IoT and Smart Manufacturing: Security must not be an afterthought
The near-daily news of new attacks and incidents around the IoT (Internet of Things) and Smart Manufacturing (or “Industry 4.0”) confirms that security is still commonly an afterthought.
This is by no means surprising. Security has always been an afterthought. Why, then, should it be any different in IoT and Smart Manufacturing? However, the potential damage is far bigger than in traditional IT, for two reasons: It is not only about security anymore, but also about safety. And it is about far more data, much of it sensitive, than ever before. We might even add a third aspect: The financial impact might become considerably bigger, with respect to both availability and liability.
Safety obviously is the biggest challenge. Attacks on connected vehicles can cause accidents, leading to death and injuries. Attacks on the utility industry can cause blackouts with severe consequences. Attacks on the chemical industry or steel mills can cause massive incidents in their production environments. And so on… There is a good reason for many states now defining some industries as “critical” – not only because they are critical for a well-working society, but also because attacks on these can become critical to both the life and health of citizens and the economy.
The second aspect, the vast amount of data in particular in IoT, is another reason. While you could argue that Google and Facebook know all about us anyway, new types of devices, ranging from (again) the connected vehicle to the activity tracker or “smart” watch, collect additional data. Much of that data obviously is sensitive. Information about where you drive and how you drive is sensitive. Data about your health is sensitive as well. That data must be protected appropriately.
The third aspect is about the financial impact of successful attacks. Even though a lot of people will complain if the HR system is down for 24 hours, the real impact to the business is low. It might cause a few challenges in onboarding new employees. It might delay the monthly paycheck by a few hours. But who will really notice that the payment is a few hours late? On the other hand, a production line stopping for some hours can cause damage in the millions. It can become even more expensive, e.g. in the case of attacks on blast furnaces in steel mills, where it can take weeks to restart.
The same holds true when looking at liability issues. Imagine some robots introducing small faults when producing goods, leading to massive recall and repair activities some months later. This is the real problem, not some “dancing” robots. The latter will be observed immediately, so it can be fixed immediately. But small mistakes might remain hidden for a while, with a far higher cost to resolve.
There are good reasons to say farewell to the old habit of security being an afterthought. Neither IoT nor Smart Manufacturing has room for weak security. Security by Design and Privacy by Design must become mandatory principles in both areas. That means modern security, by the way, taking into account all requirements such as secure and immediate patching and fine-grained access control to information for various parties. We can’t rely on patching firmware manually anymore in these days of Digital Transformation and Hyper-Connected Businesses. We will only be able to meet all parties’ requirements through well-thought-out access controls on data – think about insurance companies, automotive vendors, and police (and there are more parties) being interested in “black box” data of future cars.
Success in Digital Transformation, where IoT and Smart Manufacturing are vital elements, also depends on solving security well. Being good in that discipline increasingly becomes a competitive advantage: It reduces risks and it increases agility, by allowing for more flexible business models when it comes to sharing data and providing access. Security as an afterthought also means not having thought enough about what the Digital Transformation is really about.
Martin Kuppinger is Founder of the independent Analyst Company KuppingerCole and, as Principal Analyst, is responsible for the KuppingerCole research. In his 25 years of IT experience he has written more than 50 IT-related books and is known as a widely-read columnist and author of technical articles and reviews, as well as a well-established speaker and moderator at seminars and congresses. His interest in Identity Management dates back to the 80s, when he also gained considerable experience in software architecture development. Over the years, he added several other fields of research, including virtualization, cloud computing, overall IT security, and others. Having studied economics, he combines in-depth IT knowledge with a strong business perspective.