Why Industry 4.0 must think more like Apple

Credit to Author: Jonny Evans | Date: Tue, 31 May 2022 12:16:00 -0700

For industrial applications, the Internet of Things risks becoming the Internet of Thieves. Perhaps industries making use of connected solutions should take a leaf out of the Apple book and lock down their infrastructure.

As digital processes become deeply embedded across every industry, it makes sense that industrial control systems were tested at this year’s Pwn2Own contest. Hackers were asked to seek out vulnerabilities in industrial software and systems.

Contest winners Daan Keuper and Thijs Alkemade found that once they managed to break into the IT networks used at these companies, it was “relatively easy” to then cause havoc with systems and equipment.

In part, this is because at this stage of the transformation, much of the equipment used in manufacturing wasn’t originally designed to be connected to the internet or has weak or outdated security.

IT understands this, of course, which is why industrial IoT deployments tend to secure the IT networks they use. But that also means the perimeter is often the only control: if those networks are penetrated, much of the deployed equipment behind them lacks any additional protection, and numerous potential attack surfaces are exposed at once.

This is never good, but at present the threat to critical infrastructure is growing.

In the event that security is broken, attackers may take over machinery, modify processes, or simply choose to shutter production. This can have huge consequences — on the company, its customers and partners, and across already creaking supply chains.

Louis Priem, consultant at ICT Group, said, “Systems in factory environments typically run 24/7, so there is very little opportunity to patch vulnerabilities. In addition, there is a lot of legacy, as machines are purchased for the long term, and there is usually no opportunity to install antivirus applications. All these make the industrial sector vulnerable to malicious parties.”

Speaking to MIT Technology Review, the Pwn2Own winners warned that security in industrial control systems is lagging badly behind. Think of how the 2013 attack against Target began with network credentials stolen from a third-party HVAC contractor, which the attackers then used to reach the retailer's corporate network. Every endpoint, and every vendor connection into the network, needs protecting.

These days more than ever, security lives at the edge.

It’s not as if we couldn’t see problems like this coming.

The evolution of industrial IoT has seen the creation of a myriad of different standards with differing security levels. This has driven many in the space (including Apple) to develop joint standards for connected devices.

Matter, the consumer IoT standard that is the first fruit of that effort, should arrive this year, while Thread, the low-power IPv6 mesh networking protocol that Matter devices can run over, is already seeing deployment. (I'm expecting more news regarding Matter pretty soon, potentially at WWDC.)

“Thread is based on the universally deployed Internet Protocol version 6 (IPv6) standard, making it extremely robust. A Thread network does not rely on a central hub, such as a bridge, so there’s no single point of failure. And Thread has the ability to self-heal – if one node (or accessory in your Thread network) becomes unavailable, the data packets will select an alternate route automatically and the network simply continues to work,” Eve Systems has explained.

To some extent, one way to protect any device is to follow Apple's data-minimization principle: ensure systems do as much as possible with as little information as possible, so that there is less to steal or tamper with when a breach does occur.

While the effort has arguably slowed the company’s progress in AI development in comparison with more cloud-based competitors, Apple’s focus on placing intelligence at the edge is increasingly seen as appropriate.

Mimic Technology and Business & Decision, for example, seem to be developing industrial IoT systems that follow a model in which intelligence sits at the edge.

When combined with other emerging network technologies, such as SD-WAN or private 5G networks, placing intelligence at the edge helps secure industrial networks by making it practical to segment them and cordon off individual endpoints, so that a compromised host in one part of the network cannot reach equipment in another.
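As an added illustration of what cordoning off endpoints means in practice (this is not code from the article, nor from Mimic Technology, Business & Decision or any other vendor named here), the following Python sketch models three network zones and the explicit conduits allowed between them, then audits flow records for traffic that crosses a zone boundary without an allowed conduit. The zones-and-conduits framing is the one used by IEC 62443 and the Purdue model; the zone names, address ranges, port numbers and flow lines are all assumptions constructed for the example.

```python
"""Zone-and-conduit segmentation check for an industrial network.

Added example, not the article's or any vendor's code. Zones, address
ranges, ports and the flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones: enterprise IT, an industrial DMZ holding a jump host,
# and a plant-floor cell containing the PLCs.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "cell": ipaddress.ip_network("192.168.10.0/24"),
}

# Explicit conduits: (src_zone, dst_zone, dst_port, protocol).
# Anything not listed is denied, so enterprise hosts never reach the cell
# directly; they must go through the DMZ jump host.
ALLOWED = {
    ("enterprise", "dmz", 443, "tcp"),  # operators reach the jump host over HTTPS
    ("dmz", "cell", 502, "tcp"),        # jump host speaks Modbus/TCP to PLCs
    ("cell", "dmz", 4840, "tcp"),       # OPC UA telemetry out of the cell (assumed)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Traffic inside one zone is allowed; traffic
    between zones must match an explicit conduit; unmapped hosts are denied."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        return "deny", f"unmapped address ({s}->{d})"
    if s == d:
        return "allow", f"intra-zone {s}"
    if (s, d, flow.dport, flow.proto) in ALLOWED:
        return "allow", f"conduit {s}->{d}:{flow.dport}/{flow.proto}"
    return "deny", f"no conduit {s}->{d}:{flow.dport}/{flow.proto}"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def audit(lines) -> list[tuple[Flow, str, str]]:
    """Evaluate each record and return only the denied flows."""
    denied = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, verdict, reason))
    return denied


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    "10.1.5.23 10.2.0.10 443 tcp",        # operator -> jump host: allowed
    "10.2.0.10 192.168.10.7 502 tcp",     # jump host -> PLC over Modbus: allowed
    "10.1.5.23 192.168.10.7 502 tcp",     # IT workstation straight to a PLC: denied
    "10.1.5.23 192.168.10.7 44818 tcp",   # EtherNet/IP from IT into the cell: denied
    "192.168.10.7 10.1.9.9 445 tcp",      # PLC reaching back into IT over SMB: denied
    "192.168.10.7 192.168.10.8 502 tcp",  # PLC to PLC inside the cell: allowed
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper()} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({reason})")
```

The important design choice is the default: anything not listed as a conduit is denied, so an enterprise workstation talking Modbus/TCP directly to a PLC is flagged even though nothing about the IT network itself looks compromised. Run stand-alone, the script prints the three denied flows.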

The problem, of course, is that not every connected system is smart enough to be so protected, while the different priorities of IT and operational technology (OT) teams mean attackers enjoy a wealth of potential vulnerabilities to choose from.

And that’s even before dumb, short-sighted governments force sideloading and inherently insecure device security back doors onto the mobile systems and platforms we increasingly rely on to keep our connected infrastructure secure.

Perhaps enterprise IoT needs to borrow a page from the Apple book and design systems that are inherently more secure than anyone thinks they need? Because it’s only a matter of time before they find that anything less won’t do.
