Cyberattacks on Internet of Things (IoT) devices are increasing at an unprecedented pace, leaving manufacturing companies vulnerable and at risk of hackers bringing production processes to a standstill and/or stealing business-critical data, writes Lukas van der Merwe, specialist sales executive: security at T-Systems South Africa.
According to the 2019 SonicWall Cyber Threat Report, there were 13.5 million IoT attacks in the first half of 2019, an increase of 55% compared to the first six months of the previous year. This is demonstrating that the speed and ferocity with which IoT devices are being compromised to deliver malware payloads is alarming.
For manufacturing companies, this spells an urgent need to introduce new security strategies for their networked machinery, a critical enabler of business innovation and efficiency that has traditionally not been designed with security in mind.
IoT/Operational Technology (OT) devices are essentially soft targets for hackers, as they are unseen on traditional security networks. They are also unmanaged and unpatched, and often have weak or default credentials, as well as vulnerable open source components.
The more industrial control systems are connected to the Internet including those that are remotely accessible to allow remote process monitoring, system maintenance, process control and production data analysis, the larger the exposure becomes for an organisation.
Blurring the lines
Hence, the increased adoption of IoT and big data is blurring the lines between IT and OT, and the increased attack surface results in a heightened risk of cyberattacks. These risks must be mitigated, as digital transformation is here to stay and is driving a greater urgency to bridge the cybersecurity gap between IT and OT.
While companies optimise their development, production and logistics processes based on operational and status data, industrial control systems lose their previously insular position once production machines are networked.
These machines send data to control systems and, in some cases, even communicate over the Internet with devices in other locations. In the case of maintenance work, specialist service staff access machines remotely, either because the specialist resources are not on site, or to save on costs.
Companies are able to increase their productivity in this way – however, where the production and office spheres of a company were previously separated, there are now IT links, and this gives hackers a gateway.
Overall, cybersecurity is emerging as one of the top barriers to implementing successful Industry 4.0 strategies among many manufacturing companies. It is proving to be a massive challenge in the manufacturing environment, predominantly due to the risks posed by devices and systems that are unseen across the IT estate.
Major paradigm shift
At the same time, an increasing number of enterprises are beginning to recognise the need to bridge the gaps between IT and OT. This problem is being taken much more seriously than a few years ago but requires a major paradigm shift where numerous factors must be considered.
Organisations need to recognise that people in the OT space do not respond well to change. So, “digital empathy” must underpin the deployment of security tools that are empathetic of people’s environments, removing the blockers to productivity that traditionally present themselves.
With the assistance of an experienced technology solutions provider, organisations can empower those people to be part of the journey to improve productivity and build bridges to enable digital transformation at a whole new level.
A suitable partner can accelerate a company’s digitalisation initiatives with the simplest and most robust solution for reducing risk from IoT/OT network threats and unmanaged devices. This can be done via a passive approach that has no impact on productivity or the manufacturing technology.
Bridging the gap between OT and IT security should never be done by force, or seen as a retrofit, but should be about creating something new, especially in highly bespoke environments. Industrial companies often (legitimately) fear that IT security solutions in the field of industrial control systems can interfere with production processes, so security providers must adapt their strategy – developed within the world of IT security – for correct use in the OT environment.