Internet of Things

Setting the IoT security standard

By Joe Lomako, business development manager of IoT at TÜV SÜD

Industry 4.0 (I4.0) systems include various components or sensors and are often referred to as Internet of Things (IoT) devices. These connect industrial systems and are the interface to the outside world, continuously collecting data. As devices, systems and processes become increasingly digitised and interconnected, a wealth of positive opportunities are created. However, these same technologies may also present weaknesses, as cybercriminals seek out opportunities to hack into critical infrastructure.

According to a report from Kaspersky Lab earlier this year, half of all industrial control system networks have faced some form of cyber-attack. Some connected devices lack the appropriate cyber robustness to prevent attacks and this, coupled with the fact that some control systems could be using outdated or bespoke operating systems or software, increases cyberattack vulnerability.

The introduction of the NIS Directive (security of network and information systems) in Europe is intended to improve this situation. However, uptake within businesses is slow, as is the introduction of the standards required to assist in improving cyber security. Nevertheless, baseline protection standards do exist or are being developed by international organisations, and these would help to deliver basic security provisions as a first line of cyber defence. Two important documents relating to IoT device security are NISTIR 8259 (US) and Draft EN 303 645 (EU). EN 303 645 covers only consumer products, whereas the scope of the NISTIR document addresses a wider range of IoT-type products, so it follows that it can apply to I4.0 industrial products. More importantly, cybersecurity of IoT devices has been mandated in California and Oregon, and the NISTIR 8259 document and its general principles can be applied to help demonstrate a baseline of cyber security protection for an IoT product. There are several other groups of published standards that are aimed at improving security from network infrastructure to devices. For example, it is possible that an industrial IoT device could be certified under the IEC 62443 series of standards, which aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity. This would probably be more familiar to operators and integrators of control and automation systems. While this standard series has a mix of process and technical requirements, it covers what we would typically call a “product”. Within the series, process requirements can be found in IEC 62443-4-1 and technical requirements in IEC 62443-4-2. Although the standards do not cover everything, they do at least offer confidence in that first line of defence. However, manufacturers should consider their own cybersecurity programmes, which offer a more robust demonstration of security. This could include more stringent, bespoke testing or “pen testing”, which will identify deeper and more serious threats to a device and the IoT system within which it sits. It is also vital to think “secure by design” and take a proactive approach to cybersecurity, recognising that attacks are a matter of “when, not if” and that security should be a priority in designing a product.

What’s more, threat resilience is an iterative task. Not all threats may have been discovered on the first assessment, and some may not even exist yet. Ongoing investment in cyber security is crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack. It is therefore also very important to ensure up-to-date compliance with all standards and to constantly review your ‘cyber resistance’ status. We often hear of devices being hacked and hijacked within minutes of connection to the internet.

Sadly, there is currently too little traction in device and component cyber assessment, and it would be prudent for any integrator or end-user to ask their supplier what level of cyber assessment has been performed and to prove the product’s cyberattack resilience. A report from Make UK revealed that 60 per cent of its members have been subject to a cyber security incident, almost a third of whom suffered some financial loss or disruption to business as a result. 41 per cent of manufacturers went on to report that they have been asked by customers to demonstrate or guarantee the robustness of their cyber security processes. There is some debate within industry that the present cyber security standards are lacking in detail and do not adequately cover the scope of typical industrial applications. While this may be true, they are at least a good first start where nothing previously existed. Tackling the problems of cyber security risks can only really be achieved by comprehensive planning, periodic evaluation, updates and monitoring. This must be done continuously, from design through to obsolescence.

While digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. Both industrial IT security and the security of the wireless products that manufacturers produce are therefore becoming increasingly important.

Components in Electronics October 2020 21
