At three recent conferences, security of IIoT devices was identified as a critical review requirement when using IoT in equipment and process systems. Two of the conferences focused on medical equipment and the third on process industries. All shared one common concern: as systems become more advanced and incorporate more technology, the attack surface grows and the potential for intrusion increases.
In the medical equipment industry, patient information privacy requirements have compelled hospitals and clinics to restrict field service access and limit the use of common field service technology tools.
Now, the emergence of IIoT sensors, edge devices and associated cloud applications, coupled with IT/OT integration in many organizations, has given attackers new entry points: compromise one of these newer technologies, and from there pivot into the more sensitive IT systems behind it.
The consensus is that the benefits of IIoT and its associated analytics far outweigh the risks. However, the risks must be recognized and mitigated. IIoT is delivering on the promise of increased asset performance, customer satisfaction and the creation of new service models. But if potential intrusion points are left unprotected, the consequences, as the incidents below show, can be severe.
At the recent ARC Industry Forum in February, one of the presenters was a security lead at the Department of Homeland Security (an indication of how damaging potential security breaches can be). One key issue was the merging of IT systems with machine and operating technology. As equipment and process systems become more advanced, with more automation and communication functions, they are often connected to IT systems in order to report production data, generate alerts and perform other valuable functions. However, unless that connection is segmented and access to it is tightly controlled, the same link exposes sensitive IT systems, such as finance and HR, to anything that compromises the equipment side.
Three examples were detailed in the conference session:
1. The most widely known is probably the breach of Target Stores, where payment card data on the POS systems was accessed using the stolen login credentials of an HVAC contractor. This contractor monitored equipment performance and energy usage. Once the attackers were inside the network, they were able to move laterally undetected and install malware on the POS systems. This resulted in the theft of data associated with 40 million credit and debit cards.
2. Another example is shipping giant A.P. Moller-Maersk, which was hit by the NotPetya attack. It disrupted operations by halting shipments, orders and other transactions. The attack did not involve the extraction of sensitive data, and paying was not a way out: NotPetya presented itself as ransomware, but its payment channel was unusable and the encryption was effectively irreversible. Maersk recovered only by rebuilding its IT infrastructure, and admitted the attack cost $200-300M in lost revenue.
3. Finally, as confirmation of some attackers' particular ruthlessness, hospitals in the US, UK and other countries became the victims of NotPetya and WannaCry ransomware. These attacks encrypted files and essentially locked staff out of the IT infrastructure; recovery meant restoring or rebuilding systems rather than paying. One widely known attack left 16 hospitals in the UK with inaccessible systems. Even more frightening, Forbes reported last year that one attack directly infected medical devices with this ransomware.
So, how can we mitigate some of these risks?
Coresystems Chief Security Officer, Peter Mountain says: "First, be aware that there is a potential threat and then follow policies and procedures to help guide you and your organization towards the safe, legal use of personal data. Remember that this data belongs to your clients, not you or your organization. A digital virus is just like a biological virus. When it infects its host target, it causes pain, fever and loss of revenue. Sometimes even the demise of its target."
Assume that your customers will integrate your equipment into their IT systems, and review each potential intrusion point in your own system: IIoT sensors, edge devices, cloud applications, remote service access, and even the patch and update process itself. For each one, ask who can authenticate to it, where it can reach on the network once connected, and how the software it runs or receives is verified. You add significant value for your customers by making this part of your discussions on system design and implementation. This will help maximize the benefits of IIoT and minimize the risks.
Learn more about Data Protection and read the interview with our Chief Security Officer: 11 questions about GDPR
Author: Mike Fuller, Sales Development Representative USA, Coresystems