https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Security


Getty Images

Why Industrial Automation Security Should Be a Renewed Focus

Industrial automation security is vital as manufacturers and critical infrastructure organizations weigh a technological reboot.  
  • Written by Brian Buntz
  • 27th April 2020

As industrial organizations grapple with COVID-19 fallout, automation has become an even hotter topic. Experts fear, however, that the acceleration of automation could drive unforeseen consequences for organizations that don’t focus on security.

“When it comes to automation and industrial control systems (ICS), there is no doubt haste makes more than waste,” said Dan Miklovic, an analyst at the Analyst Syndicate. “It leads to potentially catastrophic or deadly outcomes.”

Mission-critical systems in industrial facilities have traditionally relied on the close oversight of human workers because the senses were “usually the most effective way to ensure optimum uptime,” Chris Catterton, director of solution engineering at ONE Tech. That is changing. Automated systems often exceed human capacity to spot machine problems. An automated system can detect when a torque value on a bolt is, for instance, a few pounds light, or hear a high-frequency bearing squeal undetectable to the human ear, Catterton said.

But being lax in terms of industrial automation security can be dangerous. Hobbyist electronics, for instance, may make automating industrial machinery simple, but such products can also provide cyberattackers with a familiar target, Miklovic said. “Plug-and-play automation solutions that are not built with security in the forefront can also open the door for a vast amount of vulnerabilities,” Catterton said.

Take Care With AI Deployments, Too 

There’s also a risk that organizations will hastily deploy artificial intelligence (AI) as part of their automation initiative. With data science experts in short supply and many experienced industrial operators sidelined as a result of COVID-19 quarantines, there is a heightened danger of errors creeping into AI algorithms. There’s a risk that “the person trying to train the system lacks critical safety information,” Miklovic said.

Even in ideal conditions, developing software or AI algorithms inevitably introduces some error. One rule of thumb holds that there are one to 10 mistakes per 1,000 lines of software, as the book “The Fifth Domain” has observed. Even software for mission-critical space systems could have one to five errors per 1,000 lines of code.

With software often having millions or billions of lines of code, the need to prevent and correct bugs becomes critical. History provides examples that underscore the risk of cutting corners in industrial automation security. The Ariane 5 rocket disaster of 1996 is one such example. After software developers from the European Space Agency failed to adequately update code they borrowed from a predecessor rocket, the rocket exploded. Because the speed of the craft during the launch exceeded the bounds its software specified, the rocket self-destructed. “The cost of this software error was about $300 million,” said Johannes Bauer, Ph.D., principal security advisor at UL.

Another example of costly software shortcuts is the grounding of the Boeing 737 Max in 2019. After outsourcing software development tasks to $9-an-hour engineers, the plane killed 346 people in two accidents. An automated system relying on information from a sole sensor played a role in the crashes, according to the New York Times. The cost of grounding the 737 after the two accidents is $18 billion, according to Boeing estimates.

Discriminate When Allowing Remote Access 

In addition to the risks of cutting corners with software-driven automation or AI workloads, the expansion of remote access in industrial environments is another danger. “Think about using Zoom [the videoconferencing application] to have shop floor personnel communicate with a shared expert resource to diagnose a problem,” Miklovic said. In such a case, a cybercriminal could steal trade secrets or product manufacturing information, he noted. The rush to enable remote operations can also prompt organizations to make control systems accessible via the public internet without appropriate security controls. The threat of doing so is “a concern for safety instrumented systems,” said Mark Carrigan, chief operating officer of PAS Global. “Such systems are the last line of defense for processes operating beyond their boundary conditions, and a known attack target for malicious actors.”

Remote operations also heighten the risk of phishing attempts using social engineering. Such an attack could “identify employees who are likely to have privileged access so their credentials can be exploited to gain access to control system environments through increasingly accessible remote gateways,” Carrigan said.

Evaluating Threats by Sector

The rush to deploy automation and remote access won’t be uniform across the industrial sector. “The most critical of critical infrastructure systems” tend to have established protocols in place, and are less likely to redefine core processes, said French Caldwell, co-founder of the Analyst Syndicate. Critical infrastructure such as nuclear power plants, oil refineries and chemical plants are less likely to be impacted by social-distancing working restrictions given exemptions for such institutions.

Critical infrastructure organizations also tend to have regulatory requirements for cybersecurity. Energy utilities, for instance, must follow cybersecurity standards outlined by the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation.

At the opposite end of the spectrum is industrial infrastructure such as heating, ventilation and air conditioning (HVAC), lighting and plant systems. Such systems have been “operated and monitored remotely for decades now,” Caldwell said.

Organizations in the middle of these two poles are more likely to increase automation and remote working infrastructure, according to Caldwell. “It’s in the very large middle group of systems where, no doubt, there is a pandemic-led increase already in remote ICS access,” he said.

The Final Word

Ultimately, each organization has to evaluate the risks and rewards of digitization and automation. The risk of moving too slowly can be a threat to an industrial company’s longevity just as much as rushing a deployment. “There are many different views on what to automate, how much to automate and when to automate,” said Nitin Kumar, chief executive officer of Appnomic. “Physical assets are increasingly going digital. Not having automation woven around these with an adequate digital process will create a very inefficient digital operating model.”

One thing is universal: Organizations must collaborate to solve these problems. Especially during the pandemic, engineers and IT leaders “need to team up to ensure that reliability and security are aligned to both the criticality of the systems and the security risks,” Caldwell said. After the pandemic subsides, organizations will have more time to review how they can expand automation and remote access of ICS systems to accommodate “both unexpected contingencies and to improve effectiveness and efficiency of day-to-day operations,” Caldwell said.

From a business standpoint, organizations should consider strategies to deploy automation to enhance resilience in the face of uncertainty. “There is a lack of clarity on the duration of the shutdown and the risks posed to the workforce even if the economy migrates to a semi-open posture,” Kumar said. But more certain is the likelihood shareholders will “continue to be demanding as the recovery mounts,” he added.

Technologies such as automation, AI and remote access can enable industrial organizations to do more with less. Those who aim to deploy them should do so cautiously. Despite the adage of security by design, many organizations find them in a sort of continual remediation mode. “Security should be a functional requirement from the outset,” said Sean Peasley, a partner at Deloitte.

Tags: IIoT/Manufacturing Features Internet of Things World 2020 Conference Coverage

Related


  • Supply Chain Analytics and IoT Loom Large in Wake of 2020 Disruption
    The COVID-19 crisis has made disruptive events par for the course. Supply chain analytics, digital twins and other tools have become key to understanding and predicting disruption.
  • IoT App Development Gets Agility Boost From Container Technologies
    IoT app development has clamored for greater agility, productivity and security. Container technologies can realize those benefits.
  • Mixed picture
    IoT Spending Is a Mixed Picture in 2020
    While COVID-19 has forced budget cuts for some organizations, the pandemic has also driven IoT spending increases for others.  
  • Image shows a factory engineer wearing VR headset designing an engine turbine on a holographic projection table.
    Industrial Augmented Reality Promises Remote Support
    Industrial augmented reality is picking up steam during the pandemic.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • How Rolls-Royce Exploits Internet of Things Data
  • Developing a Critical Infrastructure Cybersecurity Strategy
  • Rethinking Smart Manufacturing for the New Normal
  • Digital Shop Floor Initiatives Benefit from Careful Planning

News

View all

Private LTE Market Projected to Grow to $13 Billion

12th January 2021

IoT World Announces 2021 IoT World Advisory Board

9th December 2020

White Papers

View all

Zero Trust Manufacturing: Navigating Complex Supply Chains to Build Trusted IoT Devices

27th January 2021

IoTConnect and How to Get Started

27th January 2021

Special Reports

View all

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

Webinars

View all

Weber’s Journey: How a Top Grill Maker Serves Up Connected Cooking

25th February 2021

From Insights to Action: Best Practices for Implementing Connected Device Security

15th December 2020

Galleries

View all

Top IoT Trends to Watch in 2020

26th January 2020

Five of the Most Promising Digital Health Technologies

14th January 2020

Industry Perspectives

View all

IoT Spending Holds Firm — Tempered by Dose of ‘IoT Pragmatism’

1st December 2020

The Great IoT Connectivity Lockdown

11th May 2020

Events

View all

IoT at the Edge

17th March 2021

Embedded IoT World 2021

28th April 2021 - 29th April 2021

IoT World 2021

2nd November 2021 - 4th November 2021

Twitter

IoTWorldToday, IoTWorldSeries

#IoTpentesting is critical as #IoTdevices proliferate and #edgecomputing becomes the norm. dlvr.it/RrWr0Y https://t.co/LsMH1VJJFk

28th January 2021
IoTWorldToday, IoTWorldSeries

Zero Trust Manufacturing: Navigating Complex Supply Chains to Build Trusted IoT Devices dlvr.it/RrTDP4 https://t.co/fuH0GrHJrX

27th January 2021
IoTWorldToday, IoTWorldSeries

PKI: The Solution for Designing Secure IoT Devices dlvr.it/RrTDNF https://t.co/KBWcsksAQi

27th January 2021
IoTWorldToday, IoTWorldSeries

Five Guiding Tenets for IoT Security dlvr.it/RrTDGS https://t.co/Ss17Vn4sFw

27th January 2021
IoTWorldToday, IoTWorldSeries

📢 Announcing #EIOTWORLD Silver Sponsor @ONETech_AI! 💡 Learn more about sponsoring Embedded IoT World here:… twitter.com/i/web/status/1…

27th January 2021
IoTWorldToday, IoTWorldSeries

IoTConnect and How to Get Started dlvr.it/RrT1gl https://t.co/6Vci1hvOV2

27th January 2021
IoTWorldToday, IoTWorldSeries

RT @IoTWorldToday: #IoTsecuritytrends in 2021 will feature new threats given #remotework, #digitalhealth and #edgecomputing. https://t.co/S…

27th January 2021
IoTWorldToday, IoTWorldSeries

#IoTsecuritytrends in 2021 will feature new threats given #remotework, #digitalhealth and #edgecomputing.… twitter.com/i/web/status/1…

25th January 2021

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X