With manufacturers gradually implementing the internet of things (IoT) into production processes, they're also increasing the chance their connected systems could be vulnerable to cybercriminals and hackers, who are aiming to shut down the manufacturing floor or steal intellectual property.
But properly securing connected devices is within reach, according to experts. It takes basically the same philosophy, protocol and procedures that companies already use to secure their nonmanufacturing IT systems.
"Setting up security is possible, but not easy," said Albert Biketi, vice president and general manager of data security and encryption at Hewlett Packard Enterprise. "Like exercise, you need routine and effort, and you have to commit to the investment."
Powered by the industrial internet of things (IIoT), smart manufacturing holds the promise of vastly improving production by capturing all the available real-time and historical information -- from the machines and programs on the plant floor, to those along the supply chain -- and converting that data to actionable insights.
Companies overlooking IIoT security risks
But even though connectedness opens the door to cybersecurity risks, manufacturers apparently haven't fully embraced proper IIoT security.
A recent Deloitte survey revealed that nearly one-third of manufacturers have not performed any cyber-risk assessments focused on the industrial control systems (ICS) on their shop floors. Moreover, of the manufacturers that did conduct cyber-risk assessments, nearly two-thirds of them relied on internal resources, thus, in Deloitte's view, introducing organizational bias and the opportunity for failure into the assessment process.
"We suggest manufacturers develop things like a secure operation center, as they did for the enterprise side of business," said Sean Peasley, a partner with Deloitte Cyber Risk Services, and a co-author of the cyber-risk in manufacturing study. "They need to do it for their industrial control systems. That means gathering log data, seeing things from one point to another and correlating that to the bad things, which could be communication with an IT address in a nontrade country or the introduction of unfamiliar types of data."
Phil Neray, vice president of industrial cybersecurity and marketing for CyberX, couldn't agree more about the importance of continuously monitoring IIoT traffic to find anomalies and assess vulnerabilities.
"Unfortunately, at the management level, a lot needs to be done to raise awareness of risks," he said. "IT is aware, but management works under the presumption the manufacturing floor is segmented and not vulnerable."
Segmented doesn't mean isolated. Rather, it means establishing several safety buffer zones around ICS, according to James Piedra, a network platform specialist for Lanner Electronics, which works in the IoT industrial space. By using a distributed control system -- autonomous controllers distributed throughout a system under central operator supervisory control -- manufacturers can segment their IIoT and avoid having a single point of failure in the event of something like a distributed denial-of-service attack. In other words, manufacturing devices are connected, but operate behind many security layers.
Yet, even segmentation carries risk. Half of the manufacturers that Deloitte recently surveyed found security vulnerabilities through segmentation. That's probably why some manufacturers go a step further and choose isolation. Deloitte found that 43% of manufacturing executives believe being connected at all poses so great a risk that they have isolated their facilities from networks in a process known as air gapping.
But air gapping comes with its own set of security flaws. Many manufacturers that isolate haven't tested or monitored how effectively air gapping will work, according to Deloitte. Nor have they conducted an inventory of connected assets, potentially leaving live network access points, especially easy-to-install wireless access points, hidden from view.
IIoT security best practices
What's a manufacturer to do, then, especially if it wants to take advantage of IIoT?
First, manufacturers should be sure they're using connected products and systems that have rich telemetry, which is basically a system to inform IT and employees on the manufacturing floor that something abnormal is occurring, said Biketi. These products must also be able to receive patch updates that close IIoT security vulnerabilities, he said. This rests with the creators of the IoT devices themselves, whether they're geared for manufacturing or consumer use.
"If you're building something that goes into a nuclear reactor, obviously it's different than something that will go into a Fitbit. But the overarching reality for IoT security is one security standard that all can reach for," Biketi said.
Manufacturers also need to be vigilant by consistently monitoring devices that connect to their ICS, said Peasley. This can be done by completing a thorough inventory of all the devices and creating a "never trust, always verify" network that extends to all layers of the enterprise. He also recommends forming a cross-functional security team, with employees from departments such as IT security, engineering, operations and even the control system vendor.
Cybercriminals will always be knocking on a manufacturer's door with all sorts of hacking techniques, Peasley said. They'll want to sabotage the manufacturing process or steal proprietary information, and until IoT products are designed with improved security, it will be "a very challenging thing to defend against," Peasley said.