Cyber Safety & Security are a Shared Responsibility

From Kepware Technologies

The Industrial Internet of Things (IIoT) has introduced unprecedented connectivity and major shifts in the way businesses innovate and operate. To realize the full promise of IIoT, we must all acknowledge the possible peril connected technology presents and each take responsibility for securing the IIoT landscape. We must work together.

With the advent of physical and digital convergence, now that bits and bytes meet flesh and blood, this new world requires a fusion of once disparate disciplines — and even innovation.

Changing Threat Landscape

1. Predators. Software is not new to safety-critical environments, but the growing levels of remote connectivity are changing our threat models — significantly. Systems that once enjoyed air gaps now are deliberately connecting and exposing themselves to myriad accidents and adversaries. Systems that enjoyed relative obscurity from predators now find themselves both prone and prey.

Worse, many of these attacks are being perpetrated by top predators such as nation-state adversaries, with significant resources and tenacity. And perhaps even worse than that, malicious intent is not a prerequisite to harm.

Safety-critical and industrial IIoT environments simultaneously:

• Face some of our most capable and funded adversaries.
• Carry relatively higher consequences of failure.
• Can be significantly under-resourced and immature with regard to cyber hygiene.

2. Ourselves. Most industrial and safety-critical environments are change-averse and far from nimble. As W. Edwards Deming said, “It is not necessary to change. Survival is not mandatory.” But we choose not only survival, but the transformation of the way we innovate and operate. Therefore, we need to act now to fight the inertia that prevents change.

Failing to act, whether willfully or unknowingly, imperils the promise of IIoT, as illustrated in the table.

3. The Relay Race. We are in a complex relay race against the clock, which is perhaps our greatest challenge. The pace of connectivity continues to accelerate and our adversaries’ sophistication is evolving rapidly. But today, the ecosystem and supply chain players are notoriously slow to deploy, change or patch/update.

As an example of how we’re losing the race against the clock, let’s take a look at the current statistics between vulnerability exploitation and vulnerability remediation. When a new Common Vulnerabilities and Exposures (CVE) — publicly known security vulnerabilities — is published, we’re now seeing the attackers’ mean-time-to-exploitation of that vulnerability compressing down to days. In stark contrast, the defenders mean-time-to-remediation or mean-time-to-patch still is holding at months or years.

Delays in any leg of this relay race or a poorly executed baton hand-off among stakeholders allows for accidents and creates opportunities for adversaries to cause significant cyber physical harm.

Stakeholders need to be aware that:

• It’s not enough to supply a security fix or patch in one “leg” of the IIoT landscape if downstream players introduce or allow elective or egregious.
• It’s not enough for fixes to get to the last mile only for operators to wait another six months or a year to enhance operational security.

Remove Obstacles Early

Compression and streamlining must occur not only at each leg of this relay race, but also with an eye toward how change flows throughout the entire ecosystem to achieve the ultimate desired result. All stakeholders should be considered and brought to the table to remove obstacles. This includes regulators, auditors and certification authorities, who, with the best of intentions, can contribute to and perpetuate our collective inertia.

Located in Portland, Maine, Kepware Technologies is a software development business of PTC Inc. and an Encompass^TM Product Partner in the Rockwell Automation PartnerNetwork^TM program. The company provides next-generation cybersecurity. Its DualDiode technology has been deployed in more than 2,000 solutions across government, military and critical infrastructure networks.

^{The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.}