Industrial cybersecurity is years behind; IoT security has a standards issue

Industry 4.0 and industrial transformation overall require heightened attention to cybersecurity. Yet industrial cybersecurity is years behind general IT security, and standards pose a challenge for IoT security, says the TÜV Rheinland Cybersecurity Trend Report 2019.

It’s high time to protect safety-critical operational technology (OT, converging with IT in Industrial IoT) from cyberattacks. The warning isn’t new but takes center stage in the Cybersecurity Trend Report 2019 of TÜV Rheinland, the independent inspection services group.

As it does each year, the report contains findings from TÜV Rheinland’s own cybersecurity experts and from companies in Europe, North America and Asia. Realizing the vision of Industry 4.0 or, in general, industrial transformation projects in the converging world of OT and IT often needs even more attention from a cybersecurity perspective, given the significant consequences cyberattacks can have in many Industrial IoT environments and the fact that the attack surface of organizations continues to expand with all those devices.

The existential question for many companies will be whether they can manage the security challenges in the digital economy. It may simply amount to a question of success or failure, without the opportunity to compromise (Björn Haan, MD Cybersecurity Germany at TÜV Rheinland)

The challenges are well known, as is the increase of, among others, state-sponsored attacks on critical infrastructure and of security concerns regarding, for example, industrial control systems. Yet TÜV Rheinland states that industry is only slowly realizing the risk to their plants and systems through cybersecurity attacks, as the infographic from the report’s main page at the bottom of this post shows. It’s a scary finding at a time when organizations in critical industrial markets really should be looking at cyber resilience instead of just security.

TUV Rheinland Cybersecurity Trends 2019 - 8 OT IT and IoT security trends

OT security risks and weaknesses in OT systems can’t be overlooked anymore

Moreover, OT security risks must be better understood, and action needs to be taken – and that’s not all. From an IoT security standards challenge to a shortage of skilled workers: the industry has quite a few challenges ahead.

TÜV Rheinland is not particularly optimistic about the (near) future, citing, among other things, the fact that weaknesses in OT systems have been overlooked for too long despite the impact they can have.

Standards prove to be an ongoing concern regarding IoT cybersecurity in the industrial space (more below). So it is more than time for increased action, not just because that should be obvious but also because, as TÜV Rheinland puts it in one of the findings, how well organizations can ensure the security of their data and IT in the digital economy determines their success or failure.

Industry is only slowly realizing the risk to their plants and systems through cybersecurity attacks

In the sixth annual edition of its Cybersecurity Trend Report, TÜV Rheinland further writes that companies are increasingly recognizing cyberattacks as a key business risk and are starting to align their organization accordingly.

The report looks at, among other things, how cybercrime influences operational technology and the Internet of Things (IoT), why the skills shortage could become a growing problem and what role concepts such as Red Teaming or agile security are expected to play.

Takeaways from TÜV Rheinland’s Cybersecurity Trend Report 2019

We summarize a few of the mentioned and other “trends” from the 2019 edition of TÜV Rheinland’s Cybersecurity Trend Report below.

Cybersecurity has become a topic for senior management

Until recently, lack of cybersecurity was seen not as a business risk but as an IT issue. This has changed, TÜV Rheinland points out.

A reason for this changing view, according to the inspection services group? Not so much the many years of warnings as the impact of the NotPetya cyberattack in 2017, which it refers to as the most expensive cyber-attack in history, citing the losses of several large companies such as Maersk, FedEx, WPP, and Reckitt Benckiser.

OT cybersecurity risks must be better understood…do not wait for tougher cybersecurity regulations

At the same time, violations of data protection remain a cause for concern, the group reminds us. Risks associated with a lack of cybersecurity have thus evolved from a hypothetical problem to a recognized business risk.

All of this seems to have – finally – led to long-term changes in the management of cybersecurity risks and the question of who is responsible for this issue.

Industrial cybersecurity is years behind mainstream IT security

Industry insiders know this, but given the mentioned critical nature of several industrial applications it’s essential to keep it in mind. TÜV Rheinland points out that in an OT system, computers detect or manipulate physical processes by controlling and monitoring devices such as electric motors, valves, or relays – and they are used, for example, by energy and water utilities as well as industry. Critical infrastructure indeed.

Protecting safety-critical operational technology from cyber attacks - graphic TÜV Rheinland Cybersecurity Trends 2019 - click for source and more information about the report

Although the lack of cybersecurity of OT systems, also known as industrial cybersecurity, can have serious consequences, as TÜV Rheinland reminds us, it has long been neglected and characterized by indifference and under-investment. Today, the risks of neglecting the protection of OT systems have changed radically due to new technologies and geopolitical tensions. The group refers in particular to systems for security surveillance. If something can become a target, those in charge should do everything possible to prevent the success of such an attack, TÜV Rheinland concludes.

IoT cybersecurity faces a major standards challenge

Across the globe, standards organizations and industry consortia are developing security and privacy standards, which are needed for the development of IoT and OT and, as mentioned, for success or failure.

While this is of course a good thing, for manufacturers it can be confusing and time-consuming to figure out which standards – industrial and regional – they need to take into account in order to be compliant. With different standards – sometimes even conflicting – wasted time can be the result. We might add that the standards issue unfortunately still is a major one and not just with regards to compliance and security standards either.

Then there is the pressure imposed by the GDPR, which represents a turning point for consumer data protection, not just in the EU, but worldwide. For most industries, it will simply be cheaper to design their products and services to meet the highest global standards, rather than relying on geographically limited privacy, TÜV Rheinland states.

Also looming is a shortage of skills, as the importance of security increases and demand for workers in this field is expected to outweigh “supply”. This shortage is particularly a potential challenge for smaller organizations who might not have the means to recruit skilled workers. However, the impact would also be felt by larger ones as supply chains connect large and small businesses.

We’ll tackle some of the other topics such as Red Teams, holistic tests, agile security development (which are gaining mainstream acceptance) and the dependence of threat detection and response on maturing Security Orchestration, Automation, and Response (SOAR) later.

In the meantime you can download the full report in English here and check the source for this article (in German).
