Point of View

Industrial IoT cybersecurity rests on integrating digitally native and legacy devices (and people)

 

As Industry 4.0 cements itself in enterprise strategies, the industrial sector must come to terms with an Achilles’ heel. The internet of things (IoT) is proving to be a pioneering change agent for industry, and cybersecurity is naturally a concern. The IoT’s ballooning coverage opens up an even greater attack surface for cybercriminals. Within the industrial IoT (IIoT), however, the prominence of legacy devices among newer, digitally native additions amplifies the challenge. The lack of IT awareness among industrial engineers and operators further magnifies it. There are three powerful actions security leaders of the industrial IoT can take to bridge the knowledge gap:

 

  • Pioneer cybersecurity literacy throughout industrial operations.
  • Make clear cybersecurity’s criticality to the operation and worker safety.
  • Bring engineers and operators into project conversations with cybersecurity vendors.

 

Cybersecurity is critical not only for day-to-day operations but also for innovation, and it can be the downfall of many an IoT project. But the stakes increase for industrial IoT, where network and system availability and resilience are critical not only to the business but also to worker safety. You don’t need to look far beyond the Norsk Hydro attack that cost the aluminum producer $75m – industrial executives will be carefully considering cyberattacks that might aim to go beyond the financial… and their consequences. 

 

Industrial IoT presents both the breadth and depth of cybersecurity threats

 

The IoT is firmly in the minds of executives when it comes to cybersecurity, regardless of their vertical.

 

 

Exhibit 1: Enterprise leaders see the IoT and its partner in crime the cloud as the biggest cybersecurity risks

 

 

Please estimate the level of risk that your corporate brand might incur if it suffered a major data breach or service disruption or a delay in implementation. 

 

 Source: HFS Research, State of Security 2018, N = 300

 

 

But within the IIoT, concerns are magnified: The level of concern in Exhibit 1 increases from 63% to 77% for manufacturing leaders.

 

As the industrial sector embraces the IoT, newly incorporated digitally native devices must engage with legacy devices that were never designed with cybersecurity in mind. Programmable logic controllers (PLCs), for example, are a mainstay of industrial process control but still widely rely on ethernet connections and similar dated means. Industrial engineers’ and operators’ poor understanding of not only IT issues but also how these IT issues relate to the core operation compounds these shortcomings.

 

In industrial settings, no two machines are alike; take, for example, oil drilling, wells, fields, pipelines, and refineries. On top of that, industrial processes are modified, integrated, and specialized, and they operate over extremely long lifecycles. For these scenarios, consider how many traditional security solutions operate at a network’s core, while malicious attacks may target legacy or far-removed devices and then propagate through the core operation.

 

Mindsets exacerbate the challenge—something industrial security leaders must recognize

 

Industrial engineers and operators don’t expect process-related issues to stem from a cyberattack; they anticipate these issues to be process deviations that they can correct. Security leaders must recognize how their own priorities differ from those of operating and engineering employees—for them, it’s about process availability and product quality, not checking firewalls and code.

 

Readily available cyberattack tools put legacy machines and the wider industrial ecosystem at risk

 

At the recent Digital Transformation EXPO Europe, presenters used some example code to illustrate the damning reality of the challenge facing industrial systems. Available online, the code could stop hundreds, if not thousands, of PLCs upon simply entering a device’s IP address. The takeaway: Standardized cyberattack tools are easy to procure and use.

 

Small operating errors planted into industrial operations can magnify into severe consequences; for example, altering a pharmaceutical process’ temperature and ingredient composition or setting a robot’s welding pathway off by a few millimeters. Manipulating sensor readings might make these moves invisible to an operator yet have dire consequences to a final product—or even to the safety of the operator or end user.

 

The Bottom Line: New technology won’t solve your cybersecurity problems in the Industrial IoT. Security leaders must fix legacy and people problems first by bridging the communication and skills gap.

 

We’ve spoken to many in the IoT space whose primary objective is bridging the cybersecurity gap between new and old devices. The biggest service providers press on the cultural aspects of cybersecurity within industry, while many smaller vendors we’ve spoken with offer solutions that protect the “hybrid” installations that industrial firms demand.

 

Security leaders must now take the initiative and address the pressing challenges of the Industrial IoT:

 

  • Acknowledge that those in IT are no more aware of operational intricacies than operators are aware of the subtleties of cybersecurity.
  • Change the cybersecurity conversation at both the enterprise and vendor levels to include engineering and operator expertise so that a provider can understand and tailor a solution to an industrial process’ unique requirements.
  • Embrace the priorities of industrial operations—availability, safety, and quality—and show how cybersecurity is fundamental to achieving these objectives and wider business value.
  • Ensure you have the right team of providers and vendors to cover all bases—process, people, and technology—to solve your headaches when it comes to the industrial IoT.
