Shifting Tides in IIoT Security
I’ve been writing about OT cybersecurity for a while and, although a consistent part of the message is that the overall level of risk is high and rising, some positive developments should be acknowledged. In particular, the past couple of years have seen increasing awareness of the issues and growing attention from business leaders. This is wholly positive for the organizations starting to work with rather than against the IIoT wave.
Technological transformations are by their nature disruptive and require adaptation and evolution to survive. Businesses able to innovate and incorporate new technologies efficiently can and do thrive, often coming through these times of rapid change stronger and more resilient than before, potentially having increased their relative market shares. Those following the more common pattern of defending entrenched methods and positions tend to suffer in the long run, with business models requiring greater dedication of resources to defensive, non-core functions.
We are in the midst of a massive technological change, termed variously the cyber-physical transformation, digital transformation, or Industry 4.0. The growth of interconnectivity and integration of sensors and computational power is unlocking improvements in production quality, efficiency, and agility at tremendous rates. The possibility of automated production facilities configuring and optimizing themselves for output in response to demand input data is no longer seen as belonging to the realm of science fiction.
Many businesses already take advantage of these developments, of course, streamlining production and increasing insight and responsiveness, and more do so every day. A distinguisher in the long run, however, will be which ones incorporate the technologies with a complete view of their impacts. Every technology is at its root just a tool, after all, and tools can be used for different purposes by every party with access to them.
This is at the core of the OT cybersecurity challenge: the very tools enabling such tremendous business improvements at the same time enable outcomes contrary to business interests. These can be summed up as unauthorized access to and interference with industrial management and production systems. Every enterprise installing “smart” systems (devices with controllers that enable automated alteration of performance parameters in response to external inputs) in industrial environments needs to include the securing of these systems against both intentional and unintentional misuse as part of their implementation and ongoing maintenance. To fail to do so is to invite unforeseen operational disruptions.
A maxim of business management is that early adopters accept more risk by taking on less mature technologies. What we seem to be seeing presently, however, is that securing the risk exposures created in adoption most often occurs only after a significant delay rather than during the adoption process. Combined with the tremendous growth of threat actors specifically targeting these new control system technologies, we believe that late adopters actually take on more risk exposure unless they collapse the gap between implementation of IIoT technology and the securing of it.
This article was written by Derek Harp, an industry leader in Industrial Control System cyber security who has worked tirelessly to educate and guide companies in their journey to achieving cyber resilience. Mr. Harp is currently a board member of NexDefense, and the founder and Chairman of Control System Cyber Security Association International (CS2AI), a nonprofit organization dedicated to supporting local practitioner peer groups around the globe.