Ashish Khanna, Senior Managing Director of Verizon Business (Security Consulting Services), explores how manufacturers can stay protected as they embrace an IoT-led future.
It’s a trend we’ve been talking about for a while, but with 60% of manufacturers embracing Internet of Things (IoT) technologies in their processes over the past few years, IoT has quickly shifted from being an industry buzzword to a reality.
And why not embrace IoT? With factory efficiencies ranging from predictive maintenance to resource innovation, better quality control and improved supply chain management, you can see why it’s predicted that the market for smart factory technology will exceed $228 billion by 2027.
Security in line with a surge in adoption?
But, while a surge in IoT adoption comes with a certain amount of excitement, it also brings about a potential increase in cybersecurity threats. Unfortunately, too many IoT deployments happen with security as an afterthought or give devices access to data from legacy industrial systems that were designed without security in mind.
These same systems, through IoT deployments, are now connected to the internet, and to suppliers’ devices, which can leave an organisation exposed. Take, as an example, a legacy customer relationship management (CRM) system of either a manufacturer or even a major retailer they work with. If a bad actor can get into this system, they can have access to a lot of sensitive consumer data from across multiple companies. That could cause a loss of millions of pounds to their business, even without the added ruined reputation, and subsequent regulator fines.
Of course, this scenario is something every manufacturer, and their supply chain, is keen to avoid. But the first step in reducing the chance of it happening is to understand where the cybersecurity risk is coming from.
Human mistakes letting bad actors in
According to Verizon’s 2024 Data Breach Investigations Report (DBIR), most breaches globally (68%) involve the human element – perhaps an employee has opened a phishing email, connected to a suspicious WiFi network, or fallen prey to a social engineering attack.
Across the manufacturing space, human error is especially rife when it comes to breaches. Last year, many manufacturers fell afoul of their employees being hit by social engineering attacks such as phishing (55%) and pretexting (42%). However, misdelivery was the real error du jour; employees sending important information to the wrong people accounted for almost half (48%) of error-related breaches across the sector last year.
Clearly the problem is a persistent one, as the 2023 report showed percentages at a similar level.
So what can one do to get the most out of IoT without exposing one’s organisation to human security errors?
Protecting against human error
The first thing to do is to implement a Zero Trust strategy. Actions might not be malicious – but they can still cost your business considerably. Training can go a long way to help mitigate employee-led risk, especially when it comes to reducing incidents of phishing or pretexting.
Enhancing protection by restricting third-party, employee or device access to systems, applications and resources is another point of consideration. The DBIR found that 15% of breaches in 2023 came from third-party involvement, including supply chain issues, issues with data custodians, vulnerabilities in third-party code, and malicious packages in software repositories – so it’s important to protect against errors from neighbouring environments, as well as those from within your own four walls.
A secure private network is paramount, as is network segmentation. Network segmentation limits who can access different parts of your IT environment, whether internal or external – based on the requirements of their job, or the task at hand. IoT security credentialing, meanwhile, adds a similar layer of security, but limits which devices can ‘talk’ to one another based on predefined credentials they’ve been given.
IoT devices are often more vulnerable to cyber-attacks than IT devices due to their limited security features. Unlike IT devices, IoT devices (e.g., sensors) are typically cheap and lack an operating system or sufficient computing power to run security measures on the device itself. Patching these devices can be challenging or impossible, making them susceptible to security threats when exposed to the internet. In addition, IoT manufacturers often provide incorrect and incomplete vulnerability reports, further exacerbating the security risk. This makes IoT devices attractive targets for hackers. Moreover, if the segmentation between the IT and IoT networks is non-existent or weak, IoT devices can serve as a backdoor for attackers to access and potentially harm IT networks. The most common attack vector today is ransomware, which can cause significant damage to organizations and individuals. Therefore, it is imperative to prioritize the security of IoT devices by implementing robust security measures, regularly applying updates and patches, and strengthening the segmentation between IT and IoT networks.
During tabletop exercises, Verizon frequently observes that organizations have a limited understanding of how Operational Technology (OT) processes depend on business systems. Compromising a critical business system can disrupt operations unless the asset owner acknowledges these dependencies and implements appropriate mitigation measures. Often, either the Configuration Management Database (CMDB) or business owner information is missing, leading to further delays.
Another scenario where Verizon witnesses this issue is when a device undergoes maintenance by a supplier. During maintenance, threat actors may use the opportunity to introduce vulnerabilities into the environment.
Ultimately, cybersecurity should be intrinsic to any OT/IoT deployment – not added as an afterthought.
To ensure you’re getting it right, work with a managed services or connectivity provider who puts security and a reliable, uninterrupted connection at the heart of their approach when implementing IoT devices into your operations. Your employees and the employees of your suppliers might not act out of malice when it comes to a cybersecurity incident, but that could mean very little when human error proves to be an extremely costly mistake.
Ashish Khanna, Senior Managing Director, of Verizon Business (Security Consulting Services).