In the old world, operational technology (OT) was self-contained within the enterprise. Sensors, actuators, programmable logic controllers, and everything else were hardwired and used long-established protocols, and security was not much of an issue. Enterprise IT systems enjoyed the same comfortable existence, and most security concerns were simply about the levels of access that people within the organisation should be given.
The arrival of the internet and cloud platforms changed everything. IT leaders were forced to focus on enterprise network security to prevent access by outside intruders. Security protocols were developed and implemented, and these were universally built upon software-based protection with the inevitable stream of patches to follow as new threats were identified. This threat-and-response cycle is ongoing and responsibility for warding off threats has traditionally come under the remit of enterprise IT specialists within organisations.
We’ve also seen the emergence of the specialist role of Chief Information Security Officer (CISO). Most of the individuals occupying these roles come from an IT background where the hardware is almost irrelevant – their focus is on using software to address threats, wherever they see vulnerabilities. They focus on making servers, routers, and gateways secure, often forgetting about the little IoT devices that they’ve not had to consider before. It’s like locking a couple of doors to secure your house but leaving ten windows wide open.
Meanwhile, many OT operators have been dragged, often reluctantly, into the online world. The promises of greater operational efficiency, better preventative maintenance, and greater insights into their enterprises through effective data collection and analysis have proven too attractive to ignore. Others have held back, not least through security fears, which have proven to be well-founded. As a result, the widely forecast 50 billion IoT devices by 2020 are now seen as wildly optimistic. According to cellular connectivity specialist Eseye, 41 billion of them are missing. Estimates from other analysts vary but all seem to agree that the early estimates were a long way off the mark. There’s a lot of friction in play here.
Caution has been warranted. According to a 2019 Forrester study carried out across 400 North American manufacturing companies, 41% had experienced at least one system attack in the previous 12 months, 66% had experienced an IoT-related security incident, and 76% felt their current security practices were not adequate. More recent reports highlight how fast these threats are growing.
In a two-year study sponsored by Microsoft, published in November 2021, 44% of the IT and IT security professionals surveyed said that their organisations had experienced an IoT/OT cyberattack in the past two years, and 60% said that IoT/OT devices are one of the least secured parts of their organisations’ IT/OT infrastructure.
The sheer quantity and diversity of IoT devices make IoT security so challenging. With billions of devices deployed, the majority with little consideration for security, the attack surface for malicious actors is immense – almost too good to be true.
The diversity of sensors, actuators, HMIs, and other IoT devices within a typical industrial network makes it difficult, if not impossible, to protect everything with software patching. Many of those responsible for IoT and OT networks admit to not even having visibility of all the devices in their systems, let alone the ability to ensure that they are secure.
In these circumstances, the answer is to build security into the hardware of every IoT device. IoT devices are almost invariably built around or controlled by semiconductor chips. Most of these are microcontrollers or microprocessors; others are custom-designed integrated circuits.
The foundation of good IoT security is to use these digital chips to give each IoT device a unique, immutable, and unforgeable identity in the form of a random number. The same chips need to be able to generate or securely store cryptographic keys. These are also random numbers and are needed to encrypt and decrypt data to ensure secure communications between IoT devices and their server-based applications. Together, the device identities and cryptographic keys form a root-of-trust for each device. Without that root-of-trust built into device hardware, the network can never be secure – the IoT device windows are permanently open to intruders.
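The sketch below is an added example, not code from the article or from any product it mentions. It shows why the identity and the key have to work together: a server that knows a device's identity and key can challenge it with a fresh random number, so a device that presents a copied identity without the key, or replays an old answer, is rejected. The `Device` and `Server` classes, the symmetric HMAC-SHA256 scheme and the enrolment step are assumptions made for illustration; the article does not specify a scheme.

```python
import hashlib
import hmac
import secrets


class Device:
    """Constructed stand-in for a chip holding an identity and a secret key."""
    def __init__(self):
        self.device_id = secrets.token_bytes(16)  # unique identity: a random number
        self._key = secrets.token_bytes(32)       # in real hardware this never leaves the chip

    def enrol(self):
        # Assumption: done once, over a trusted channel, when the device is provisioned.
        return self.device_id, self._key

    def respond(self, nonce):
        # Proves possession of the key without sending the key itself.
        return hmac.new(self._key, self.device_id + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._registry = {}  # device_id -> key
        self._pending = {}   # device_id -> outstanding nonce

    def register(self, device_id, key):
        self._registry[device_id] = key

    def challenge(self, device_id):
        if device_id not in self._registry:
            return None  # unknown identity: no challenge issued
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def verify(self, device_id, response):
        nonce = self._pending.pop(device_id, None)  # single use, so replays fail
        key = self._registry.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    server, genuine = Server(), Device()
    server.register(*genuine.enrol())
    answer = genuine.respond(server.challenge(genuine.device_id))
    ok = server.verify(genuine.device_id, answer)
    clone = Device()                      # has its own key, copies only the identity
    clone.device_id = genuine.device_id
    cloned = server.verify(clone.device_id, clone.respond(server.challenge(clone.device_id)))
    server.challenge(genuine.device_id)   # fresh nonce; the old answer no longer matches
    replayed = server.verify(genuine.device_id, answer)
    return ok, cloned, replayed
```

`demo()` returns the verification result for the genuine device, for the identity-only clone and for the replayed answer, in that order.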
To summarise, connected IoT devices are changing the cybersecurity paradigm for businesses. Enterprise security traditionally is about network security and protecting the assets in that network, but when IoT devices start communicating with services outside the enterprise network, edge security becomes salient. Achieving edge security is tough because of the complex ecosystems and supply chains in the IoT. The only way to solve this problem is for security to be integrated into devices. In other words, to embrace security-by-design in both hardware and software.
Dr Shahram Mossayebi is Co-founder and CEO of Crypto Quantique. He holds an MSc in Information Security and a PhD in Post-Quantum Cryptography, both from Royal Holloway, University of London.
Before founding Crypto Quantique, Shahram worked as a self-employed cybersecurity consultant and as a security solutions architect at CyNation, a risk management company. Of his current role, he says, “After years working in the cybersecurity industry, I have seen how companies are continually choosing between expensive and complex security or highly scaled systems without meaningful protection. Recognising the need for a holistic solution that is easy-to-use at scale yet delivers robust and reliable security for everything from connected cars to high-end consumer goods, I founded Crypto Quantique.”