In 2017 NotPetya ransomware caused an estimated $10 billion in damage as it shut down ports, disrupted shipping, infected factories and hit power grids. Such havoc is entirely predictable. The Industrial Internet of Things (IIoT) is expected to transform manufacturing, energy, agriculture, transportation and other industrial sectors of the economy that, together, account for nearly two-thirds of the global gross domestic product. Unfortunately, many of these companies are unprepared for the potential risk and liability that may be brought on by connecting new technologies with old-world systems, including new threats to public safety, physical harm, and catastrophic systemic attacks on shared public infrastructure, says a World Economic Forum report on secure market incentives for IoT.
As today’s economy continues to prioritize time-to-market and the profitability of solutions over security, the threat of serious physical, financial and institutional harm grows, making factories and other types of critical infrastructure an increasingly tantalizing target for state-sponsored hackers, cybercriminals and political activists. “There is more and more need for security,” says Philippe Duluc, chief technology officer, big data and security, at ATOS, the European IT services giant. “The surface of attack is increasing every day because we have this convergence between IT and objects. And with this evolution of global interaction we have more and more risks.” Just how big the risk is can be hard to quantify. But in September, Germany’s digital association Bitkom released a study that gives a troubling window into the magnitude of the problem. It revealed that 66% of the country’s manufacturers have already been hit by some kind of cyberattack, resulting in $50 billion in losses to the German economy.
Groups like Bitkom are calling on manufacturers to take such threats seriously. As networks expand and more objects get connected, the ripples from any attack can spread rapidly. Yet it’s easy to overlook such dangers. Manufacturers look out over factory floors filled with machines and control systems that in some cases have been in place for decades and are dazzled by the potential to revolutionize that equipment by packing everything full of sensors, installing robots, harvesting rich data sets, and using artificial intelligence to optimize it all. The problem, say security experts, is that the old equipment never required much security, since it was manually operated, or only connected via internal networks. Critical infrastructure providers such as factories are then adding sensors, robots, or other types of IoT equipment that also lack basic security, introducing yet more weak entry points for hackers. “When you have a large volume of operating systems, it creates vulnerabilities,” says Adam Kujawa, director of malware intelligence at Malwarebytes. The older Industrial Control Systems, or ICS, make the security industry especially nervous. ICS refers to the technology that triggers a machine to perform a task or operate in some way. Such controls were at the center of an infamous hack on a steel mill that Germany’s federal agency for digital security disclosed in great detail four years ago.
In that case, hackers launched the attack by sending “phishing” emails that looked legitimate, but which included an attachment that installed malware when opened. This got them into the office network, and from there they were able to navigate into the software inside the steel mill. Once there, they seized the control systems and were able to stop a blast furnace from activating security settings, which caused systems to fail and damaged the mill. Those tactics have evolved, leading to the more recent attack that shut down a Middle East plant late last year. Security firms said they detected a piece of malware called TRISIS that was optimized to attack ICS. While other attacks had targeted controls, TRISIS targeted the safety systems, meaning that the systems that might trigger alarms or emergency shutdowns had been compromised.
Mitigating Mischief
More than two dozen companies, governments, organizations and universities have been collaborating with the World Economic Forum to co-design the Industrial IoT Safety and Security Protocol. This first-of-its-kind policy framework generates an understanding of how insurance might facilitate the improvement of IIoT security design, implementation and maintenance practices. It also sets forth a universal set of security best practices that should be incorporated in all IIoT deployments. The next steps are to pilot these incentive structures with governments, insurance firms and other private sector companies, refine the underlying operating models, and then share these outcomes to scale-up adoption internationally and across sectors. In the meantime this complex security puzzle has led traditional cybersecurity leaders to develop specific solutions and expertise for Industry 4.0. Trend Micro of Japan, for example, offers extensive guidance to industrial customers on how to design their networks to limit access and potential fallout by segregating some operations. The company has also developed computing equipment that can be installed on ICS networks to monitor traffic as well as software to continually scan for vulnerabilities and mischief.
“The exponential growth of highly-available wireless networks coupled with an equal growing market of cheap and commercially available IoT devices is changing the risk equation,” says Ed Cabrera, the chief cybersecurity officer for Trend Micro. “The threat landscape is changing, making it more profitable for cybercriminals to hold factory floors and hospitals for ransom.” Unfortunately, cybersecurity firms face the challenge of explaining these issues to executives in industries where the knowledge base and experience is low. Christian Polster, chief strategy officer for the Vienna-based cybersecurity firm RadarServices, says the company has developed a wide-ranging platform that allows industrial customers to monitor operational and informational technology from a single security center. But reactions vary widely when Polster explains to a factory owner why such a comprehensive approach is needed. “Very often they are in the stage where they say they have a scanner and a firewall, and that’s it,” Polster said. “And then it’s very hard to convince them. But if they have a CIO and compliance programs, then it’s a signal that they are on their way to understanding what they need to do.” Urgency may be growing as Industry 4.0 adoption accelerates. San Francisco- based Nozomi Networks was founded in 2013 to focus specifically on industrial security. It has developed a comprehensive industrial security platform that monitors all aspects of the network for vulnerabilities and malicious traffic, and pulls it all together into a central management console. The company has raised $54 million in venture capital, including a new round of $30 million at the end of September. Investors were no doubt responding to the huge market opportunity. “Next year is going to be the first mainstream year for industrial cybersecurity,” says Edgard Capdevielle, Nozomi’s president and CEO. “We have passed the tipping point. People want more integration and a lot more intelligence in the production process, which creates more risk. Everyone has to care about security. If it’s connected, it’s exposed.”
