New industry, new danger
18 December 2017
Industry 4.0 may be more efficient and connected, but it will also be more vulnerable to cyber-attacks. David Craik looks at how businesses can best prepare
The interconnected nature of Industry 4.0 has huge potential for manufacturers and other sectors to boost their efficiency, creativity and profitability.
But the world of networking machines and connected operational and information and communication technology also poses severe security threats.
Indeed, a recent study from Deloitte University Press stated that cyber-attacks on Industry 4.0 devices and systems “heralds the greatest leaps in cyber-risk to date” across the supply chain from component supplier, to manufacturers in their smart factories and the end-user enjoying their new connected TVs or fridges.
Not only is the threat present in the digital sphere but also the physical world of machines and finished manufactured products. Malware and ransomware could cause catastrophic equipment failure, damage and loss of productivity.
Worryingly, a 2016 joint study by Deloitte and the Manufacturer’s Alliance for Productivity and Innovation (MAPI) found that a third of manufacturers have not performed any cyber risk assessments of industrial control systems operating on factory floors.
So how can businesses best prepare?
Mark Skilton, professor of practice, information systems management & innovation at the University of Warwick, says organised cyber-criminal gangs, opportunistic thieves and even employees are looking for system vulnerabilities. “Connected systems can be accessed by many people in the cloud or social media,” he states. “If you have even a bit of intelligence such as algorithms in your product or machines then people are out there looking to hack into that product and copy the information. The IP in a machine-learning algorithm is very attractive to a cyber-security hacker.”
Skilton says businesses need to look at creating strong authentication policies and firewalls to deter these threats. “You need firmware encryption controls so hackers will have trouble doing what they want to do. IOT chips can be hacked so they must also be made secure and you need to constantly look at updating virus protections,” he says. “You need employee mobile device management policies if they are using devices remotely, and you need to ensure that SME component suppliers are also doing their due diligence on cyber-security. It is about developing perimeter management of IoT.”
Deloitte agrees that every smart machine should be considered a risk inside a smart factory – whether on the shop floor or remotely located at a third-party contracted manufacturer.
It believes that cyber-security should be part of the strategy, design and operation of every new connected Industry 4.0 initiative from the beginning. It recommends developing a secure software-development life-cycle approach, with so-called security gateways in place to regularly assess security controls, identify vulnerabilities and create secure software codes.
Secure and hardened hardware and firmware is needed, as are AI machine-learning solutions which can identify real-time threat intelligence and create intrusion prevention strategies.
Manufacturers must also consider the danger of product botnets as hackers target consumer IoT devices post-production.
Data is another area of vulnerability, with more sharing taking place across networks and users. Such data needs to be securely stored and a strong security focus being placed on vendor acceptance, information sharing and unauthorised system access. Encryption and tokenisation of data is vital.
“Data is the new oil,” says Skilton. “Most of the value in an Industry 4.0 product or machine is in the data. You have to be extremely careful if you are using and collecting customer data. You need to redact or obfuscate such data, especially with new privacy legislation such as GDPR coming into play.”
Skilton says SMEs struggle with both the cost of implementing security measures and a lack of necessary cyber-skills. “They need to look for cyber-security expert partners to identify threats and prevent them,” he says. “Hackers are getting smarter, so we need to get smarter.”