Manufacturers are increasingly adopting IIoT technology with the goal of boosting manufacturing productivity, but are security practices falling by the wayside? Here is why ensuring the security of these devices is key to long-term profitability:
The value of Industrial Internet of Things (IIoT) technology within manufacturing is becoming clearer than ever to industry. Used correctly, it has the potential to revolutionise manufacturing environments - driving a shift from reactive to predictive maintenance, boosting productivity, and deciphering swathes of big data for optimised business intelligence. A key factor behind uptake, however, is ROI and the IIoT’s potential to greatly increase profitability within whichever environment it is implemented.
The IIoT is set to be valued at $13.49 billion by 2020 – a 228 percent increase from its value of $4.11 billion in 2015. Furthermore, investment within IIoT has been estimated to exceed $60 trillion over the next 15 years. While it is clear businesses are taking notice of the opportunities that come with connected devices, they aren’t the only ones. A greater number of security issues are surfacing each day, attributed to both an increased number of vulnerable points within a network and the number of threat actors looking to take advantage of them.
The double-edged sword of IIoT profitability
With the networking of traditionally non-connected devices comes an increased risk of threats not often associated with Operational Technology (OT). Malware such as ransomware, worms and Trojans are now as much of a threat to OT systems as IT. In some cases, the threat carries even greater consequences due to underdeveloped security barriers within industrial environments. Because of these risks, without significant investment in IIoT security, the reliability and safety of manufacturing and industrial facilities is more than likely to be negatively affected in the long-term.
A variety of threats to OT systems have recently been unveiled – technology which had previously remained unexposed due to the practice of air-gapping systems and the implicit barrier between IT and OT. This includes threats such as rogue firmware in controllers, PLC worms, and IoT botnets utilised for launching massive DDoS attacks.
As attackers discover IIoT to be a lucrative business, a greater market for cyber threats is developed. Cybercrime-as-a-Service through the dark web, for example, is a serious issue that will increasingly affect industrial facilities. Due to the increased availability of ‘do-it-yourself’ hacking kits, less skilled attackers can target larger organisations - aiming for greater levels of profit. Often these kits require no upfront fee, instead claiming a percentage of the total dividend resulting from the hack, thus adding a ‘no win, no fee’ type incentive to utilising the malicious software.
Securing future profits; IIoT security as a business enabler
The boost in productivity offered by IIoT devices comes with an increased level of vulnerability. Currently, IIoT security is still immature and requires significant attention. As industrial systems shift from isolated, air gapped systems to an open and inherently insecure infrastructure, systems that were once presumed to be secure are now ripe for attack. Overall, industries still focus solely on the business benefits of IIoT, with security considerations addressed as a secondary concern. IIoT security must therefore be addressed at an early stage through two key avenues – namely, through ensuring a baseline of security within manufacturing environments and a push towards comprehensive testing and assurances around the IIoT device ecosystem prior to deployment.
In the first instance, a product must be created that is, at its core, secure by design and secure during deployment. In short – end users must be placed within an environment which already operates under a high standard of security, operates under the assumption that attacks will almost certainly happen, and takes steps to mitigate these risks. Once this has been achieved, the education of developers into appropriate secure coding practices can be considered, placing manufacturers in a position to protect products against both prevalent security risks and the associated costs of remediation.
It is simply a matter of time until the threat actors behind Cybercrime-as-a-Service begin to expand their offering to Industrial Internet with a greater focus on vulnerable, networked systems. With a greater number of threats and vulnerabilities surrounding IIoT, the onus is therefore on manufacturers and end users to ensure security and long-term profitability – an approach that will often require expert guidance. With a significant, concerted focus on security as a core business practice, organisations will be able to ensure both short and long-term gains within manufacturing environments.
About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk.