CyberInsecurity and the Industry 4.0

The Digital Transformation theme is present in almost all video conferences’ rooms where the discussion involves technology. Subjects such as Process Automation; Critical Infrastructure; Internet of Things (IoT) and Industry 4.0 (also called Industrial IoT, or IIoT); are some of the terms associated with it. I safely say that - in the context of remote teams and the mass adoption of Cloud-based solutions (a consequence of the Coronavirus epidemic) - this transformation has been migrating at an accelerated pace from theoretical discussions to the concrete world of practices.

 Until less than a decade ago, organizations in industrial markets worked only through Operational Technology (Operational Technology, or OT) to manage their industrial equipment in their monitoring, production and logistics functions. According to Gartner, Operational Technology refers to the set of hardware and software that detects or causes change, through direct monitoring or control of equipment, assets, processes and industrial events.

OT systems range from SCADA and ICS technologies, to industrial robots and smart grids. It is worth remembering that, while the former systems are more traditional and isolated, the latter ones are disruptive and connected. Other important topics linked to OT are smart cities, connected infrastructure, wearables, utilities and smart agriculture. According to Gartner,

“40% of industrial IoT implementations will expand or replace current OT monitoring and control systems.”

Since 2013, the market has been promoting a new industrial revolution based on the adoption of new digital technologies to improve industrial processes. According to an IDC study, by 2022, the digital economy will be associated with at least 50% of Latin America's GDP. And this transformation of IT environments shows no signs of cooling. In addition to a migration to “as-a-service”, digital services and technologies must be increasingly integrated in this industrial context.

IT and cybersecurity leaders will have to deal with increasingly heterogeneous and complex environments, with solutions from different vendors. According to the pwc, in 2020 alone, businesses, governments and customers will invest at least USD 1.6 trillion in promoting this transformation. 

In this context, increasingly cybersecurity objectives must be aligned with business objectives. The Information Security area has gained more prominence and the attention of C-level leaders. However, according to Gartner, these leaders still lack insight into the appropriate means to protect both IT and OT (Operational Technology).

Delays in addressing concerns about aspects of industry security, not only implementation, but also regulatory, highlight the difficulty in reaching an integrated strategy that includes this topic.

Worldwide, the manufacturing industry and manufacturers of industrial devices have made significant strides in connecting their devices to Industrial IoT. However, business success in this hyper-connected era requires much more than just the connection, it is necessary for security leaders in organizations to manage the relationship with customers, partners, suppliers, and even why not say employees. This is all supported by business models based on IIoT (Industrial Internet of Things).

For organizations willing to adopt the concepts related to Industry 4.0, it is important to make an effort to adopt appropriate cybersecurity practices in their OT environments. This is because, by successfully executing a cyber attack against a victim, a malicious agent is able to have access not only to the IT infrastructure, but also to its OT network.

Some standards and frameworks have been introduced to help organizations protect their industrial environments from malicious attacks and actions, such as the NIST Cybersecurity Framework, CIS Security Controls and the ISA 62443 set of standards.

Isolated or together, these regulations provide a series of best practices associated with the cyber security of industrial systems, including aspects such as preventing attacks on systems motivated by cyberactivism, in addition to malware infections (including ransonwares) and data theft carried out by both insider threats.

By implementing the provisions of such standards, it is possible to overcome the challenges of cybersecurity management in industrial environments. Below are some examples of how to do this:

• Asset inventory - cybersecurity management frameworks and standards for industrial systems recommend a complete inventory of assets in the environment, to allow full visibility of the attack surface and associated security risks. Without this visibility, it is impossible to implement actions to mitigate cybersecurity risks in industrial environments;
• Legacy device management - Some equipment in industrial organizations has been in use for many years and many of its manufacturers no longer support or update software. In addition, these legacy devices were designed without the proper security approach, using hardcoded (built-in) passwords, or even without the proper authentication mechanisms. That is why identifying them and including them in a management model is essential;
• Remote and third party access management - most industrial organizations set up remote access to allow their third party suppliers to access ICAS assets remotely. In some cases, remote access to these assets is carried out with shared credentials, without providing for the use of double factor authentication mechanisms, Privilege Management or mechanisms for detecting malicious activities through remote session channels;
• Multiple types of suppliers, protocols and OT devices - the automation market is filled with suppliers of industrial control systems, each with their respective specialists. This requires, in many cases, heavy investments in hiring professionals with deep knowledge and understanding in the implemented solutions;
• Access Management - In an IT environment, access control to applications and systems is usually managed by centralized authentication and access services. These services offer visibility and individual management of actions performed on these systems, usually through privileged or administrative users. These users have permission (or privilege) to access and modify IIoT element settings in the environment. In this case, Privileged Access Management, or PAM, can be used to provide strong controls for administrative access to systems.

An organization that seeks to implement devices linked to Industry 4.0, and yet still comply with best practices, CIS security controls and comply with the ISA 62443 series of standards, needs to address the issues associated with Privileged Access Management, or WFP. Thus, the implementation of cybersecurity solutions allows complete control over access to critical data associated with industrial systems.

When implementing best practices, it is possible to detect and respond appropriately to any undue attempt to modify configurations in the OT environment, thus ensuring the continuity of operations and the production cycle in industries.