equipment to energy grids, healthcare devices to farms \u2013 had the connectivity of a smartphone. That\u2019s the Industrial Internet of Things (IIoT) \u2013 sometimes known as <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/industrial-iot\/28210\/\" target=\"_blank\" rel=\"noopener nofollow\">Industry 4.0<\/a>. It brings a host of efficiencies, like real-time data-analysis and improved <a href=\"https:\/\/en.wikipedia.org\/wiki\/Predictive_maintenance\" target=\"_blank\" rel=\"noopener nofollow\">predictive maintenance<\/a>.<\/p>\n<p>But with great connectivity comes great responsibility. IIoT can be especially vulnerable to attack. 
And while it\u2019s now widely used, many businesses know their IIoT systems are poorly protected.<\/p>\n<p>In the second episode of Insight Story season 2, guests Chris Kubecka, Netherlands-based security researcher, cyber warfare specialist and CEO of <a href=\"https:\/\/www.hypasec.com\/\" target=\"_blank\" rel=\"noopener nofollow\">HypaSec<\/a>, and Alison Peace, patient management operations manager for UK and Ireland at <a href=\"https:\/\/www.medtronic.com\/\" target=\"_blank\" rel=\"noopener nofollow\">Medtronic<\/a>, illuminate how industry can use and protect game-changing IIoT.<\/p>\n<p><iframe style=\"border: none;min-width: min(100%, 430px);height: 300px\" height=\"300\" scrolling=\"no\" src=\"https:\/\/www.podbean.com\/player-v2\/?i=kmuyy-14dc42f-pb&amp;from=pb6admin&amp;pbad=0&amp;square=1&amp;share=1&amp;download=1&amp;rtl=0&amp;fonts=Arial&amp;skin=1b1b1b&amp;font-color=auto&amp;logo_link=episode_page&amp;btn-skin=2baf9e&amp;size=300\" width=\"100%\"><\/iframe><\/p>\n<h2>Where is IIoT most commonly used?<\/h2>\n<p>All sectors are using IIoT, but some more than others. Chris says, \u201cThe maritime industry uses IIoT a lot. It\u2019s also widely used in the space industry, medical devices and critical infrastructure.\u201d<\/p>\n<div id=\"attachment_49514\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49514\" class=\"size-medium wp-image-49514\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/11\/03064728\/Alison-Peace-300x300.png\" alt=\"\" width=\"300\" height=\"300\"><p id=\"caption-attachment-49514\" class=\"wp-caption-text\">Alison Peace, UK and Ireland Patient Management Operations Manager for medical therapy and device producers Medtronic<\/p><\/div>\n<p>Medtronic is a global developer and producer of medical devices and therapies like insulin pumps, pacemakers and implantable defibrillators \u2013 all increasingly connected. 
Alison explains the patient benefits: \u201cIn the UK, more than 100,000 patients receive an implanted cardiac device each year. They then have constant hospital checks, which places a burden on healthcare services. Remote monitoring for cardiac devices started in basic form almost 20 years ago. Devices can now send wireless alerts if they detect a problem. Data shows patient outcomes are better \u2013 they don\u2019t go into hospital as much.\u201d<\/p>\n<h2>Cybercriminals have noticed loosely protected IIoT<\/h2>\n<p>Despite its relative newness, there have been many documented attacks on IIoT.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/w74tiaGfzfM?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;start=50&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<div id=\"attachment_49513\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49513\" class=\"wp-image-49513 size-medium\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/11\/03064404\/Chris-Kubecka-300x300.jpg\" alt=\"Chris Kubecka\" width=\"300\" height=\"300\"><p id=\"caption-attachment-49513\" class=\"wp-caption-text\">Chris Kubecka, security researcher, cyberwarfare specialist and CEO of HypaSec<\/p><\/div>\n<p>In 2014 <a href=\"https:\/\/securityintelligence.com\/german-steel-mill-meltdown-rising-stakes-in-the-internet-of-things\/\" target=\"_blank\" rel=\"noopener nofollow\">an attack on a German steel mill\u2019s IIoT systems killed three people<\/a> and injured many more. The attacker gained access to the mill\u2019s office network then compromised its industrial control system. 
The compromise prevented a blast furnace shutting down, leading to an explosion.<\/p>\n<p>Even without a breach, users finding vulnerabilities in everyday tech means reputation-damaging headlines. At-home stationary fitness bike makers <a href=\"https:\/\/www.forbes.com\/sites\/emilsayegh\/2021\/07\/22\/peloton-breach-reveals-a-coming-iot-data-winter\" target=\"_blank\" rel=\"noopener nofollow\">Peloton were embarrassed when a security researcher found their gear included an open channel<\/a> that allowed access to users\u2019 private information like weight, gender and date of birth.<\/p>\n<p>Similarly, a\u00a0<a href=\"https:\/\/www.washingtonpost.com\/technology\/2021\/03\/10\/verkada-hack-surveillance-risk\/\" target=\"_blank\" rel=\"noopener nofollow\">hacker accessed footage from Verkada internet-connected security cameras.<\/a><\/p>\n<h2>Securing industrial smarts<\/h2>\n<p>Dr. Amin Hasbini, Head of Research Center Middle East, Turkey and Africa for Kaspersky\u2019s Global Research and Analysis Team (GReAT), is concerned about the gap between businesses who use IIoT and those who fully secure it. \u201cA recent Kaspersky study found <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2023_miscommunications-in-it-security-lead-to-cybersecurity-incidents-in-62-of-companies\" target=\"_blank\" rel=\"noopener nofollow\">over 60 percent of businesses use IoT<\/a>. But close to half say these systems aren\u2019t fully protected. A third of these organizations blame lack of budget, but when it\u2019s not resources stopping them, what is it?\u201d<\/p>\n<p>Whatever it is, senior leaders in organizations using IIoT must shift the barriers to best-practice security.<\/p>\n<p>Amin says, \u201cSome technology vendors race to add features while largely ignoring security.\u201d<\/p>\n<blockquote><p>When vendors demonstrate a solution out-of-the-box, it\u2019s always as magnificent as a butterfly. 
But once implemented and confronting real-life scenarios, it\u2019s as vulnerable as a butterfly too.<\/p>\n<cite><p>Dr. Amin Hasbini, Head of Research Center Middle East, Turkey and Africa, Global Research and Analysis Team (GReAT), Kaspersky<\/p><\/cite><\/blockquote>\n<p>\u201cThe challenge starts at the top in each organization. If security becomes a priority, it gets translated into policies, guidelines and methods.\u201d<\/p>\n<p>Chris advises thinking about when security may not be front of mind in your organization\u2019s tech decision-making. \u201cYour procurement department will be looking for the least expensive deal, but that deal might not include the best security.\u201d<\/p>\n<p>She continues, \u201cMany IIoT systems come with older operating systems that don\u2019t have the security settings you\u2019d want. And then, there may not be a secure way to update the software. These are some of the risks. Know what you\u2019re buying so you can plan ahead and mitigate those risks.\u201d<\/p>\n<p>Alison says medical devices are now made differently to ensure security. \u201cIt\u2019s important to incorporate an encryption module to make sure others can\u2019t read the device\u2019s data. Our devices don\u2019t connect to the internet, but use a pass-through to a monitor or app. Data is encrypted in the device and sent encrypted.\u201d<\/p>\n<p>Alison believes the high standards of institutions they work with help give patients confidence in their devices. \u201cIn the UK and Ireland there are strict controls when health systems engage third parties. You must have rules, regulations and systems in place to work with hospitals.\u201d<\/p>\n<p>Chris also has recommendations for contracts with third parties. \u201cFor encryption, your contract should specify meeting the standards of the time. So when you renew, the expectation is to keep to those standards. 
Have a <a href=\"https:\/\/www.kaspersky.com\/blog\/vulnerability-disclosure-ethics\/35581\/\" target=\"_blank\" rel=\"noopener nofollow\">responsible disclosure policy<\/a>, and ensure your suppliers have good data security and privacy policies.\u201d<\/p>\n<p>She says don\u2019t be shy to end a technology vendor relationship if security conversations feel awkward. \u201cIf you don\u2019t feel comfortable speaking about cybersecurity and privacy with your supplier, look for a new one. Look at suppliers who take part in security conferences. If they\u2019re actively looking at security, that gives credence.\u201d<\/p>\n<h2>Is regulation keeping up with IIoT?<\/h2>\n<p>Chris thinks business should expect regulation around IIoT to speed up. \u201cThe tech\u2019s definitely moving faster than law, but there are some guidelines and frameworks.\u201d<\/p>\n<blockquote><p>More governments and industry are aware of the potential risks. We\u2019re tackling this problem: We\u2019re able to talk about it with people who aren\u2019t super tech nerds.<\/p>\n<cite><p>Chris Kubecka, security researcher, cyber warfare specialist and CEO, HypaSec<\/p><\/cite><\/blockquote>\n<p>Alison feels those designing IIoT must allow for changing security requirements \u2013 something Medtronic has strived for. \u201cOur global security office is tasked with making sure our devices comply with standards worldwide. National legislation could say, we want the data from your device in this format, and our devices are designed to enable that.\u201d<\/p>\n<h2>Simplifying a tangled net of things<\/h2>\n<p>Chris thinks IIoT manufacturers could aspire to lead in many ways, but chiefly, making levels of security simple to understand. \u201cStart applying what I call \u2018easy standards,\u2019 like a traffic light system, so consumers and companies can know if something has a minimum level of security \u2013 for example, can it be updated? 
Medical uses would need a higher standard compared with consumer home grade.\u201d<\/p>\n<p>Alison agrees that clear and standard practice matter. \u201cA third party can easily comply with clearly communicated, standardized security requirements. Open communication and clear criteria are essential.\u201d<\/p>\n<p>IIoT is already commonplace and will only grow as those organizations yet to adopt see its potential to improve productivity and reduce costs. As technology becomes increasingly connected, securing IIoT is fundamental to the safety of just about everything in our lives. As Chris warns, \u201cI want to retire knowing my own technology won\u2019t kill me.\u201d<\/p>\n<p>Leaders can keep their organization and customers safe by asking the right questions and pursuing IIoT vendors who prioritize security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most workplaces are now using IIoT, but is its security improving? Experts express concern and give insight to help business stay 
safe.<\/p>\n","protected":false},"author":2521,"featured_media":49508,"template":"","coauthors":[3452],"class_list":{"0":"post-49507","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-industrial-cybersecurity","7":"emagazine-category-internet-of-things","8":"emagazine-tag-audio","9":"emagazine-tag-insight-story","10":"emagazine-tag-podcast"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/insight-story-iiot-industry\/49507\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/insight-story-iiot-industry\/29267\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/49507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/49508"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=49507"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=49507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}