By Elisa Cassi | Cyber Product and Services Manager
Enabling safer and more resilient infrastructures
Lloyd’s Register Foundation and the University of Oxford, with contributions from Nettitude and a wide range of industry players, have recently published a foresight review of Operational Cybersecurity for the Industrial Internet of Things (IIoT).
The foresight review informs the wider cross-industry debate about the cybersecurity-related challenges that come with the adoption of IoT models in industrial environments, and also provides insights for the research community. In particular, the review focuses on IoT-enabled industrial control systems, which are expected to make up a significant proportion of our future critical infrastructure, specifically energy, transport, the built environment and manufacturing facilities.
The foresight review:
1. Presents a vision of what the IIoT is and how it is likely to evolve;
2. Highlights the major challenges for operational cybersecurity in the IIoT domain, and
3. Suggests options for addressing capability gaps, whether technical countermeasures, research targets, regulatory recommendations, or human-centred interventions such as training, organisational culture or information-sharing.
What is the Industrial Internet of Things (IIoT)?
The Internet of Things (IoT) is a network of technologies which interface and compute across the internet, largely without human intervention: it is often a collection of small, low-powered devices designed to function as part of a coordinated system for data collection and analysis. To be part of the IIoT, the digital components must connect to the internet, and this adds a cyber element to something physical, resulting in a cyber-physical system that is potentially vulnerable to cyber-attacks.
IoT-enabled industrial control systems (ICS) are becoming a significant proportion of current and future critical infrastructure, in particular in areas like energy, transport, the built environment and manufacturing facilities.
The consequences of failure in these environments can be severe, so it is essential to understand how to deliver infrastructure that is resilient in the face of these threats. The IIoT exacerbates existing security challenges as well as posing new ones of its own, so it is essential to prioritise actions by identifying key emerging risks and gaps in capability.
What are the key forces driving the adoption of IIoT?
The review identifies four key forces driving the adoption of IIoT technologies:
1. Improving operational processes for safety, productivity, monitoring, efficiency, adaptability, risk management or other outcomes.
2. The green agenda: optimised energy efficiency, proof of energy consumption, etc., whether in support of internal priorities or for external compliance.
3. Data markets: whether to monetise proprietary data on open markets, or to create or expand internal processes and services.
4. Convenience and customer experience: providing data-based customisation and external windows into real-time status will become increasingly valuable.
Together, these drivers contribute to fast-paced changes in terms of:
- Scale and resilience: As the scale of adoption of IoT devices, networks and data grows rapidly, industries such as CNI, manufacturing, energy, transport, utilities and government are developing a critical reliance on IoT systems and their smart functionality.
- Interconnectivity and faster communication: IIoT systems within and across organisations and industries are becoming increasingly connected to each other. Faster and more reliable communications between components of the IIoT are enabling new functionalities and interoperability.
- Automation: A widening range of devices and networks can be created, grow, shrink and disappear without human intervention. This dynamism and agility are increasing as a result of automation and software-defined network architectures.
We envisage that as the IIoT advances, there will be greater potential for cyber harm, which will be more severe and potentially systemic as mission-critical systems are connected and automated. At a conceptual level, existing security standards and guidelines are still relevant for the IIoT, and new guidelines specific to IoT are being published (e.g. the ENISA framework for IoT and the ENISA good practices for IoT). In practice, however, the ability to deliver these capabilities is altered in the IIoT and does not necessarily scale as expected. There are clear gaps in skills and awareness, and as manual fall-back becomes infeasible for complex IIoT environments, the approach to recovery will need to change. There are also challenges for mindset, regulation and insurance as we seek to promote improved security practice.
Emergent risks in the IIoT domain
The report identifies the following risks within the IIoT domain:
1. Risk of harm propagation, in particular through the supply chain. As interoperability between organisations increases, so does the risk that harms will propagate across critical industrial systems, with systemic societal impacts.
In particular, looking at the supply chain, as the density of IIoT devices and connections grows, mapping, monitoring or mitigating supply-chain risks will become increasingly difficult.
2. Unclear responsibility and shared ownership. Deciding who is responsible for applying operational cybersecurity measures becomes a challenge in distributed systems where organisations increasingly rely on service providers.
Additionally, manufacturers and customers share risk and ownership of data. Contracts increasingly relate to the provision of services, or licensed use of data, rather than defining straightforward data ownership.
The emerging risks can be shared at many levels, including business, individual, societal, community or national. This diffusion of responsibility may prevent adequate security measures from being taken.
3. Exposure to upstream and downstream risk and exposure to risk through users. The upstream or downstream data flow might not be under an organisation’s control (either technically or contractually) but the organisation will still be exposed to resultant risks.
Also, users of devices can expose the device owner, or even the manufacturer, to risk. As security measures may be circumvented, ignored or removed by users, data sources might become compromised, or organisations might be subject to liability for failed components.
4. Enslaved IoT. There is the risk that botnets made of compromised IoT devices could be coordinated in highly distributed attacks and used to create much greater harm. Far larger botnets will be achievable, simply due to the number of devices available for enslavement, and these new IoT botnets will be extremely difficult to defend against.
Should significant damage arise from such IoT-powered botnets, the legal liability of device owners and manufacturers is likely to become a focus for risk control.
Looking ahead: recommendations and actionable findings for IIoT technologies
The foresight review highlights the need to adopt a set of guiding principles to increase the pace of operational cybersecurity change:
- Assume failure as a basis for security strategy development, and always consider the consequences of harm when planning how to manage risks.
- Assume insider threat within systems and supply chains; in particular, consider how your supply chains are using IoT, and treat their failure to maintain cybersecurity as a risk in your own security risk management plans.
- Assume the potential for systemic risk, and seek ways to identify and test for where it might manifest, together with methods for limiting harm propagation.
- Use techniques that provide a continuous (near real-time) assessment of your security position, as opposed to periodic assessments.
- Invest in forensic readiness processes.
- Invest in training for staff on IoT standards and good practice.
The review also identifies an urgent need for further research and investigation aimed at understanding risk control performance, defining new liability models and exploring international cooperation to develop trust in the supply chain for IIoT devices and software.
If you want to know more, please don’t hesitate to get in touch.