Supply Chain Impact of Industry 4.x #7 - Data Security Concerns with Industry 4.x
Industry 4.x is cited as the union between the virtual and physical worlds, where automation is seen as key: from scheduling resources and materials to automated manufacturing processes, using location-aware Internet of Things (IoT) devices to sense changes and trigger the collating and transmitting of information to a central location (cloud or physical servers) for further intelligent data processing.
Moore's law described the increasing power of processors, leading to computing power growing at a rapid scale. As technological advancements have occurred, so too has the amount of data being transmitted, collated and exchanged across multiple systems increased dramatically.
Data is now seen as being more critical than the systems, the storage devices, even the financial systems used to support investment in technology. Data is critical: it helps industry examine and identify new opportunities as well as areas for improvement, optimizing resources to enable maximum economic gain (profit).
Whilst using embedded devices to enable device-to-device data communications appears to be a fantastic idea, there are some concerns over data security with such devices. The data needs to be encrypted, with strong access controls to avoid unauthorized access to data and/or systems.
Early IoT devices used some pretty scarily open protocols: data was collated and transmitted in a pretty open state. To some extent, if you operated in a closed manufacturing environment, this may not have been too much of a concern.
However, in trying to create and establish a common protocol, IoT devices were implemented in a lot of different non-manufacturing contexts, and many of these early IoT devices are still in use today.
If you tried to implement an internal IT data system based on the same open data logic as deployed in early IoT devices, you would never get beyond the initial design reviews without some form of red card for security issues being raised.
This practice has been commonplace in most IT communication protocols. They tend to start with an open exchange first, to gain mass adoption, before the more secure methods are deployed: think back to FTP then SFTP, HTTP then HTTPS. Early Bluetooth devices were also pretty open.
As Industry 4.x becomes more widely adopted, it will inevitably attract the unwanted attention of hackers, who will develop tools and techniques to access the data and systems that IoT devices connect to, from company digital models through to the broader digital ecosystems, in order to exploit customer and value chain data.
These attacks can consist of brute force web-based attacks; one company I worked for had over 50,000 attacks on its web pages daily, another spent vast amounts of time virtualising and moving to cloud-based technologies to find issues migrating OS and server platforms.
Hackers also look to passwords, using social engineering techniques to build profiles of employees from social media sites prior to launching attacks.
Being hacked is bad for business. Scandals such as credit card companies, banks and financial institutions being hacked and data leaked have become commonplace. Companies fear loss of reputation, so much so that they are prepared to pay hackers ransom fees to avoid data leaks, as Uber recently did.
Implementing basic design principles will help avoid issues. It does not prevent them entirely, but it does make it harder to obtain unauthorized access to systems.
Just because an organisation has always worked in a set manner for IT projects does not negate the need to follow logical steps to encrypt and protect data interfaces. These steps should not be seen as added costs and delays: if you value your data, spend money to secure and protect it.
Regulations such as the EU General Data Protection Regulation and the US DFARS NIST aim to make companies think about the basic controls for data storage, data cleansing and data access. The UK draft Data Protection bill and Digital Economy Act 2017 aim to make companies act further to secure data communications.
Conclusions
The problem a lot of companies face is managing too many systems containing large amounts of data, combined with poor data management strategies.
Old systems are replaced with new systems, but the old systems may remain as legacy systems, never fully migrating to the new system. So ensues a state of multiple platforms: Mainframe, Unix, Windows, Linux, etc.
The more systems and infrastructure a business has to maintain, the greater the number of potential security risks which can be exploited by hackers. Follow sound data security principles:
- Analyse the flow of data between systems;
- Map out the devices and protocols used to exchange data;
- Ensure device security vulnerabilities are patched;
- Where possible encrypt the data traffic in and out of your business;
- Ensure any default known admin passwords are removed and replaced with strong passwords. If you don't replace them, there will be a hacker somewhere who has searched for publicly available data;
- AES encryption methods may seem like the perfect answer, with a key which has a crazy large number of combinations, however it does have its flaws. Any encryption method which relies on a key has the potential to be cracked by using the same methodology that generated the key (a seed value string passed through a random number generator with an algorithm). A hacker could potentially guess the random number generator, and thereby attempt to apply different algorithms to reproduce the key;
- Analyse network traffic flowing in and out of your business, analyse any unusual activity taking place;
- Ensure all devices are patched to the latest security levels;
- Protect internal devices from any malicious access (HTTP vs HTTPS/SSL protection, keystroke detection and protection); monitoring hard drive activity or sensing ambient sounds are tools which could be used to gather data by someone trying to hack your systems;
- Use a strong password enforcement policy both for users and for system accounts (where the password may not expire but needs to be strong to avoid an attack);
- If you think you have it all done, get a penetration testing company to try and hack your systems, and flag red cards. Correct the red cards!;
- Monitor, check, correct and repeat again, the process of maintaining data security never ends.
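The key-generation point in the list above can be checked directly. The following is an added example, not code from the original article: it compares a 256-bit key drawn from a seeded general-purpose generator with one drawn from the operating system's CSPRNG, and measures how many candidates an auditor has to test when the seed is a boot timestamp known to the hour. The boot time, the one-hour window, the HMAC check value and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import random
import secrets

KEY_LEN = 32               # AES-256 key length in bytes
BOOT_TIME = 1_700_000_000  # constructed Unix timestamp (assumed device boot hour)
WINDOW = 3600              # the auditor only knows the boot time to the hour


def weak_key(seed: int) -> bytes:
    """Anti-pattern: key bytes from a seeded, non-cryptographic PRNG."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """Corrected form: key bytes from the operating system CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def check_value(key: bytes) -> bytes:
    """Stand-in for any observable value that depends on the key (an HMAC tag)."""
    return hmac.new(key, b"device-hello", hashlib.sha256).digest()


def seeds_matching(observed: bytes, first: int, last: int) -> list:
    """Every seed in [first, last] whose weak key reproduces the observed value."""
    return [s for s in range(first, last + 1)
            if hmac.compare_digest(check_value(weak_key(s)), observed)]


def audit() -> dict:
    """Compare the effective search space of the two key-generation methods."""
    lo, hi = BOOT_TIME, BOOT_TIME + WINDOW - 1
    weak = weak_key(BOOT_TIME + 1234)   # device seeded with its boot second
    strong = strong_key()
    return {
        "candidates_tested": WINDOW,    # 3600 guesses, not 2**256
        "weak_seeds_found": seeds_matching(check_value(weak), lo, hi),
        "strong_seeds_found": seeds_matching(check_value(strong), lo, hi),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The seeded key falls to a search of 3,600 candidates regardless of its 256-bit length, while the CSPRNG key matches none of them; the strength of the key is bounded by the entropy of what generated it.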
Feedback
Please share any experiences or views you have had with regard to data security and Industry 4.x.
If any organisation is interested in being interviewed as part of my PhD research project, please feel free to contact me via LinkedIn or via the TICS website.