Urgent industry action needed given increasing reliance on IIoT

Posted on 9 Jul 2020 by Jonny Williamson

A new report has highlighted an impending threat to critical infrastructure from cyberattacks, given the growing reliance on the Industrial Internet of Things (IIoT).

Published by global safety charity Lloyd’s Register Foundation, the Foresight report focuses specifically on the inherent risks for Industrial IoT (IIoT), which is fast becoming a core part of critical global infrastructures across sectors including energy, transport, infrastructure, and manufacturing.

Safety is particularly critical in IIoT environments, and so it is essential to understand how to deliver secure and resilient infrastructures. The IIoT also exacerbates security challenges that already exist.

The report prioritises action by identifying key emerging risks, and gaps in capability for which the current pace of change in operational cybersecurity will not be sufficient.

In these environments, the consequences of failure can be systemic, and the report calls for the IIoT community to urgently adopt guiding principles to increase resilience to cyberattacks.

The core finding of the report is that the current pace of change will not match the fast emergence of new security threats to IIoT environments. Current capabilities, the report points out, either do not scale, have not been tested or simply do not yet exist.

In addition, the report points to the approaching tipping point for recovering from cyberattacks, and the challenges for mindset, regulation and insurance that can build preventative security practices.

While regulation, the requirements of cyber-insurance providers, and the adoption of a cybersecurity mindset within organisations could drive progress towards bridging operational capability gaps and developing risk controls that translate effectively into the IIoT, there are new, pressing challenges to confront.

The management of cybersecurity risk for traditional systems already faces many challenges, such as the sheer difficulty of trying to map the complicated relationships between technical and human systems, and the challenges of communication between different communities where the frameworks for understanding risk are fundamentally different.

Many of these existing challenges will remain and be exacerbated, and new ones will arise, as risk-management approaches are translated into the IIoT, creating key capability gaps.

In addition to exploring these challenges as IIoT expands, the report contains actionable findings including:

1. Always consider harm consequences when planning how to manage risks

2. Consider how security controls may fail as you increase use of IoT devices

3. Use techniques that can provide you with a continuous assessment of your position (near real-time) as opposed to periodic assessments

4. Consider how your supply chains are using IoT: consider their failure to maintain cybersecurity as a risk to your security risk management plans

5. Invest in forensic readiness processes

6. Include a consideration of future scenarios in your risk assessments

7. Invest in training for staff on IoT standards and good practice

8. Collaborate to establish a device interface protocol for sharing security monitoring information