IoT as a challenge for security
A strategy for Internet of Things (IoT) is essential for companies. IoT is one of the most underestimated and neglected cybersecurity threats. The use of digital technologies offers immense potential - but also poses considerable risks. Vulnerabilities in devices are (unfortunately) omnipresent and the number of malware is continuously increasing. Holistic approaches and a systematic approach are needed to establish cybersecurity in the fast-growing IoT.
Increasing mobility and the use of connected devices mean that access points are ubiquitous. It is estimated that by 2019, around 85 percent of Swiss companies will have IoT components in use. This means that connectivity is penetrating business areas that were previously independent. Industrial production is also being transformed by advancing digitalization. The increased use of digital technologies will bring about a major change in the world of work in the coming years. Computers, robots, intelligent devices, etc. perform increasingly sophisticated tasks and communicate not only with people, but also with each other and with the manufactured products. This close integration of artificial intelligence elements, machines and employees is creating a new, networked workforce in the manufacturing industry. Compared to traditional, isolated devices, those with IoT technology have many advantages, such as greater efficiency and automation.
Security risk increases due to networking
Companies are therefore becoming increasingly dependent on networking, communication, IoT and Industry 4.0, which also increases the risk of such systems being manipulated or disrupted. The potential increases equivalently to the possibilities: Theft, fraud, extortion and manipulation are possible consequences. With the use of cryptocurrencies such as Ethereum, Bitcoin or Litecoin (non-exhaustive list) as micro-payment systems, the risk of attack is further increased - without the user being directly involved. Attacks on the air conditioning, ventilation and control systems at a US discount retailer, the "WannaCry" attack on the UK National Health Service or IoT botnets have shown this very clearly. Tragic, really, because studies continually point to countless vulnerabilities. At the same time, basic security principles that have been considered best practice for years often fail to find their way into the development cycle of IoT components. The fly in the ointment - once again - is security. Politicians have also noticed this. Therefore, the National Council approved a postulate 17.4295 in the final session of the spring session. The Federal Council is now to show how the security of IoT devices is to be increased and how misuse for cybercrime is to be made more difficult.
Acting instead of reacting
Cybersecurity should be high on every agenda - and not just when something has gone wrong. Anyone who deals with IoT and Industry 4.0 must also deal with the issue of security. It is advisable to take a systematic approach and give security the necessary weight. International standards (for example, the ISO/IEC 270xx family or the cyber security framework from NIST; more IoT-specific security standards are being developed) offer recognized models for the establishment, implementation, review and continuous improvement based on an information security management system (ISMS).
Technologically, the key to security lies in a suitable architecture and the appropriate zoning for IoT and Industry 4.0 networks. One of the most important aspects is the authentication and protection of data, as well as the optimal segmentation of the environments, data streams, operating processes and monitoring of the zone transitions and data streams created in this way. Thus, it is necessary to establish different lines of defense. Each zone and each zone transition must be provided with appropriate security measures. Here, it is important to follow proven best-practice approaches. In addition, regular update and patch management of IoT devices should not be forgotten. IoT security as an integral part of cybersecurity IoT security is not a one-time affair, as the risk situation is constantly changing. Companies must continuously monitor the current threat situation and optimize and constantly improve their security posture, taking into account new threats and vulnerabilities. Important elements of security governance therefore include risk assessments, organizational audits, system security testing, penetration tests and vulnerability scans etc. Companies should be able to identify security incidents at any time, react to them and reduce the impact to a minimum. Security should not be a topic that is addressed sometime after the fact - possibly only after an incident has occurred. Anyone who deals with IoT and Industry 4.0 must also deal with cyber defense.
Markus Limacher, Head of Security Consulting, InfoGuard AG, Baar
