Cybersecurity: the importance of validating connected products with a global standard

In a world of ubiquitous connectivity, trusted equipment is the backbone of safe network environments. But as more manufacturers and industries build and deploy smart Industrial Internet of Things (IIoT) devices, the security and safety of systems providing essential operations become more important and more difficult to manage. These complexities are due, in part, to a lack of a global, universally accepted cybersecurity standard and conformance assessment scheme designed to validate connected products.

Today, countries throughout the world develop requirements without regard to global conformity. This conformity gap makes it difficult for manufacturers to determine the standards to which they should build and comply, particularly as products are manufactured and sold around the world. With that, I believe industry partners and standards bodies must take proactive steps to codify security expectations and best practices for IIoT ecosystems. This will help ensure security is built consistently into products and ultimately save companies billions of dollars in system design and cyberattack recovery costs.

The security realities companies face

With the integration of IIoT devices into legacy systems and solutions on the rise, critical infrastructure and other industrial control system networks become more exposed to cyberattacks that are increasingly challenging to mitigate. Today, the overall loss caused by cybercrime is estimated at $600 billion [1], or 0.8 percent of global GDP. Several incidents in recent years have attracted worldwide attention, including 2015’s “Industroyer,” or “Crash Override,” malware that crashed the Ukrainian electric grid, and the massive Mirai botnet attacks in 2016, which compromised IoT security cameras and routers to launch several distributed denial-of-service attacks.

Infographic: Global cost of cybercrime (USD): $600B
Infographic: Total contribution of cybercrime toward global GDP: 0.8%
Infographic: Increase in dollars lost to cybercrime from 2014 to 2018: 34.8%

Such attacks are typically more sophisticated and damaging than many pre-IIoT cyberattacks because of their scale and their consequences for physical systems. And they’re harder to mitigate. While governments and manufacturers do issue cyber defense warnings and suggest updates, these protocols hinge on individual asset owners taking heed and following detailed instructions. Although recommendations issued by government agencies and manufacturers are most often timely, system update procedures can be slow, ineffective and unwieldy. All too often, companies are constrained by the lack of system architectures that support “on the fly” updates without incurring downtime. Taking critical infrastructure systems offline to apply updates leads to lost productivity and revenue; most often, cybersecurity updates must be scheduled or aligned with yearly maintenance windows.

The challenges and potential solutions to securing connected ecosystems

The unique characteristics of IIoT technologies present technical and economic challenges. From a technical perspective, IIoT devices have limited computational and storage capabilities; they’re not designed to support effective security measures like advanced encryption or vulnerability and patch management. Addressing this challenge requires the development of lightweight cryptographic algorithms, business models that allow for more timely upgrades to IIoT products, and systems designed to support firmware upgrades over the air. In my opinion, the security of a network or system is only as strong as its weakest link. Organizations should employ basic cybersecurity hygiene and continuously analyze emerging threats to ensure systems are deployed securely. Additionally, companies should take inventory of everything connected to their networks and employ a zero trust model. This will require partnership and collaboration with trusted vendors to identify threats.

“The security of a network or system is only as strong as its weakest link. Organizations should employ basic cybersecurity hygiene and continuously analyze emerging threats to ensure systems deploy securely.”
Max Wandera, director, Cybersecurity Center of Excellence, Eaton

The economic challenges to safeguarding IIoT ecosystems stem from the complex manufacturing supply chain and the difficulty of assigning clear liability to manufacturers and system integrators for any vulnerabilities introduced. Most products and system assemblies consist of components from different suppliers. Where should trust begin and end if there is no global conformity assessment scheme to ensure that integrated components lack vulnerabilities? Having a common set of verified product requirements at a global level, similar to what we already have for safety evaluations, is a great starting point. Possible solutions to the liability conundrum include third-party conformity assessments of IIoT device components, as well as periodic inventory of the IIoT technologies deployed in networks to ensure that only trusted devices are installed.

The lack of a common global cybersecurity compliance standard

While the solutions I mention are feasible, a lack of harmonized global product standards for IIoT security dramatically slows the adoption and deployment of such options. Uncoordinated cybersecurity standards, guidelines and regulations from various entities across the globe make aligning universal IIoT system-level cybersecurity requirements for manufacturers difficult, if not impossible. Many countries, regions and local-level governments develop their own cybersecurity best practices and standards for IIoT devices and critical infrastructure, resulting in a lack of parity. In many cases, those governmental bodies lack the expertise needed to account for the complexities of IIoT devices and their application.

Further, cybersecurity standards and requirements are highly fragmented by region and country, as governments have begun regulating IIoT technologies in very different and sometimes conflicting ways. This creates challenges for manufacturers and system integrators who attempt to build and deploy services for a global market.

Industry global standard and fast-track conformity assessment schemes for IIoT

To resolve the complexity of complying with multiple requirements from different countries and regions, industry and standards bodies must support appropriate conformity assessment schemes that validate global requirements for products and systems.

I feel strongly that standards bodies can lead the charge in the development of global IIoT cybersecurity standards, including appropriate conformity assessment schemes. Global standards will also pave the way for corporate and academic partnerships; these relationships will help build the stronger talent pipeline needed to address the skilled labor shortage in cybersecurity and especially IIoT. 


What industries can do now

The challenge ahead of us is to generate more dialogue across standards bodies by educating manufacturers, suppliers and consumers of IIoT on the risks associated with unsecured products and solutions. While I feel standards bodies can help guide cyber safety conversations, cybersecurity is a collaborative effort—and collaboration takes time, especially in sectors slower to react to advances in technology.

As industries slowly begin to push cybersecurity forward, there are steps business owners and facility managers can take today to reduce cybersecurity risks in systems and networks: 

Integrate cybersecurity into product design and development 

Security is a continuous journey. Product complexities, threat scenarios and technologies evolve, so it’s crucial to have protocols in place for every phase of the product development life cycle—from threat modeling to requirements analysis, verification and ongoing maintenance. These procedures help organizations spot emerging threats, identify ways to defend against them and help customers maximize efficiency, reliability and safety. Eaton’s Secure Development Life Cycle (SDLC) process is an excellent example of a model where security is integrated at every phase of product development.  

Apply basic cybersecurity hygiene on networks

Basic cybersecurity hygiene means maintaining an up-to-date inventory of assets and knowing what is connected to a network. This should cover physical and data assets, applying patches when vulnerabilities are discovered, enforcing strong access control policies and continuously monitoring logs and systems for abnormal behavior. Organizations should also schedule cybersecurity updates based on the risk assessment performed on each security patch.

Collaborate with knowledgeable third-party organizations

Developing strict procedures at each stage of product development helps establish measurable cybersecurity criteria for network-connected products and systems. Partnerships with trusted third parties can help organizations augment their cybersecurity best practices as those institutions often create widely accepted guidelines in the international community. Our collaboration with UL is a working model, as Eaton now tests products with intelligence or embedded logic to key aspects of UL 2900-1 and IEC 62443 standards, which require mandatory testing protocols for vulnerabilities, software weaknesses and malware.

Now is the time to act

Manufacturers can no longer afford to operate under different security standards. Cybercriminals and the technologies they use continue to evolve, and diverse standards lack the uniformity needed to combat the latest threats.

The time to drive a global conformance assessment for cybersecurity across industries is now. Industries and standards bodies across the globe must accelerate the dialogue needed to address today’s cybersecurity challenges and keep pace with changing technologies before it’s too late to catch up.

References

[1, 2] Lau, Lynette (February 2018). Cybercrime ‘pandemic’ may have cost the world $600 billion last year. Retrieved from https://www.csis.org/analysis/economic-impact-cybercrime