A new report has painted a gloomy picture of the security of industrial IoT (IIoT), and the prospects for improvement.
The report, Foresight review of cyber security for the Industrial IoT, from Lloyd’s Register Foundation, a not-for-profit created by Lloyd’s Register, says the current pace of change in operational security capabilities will not match the fast emergence of new security risks in IIoT environments.
It says existing security standards and guidelines are relevant for IIoT, but the ability to deliver these capabilities, and the ways in which they must be delivered, are altered in IIoT.
“Often capabilities do not scale, are not interoperable, are not technically feasible, do not exist yet, or are not tested,” the report says.
“As an added complication, gaps in some key capabilities have consequences for other risk controls. There are widening gaps in skills and awareness.”
There have been several initiatives to legislate security for IoT devices, but most of these, like that from the UK Government, have focussed on consumer IoT devices.
The report warns that industry is at a tipping point for recovery. “As manual fall-back becomes infeasible for complicated systems-of-systems and mesh environments, the approach to recovery will need to change.”
Multiple challenges
And: “There are also challenges for mindset, regulation and insurance, as we seek to promote improved security practice.”
The report recommends the development of a set of guiding principles to increase the pace of operational cyber security change sufficiently to harden positions:
- “assume failure” as a basis for risk scenario planning, architecture and security strategy development;
- “assume insider threat” within systems and supply chains;
- “assume potential for systemic risk” and seek ways to identify and test for where it might manifest, and methods for limiting harm propagation.
It says there is “an urgent need for further research and investigation aimed at understanding and evidencing risk control performance.”
This would include: study into liability models, practicalities and implications for IoT markets; and exploration of potential international cooperation to develop trust in the supply chain for IIoT devices and software.
Dire consequences
The report warns that compromised IIoT security could have significant consequences for public safety and global economic wellbeing. It ends with a call to action to develop a better understanding of systemic risk potential in IIoT, and for proof-of-concept cyber security demonstrators for emerging IIoT environments, so that best practice proliferates and capacity is built around the globe.
The report was authored by a number of academics from the University of Oxford; by Robert Hannigan, director of the UK Government’s GCHQ from 2014 to 2017 and now chairman of US cyber security provider BlueVoyant; and by Ali El Kaafarani, founder and CEO of PQShield, a company specialising in post-quantum cryptography that originated in the university. It was developed in part from workshops held in Singapore, Oxford and San Francisco in late 2019 and early 2020 with more than 100 contributors.