Why cybersecurity is not secure enough for IIoT

Industry is in a constant state of flux as technologies are being developed, evaluated and deployed in order to create competitive advantage, increase productivity and efficiency, and to work towards a sustainable future.

Ever-cheaper embedded devices and transducers, together with pervasive networking infrastructure has resulted in the rapid uptake of equipment that is now being implemented at massive scale. Consumers are becoming more familiar with the term Internet of Things (IoT); this technology is essentially driving a revolution within the commercial environment and is known as the Industrial Internet of Things (IIoT).

Since IIoT devices are being implemented across industry, the sheer increase in computational nodes that are inter-connected via a network inevitably increases the potential points of system vulnerability. More and more “back doors” to previously secure (albeit not connected) infrastructure. The value of sharing data may be arriving at some cost.

Security is therefore a pertinent issue for industry. A data breach from an organisation may leak valuable Intellectual Property (IP) to a competitor, with potentially disastrous consequences. A leak may expose confidential customer data, at the risk of jeopardising an organisation’s reputation. In the case of Cyber Physical Systems, they could be human lives lost.

It is the development and adoption of new technologies and business models that is at the heart of these new vulnerabilities. Cloud computing has transformed the infrastructure of many organisations by enabling processing and storage to be outsourced to shared computing facilities in data centres, enabling computing to be an on-demand, elastic utility.

Wireless communications enable data to be shred between devices where cables are either difficult to lay or their installation cost is prohibitive.

Both of these developments are examples of organisations needing to increase their awareness of security control measures, whilst some organisations get it wrong and suffer the consequences.

Wireless devices can be disabled remotely, or perhaps more worryingly, can be used to “listen in” to the data that is being sensed. CPS can be taken over, and physical actuation compromised.

Security systems to date have primarily relied upon authentication mechanisms that use a central authority to establish relationships of trust between known components. As the explosion of IIoT devices continues, such authentication systems cannot scale sufficiently and new methods – such as multiparty authentication – are viewed as one possible way of addressing this challenge.

Machine-to-Machine (M2M) communication is a key factor within digital manufacturing and the Industry 4.0 movement. This enables more data to be collected at the source of a manufacturing process so that tighter integration and coordination can be exploited between collections of manufacturing plant. The Internet means that the physical location of plant does not affect its ability to be included within a system, and thus much more macro-level system optimisations are possible.

The issue is that what was once a recognised risk of a rogue operator/factory worker leaking process data to a competitor for personal profit, we now have the possibility that more detailed process data, that may describe an entire function of an industry rather than just one piece of plant, can potentially be accessed remotely and silently. Thus, security is becoming a major concern for IIoT adopters.

As such, cybersecurity from an information security perspective is somewhat limited in its effectiveness for IIoT as it is concerned with the protection of data. IIoT’s inclusion of physical actuation as part of a control system, means that the security mechanisms have to take account of control mechanisms as well, as it is feasible that an adversary may hack an IIoT system, not to steal the data, but to “mess up” a process.

Be the first to comment on "Why cybersecurity is not secure enough for IIoT"

Leave a comment

Your email address will not be published.