KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The Internet of Things tends to mean different things to different people. This diversity of understandings makes it hard to pick up speed in joint efforts to improve the security of IoT. Fortunately, recent developments in international collaboration, particularly in standardisation initiatives, have started to bear fruits in this direction. This talk will introduce the landscape of standardisation IoT security, highlighting particular areas of technical significance to security and where improvements are challenging. In addition, areas where standardisation initiatives have been converging towards common goals - and making progress - will be identified and presented.
The Internet of Things tends to mean different things to different people. This diversity of understandings makes it hard to pick up speed in joint efforts to improve the security of IoT. Fortunately, recent developments in international collaboration, particularly in standardisation initiatives, have started to bear fruits in this direction. This talk will introduce the landscape of standardisation IoT security, highlighting particular areas of technical significance to security and where improvements are challenging. In addition, areas where standardisation initiatives have been converging towards common goals - and making progress - will be identified and presented.
Experts define Operational Technology (OT) as «hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.»
OT differs from IT, in terms of functionalities, the culture of operators and threats. In recent months, we witness an increasing convergence of IT and OT systems. This area is a novel and rapidly expanding one for both cybercrime and industry. Recent IBM’s 2020 X-Force Threat Intelligence Index summarizes that attacks targeting operational technology (OT) infrastructure increased by over 2000 per cent in 2019 compared to the previous year. The COVID-19 pandemic accelerated these trends: it is the digital accelerant of the decade and accelerated companies’ digital transformations by approximately a global average of 6 years.
For example, one of the impacts of COVID-19 –at least until a vaccine is discovered– is the reduction of on-site staff. In the case of OT systems, this put a strain on the already limited resources and required an increase in external connectivity. The result is the numerous industrial plants exposed to, for example, ransomware attacks.
From a bird-fly point of view, IT and OT are still missing a holistic approach that includes cybersecurity, physical security and cyber-physical security, an integrated cyber-risk estimation and governance models able to span across IT and OT domains. Overall the primary need concentrates around as reconciliation of IT Security (typically built on Confidentiality-Integrity-Availability paradigm) with OT Cybersecurity (which fundamental properties are instead Safety-Reliability-Productivity).
Key Takeaways:
- Status of IT and OT security
- long term impacts of the pandemic on the digital transformation agenda of industry
- Main challenges and trends for the IT and OT security
- Some possible solutions
As more and more consumers, businesses, public sector companies and even whole countries are embracing the Digital Transformation, smart devices of all types are proliferating in all areas of our daily lives. It is safe to say, however, that, after the initial rush of making every device in the world smart and connected, the Internet of Things has already passed the peak of inflated expectations, with both vendors and users of the technology finally starting to care more about such things as interoperability and security. Although consumers have recently become somewhat disillusioned about “smart homes”, the industrial IoT segment is growing, fueled by the constant need of companies to increase their operational efficiency in the digital age. Unfortunately, many existing IoT devices were never designed with security in mind and lack any technical capacity to perform basic identity and access management or protection against cyberattacks, which makes them easy targets for hackers.
Identity management plays an important role in protecting both IoT devices and the systems with which they interact. Digital identity is the basis for authenticating and authorizing device management and data flows. For years, identity has played a crucial role in protecting users, applications, and services. Bringing the notion of identity to smart industrial devices is thus especially important for ensuring not just information security but physical safety and business continuity of manufacturing, power generation, transportation and many other critical processes.
- More aggressive, complex and well organized: Cyber threat landscape on the rise
- Cyber Security – added value for industry 4.0?
- Industry 4.0 needs company-specific security strategies
In his talk, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will look at security challenges in Industry 4.0 and how established technologies from IAM and cybersecurity might be utilized for improving security. His talk will also cover the wide range of themes to look at from a security perspective in Industry 4.0, including Edge Computing and SASE.
The Internet of Things is disrupting all industries and use cases; from customer IoT, to Industrial IoT. Companies are forced to become more innovative with their products whilst their services are being, or will be, digitized. Top drivers of this digitization are eroding margins and changing customer behaviour, whereas new market disruptors face security challenges. The question now becomes: where do companies decide to focus their money and efforts, in order to capitalize on this disruption?
Either on business optimization, by doing things better and more efficiently, or focusing on a business transformation, to move from CAPEX to OPEX.
So I will be focusing a bit on the standards for IOT. And I will start with saying, I think one giving one definition of IOT, if it's not communicating, it's not IOT. So the definition from on the internet of things says that it has to have a communication component inside it. And what it may not have is that it may not interact with a human. So IOT involves machine to machine communication between, you know, embedded computing objects, but also between objects and online services. What are the standards in that space? There are a lot.
So we have standards from three GPP for mobile communications and also for the communication mode known as narrow band IOT, which is optimized for IOT products. We have standards from one M Tom, which is focusing on the service layer that you can use then to build applications for IOT in a technology agnostic way. We have standards from I ETF basically also security standards there, GSMA, which is basically giving us industry best practices for IOT, especially narrowband IOT, since GSMA is focusing in the domain of mobile operators.
It's an industry association and of course, standards from Oasis OS for web application security I and international standards. Now, if we look at IOT, I want to give you at first a view of what are the risk components. IOT is basically about a value chain. There's an embedded computing product, which is communicating through some infrastructure, either to other embedded computing products or also to some online services.
So all these stakeholders are part of the things, the, the kind of entities that get involved in IOT, you will have service customers, which are the users of the online of the online services involved in IOT. These are not necessarily human users. They can be applications, right? You have the service provider, which is basically what the on IOT service is running.
You have your platform provider, and then you have connectivity providers, device, provider, and that's basically at the device provider where we see the aggregation of the different components that you get from the supply chain perspective. So you have component providers, someone may be manufacturing the, your IOT product, the device, and somebody else may also giving you the framework for, for it, because it may be a firmware based on an open source component. And therefore it's not entirely within one player to own that. So this is like the risk ecosystem of IOT.
And I want to give you just a brief overview, just a brief enumeration of the different kinds of, of standards that we have here. So in IOT, it's not the problem that we don't have standards for things. We have a lot of standards for different aspects of it. What we are challenged with is basically the fragmentation that we have in IOT, because we are covering many domains, consumer industrial automotive cellular, and those standards typically having evolved from a different tracks are not entirely aligned sometimes. So it's a bit of challenge to actually work with them.
So if we look for instance, at the supply chain, we have the ISO 28,000 series of standards for how to build security management systems for the supply chain, best practices, requirements for different kinds of bodies who will audit those kind of systems and who will certify those kind of systems. And why are this relevant?
Well, if we're going to be embedding computing into products and we are going to be making those products part of the physical world around us, we need to have some kind of, you know, supply chain assurances, because those things are going to have, for instance, actions on, on physical level, like the brakes on an automotive vehicle, for instance, controlled by some closed loop sensor or some other standards in that area.
Some of them may be known also in the it domain because they have, they come from another older standard, the O TTPs, which is about the open trusted technology provider standard, which is basically to provide you protection against the counter five products and tainted products. But these are also relevant. We shouldn't actually exclude them from this discussion Standards also from N on again, on the supply chain risk management. And you can see now that I'm only touching three stakeholders in the value chain, but I'm starting to enumerate probably around eight standards so far.
And I haven't even mentioned the whole 27 K series on, on cyber security, other standards, which are relevant. There are standards from the manufacturing domain, so actually not manufacturing the fabrication domain. So the stakeholders who are fabricating circuits have done significant work in AC in developing standards to ensure that there's no TA painting and no countered of digital secrets boards and manufactured PCBs, and so on. And I'm not saying that these are directly, for instance, applicable in the context of it, I'm saying they're relevant.
And I'm saying they're probably good lessons there for anybody who is involved in an IOT product manufacturing position, finally again on the ISR level, also other standards from the supply chain. And I know I'm focusing a bit more here on the supply chain, but I will move out of it and give you also later on, hopefully an update from how the standards are developing and how the standards are responding actually to the fragmentation that I mentioned, Again, just a brief listing of the ISO standards, 27, 0 36 information security for supply relationships.
This is a multipart standard from part one from the overview concepts part two requirements, part three, you are the guidelines for supply chain security. And part four is basically the security of cloud services. And I'm not saying these are the only standards again for first and part for their additional standards for cloud security, which are relevant, but there's not enough time to actually go through them.
Now, There are some framework standards, which are relevant when I say framework standards or standards, which can help the organization in establishing what we, we refer to as the control framework and the governance framework around cybersecurity, which is these aspects covered. For instance, capability, maturity models, common terminologies, all the things that we need to get people speaking the same language, because that's one of the first impediments that we find in IOT. Exactly because we have a very diversified value chain.
You have product manufacturers, developers, service providers, integrators, application developers. So you all these people do not necessarily use the same parlance and do not necessarily attach the same meaning to the same words. Now we'd like to take a post and speak a little bit about the security situation in IOT. And why is it important looking first of all, at the, at the, the market situation, I think it's a common knowledge that right now there's an economic, as we say a market failure, because they're not economic incentives for cybersecurity.
And that's, for instance, we have seen some regulations like GDPR, which refers to privacy, but provides economic incentives for instance, to actually put privacy measures in place. The similar situation we have in cybersecurity, because simply put customers and people attach more value to utility and lesser value to cybersecurity and that's their priority right now.
The other problem is that even when we, when we have a secure product, because which is based on software, the security level of that product does not remain the same after it's released, because it's impossible to make perfectly perfect software it's or actually extremely costly. And therefore the discovery of new vulnerability means that the security level of a software depreciates with time, because there's always a probability that a new vulnerability will be discovered and discovered does not mean disclosure, necessarily somebody may discover a vulnerability and simply leverage it.
So that depreciates over time. And the other problem we have, which is more, more intense in IOT is that poor security practices result in a cost, which is external. So for instance, if somebody is making, if a product manufacturer in a specific version of their, for instance, IOT hub component has poor software. And that hub component is that compromised and assembled into a botnet. The manufacturer doesn't actually have any direct costs of that per security. It's somebody else who is paying the cost from the Dedos attack that that botnet will be used to launch, right?
That's the cost externalization factor. And finally, I think it was also mentioned by the first picker, this session, the human factor, the consumers who are using IOT products and services, do not necessarily have an awareness of, of security. Okay. And this is a problem in general because the more we use products, which rely on software, the more, and the more we that software reaches different aspects of life, the more, the more amount of the wider public we reach. And those people do not necessarily come from a computer science background, let alone a cybersecurity background.
So this is inevitable as a society becomes more digitized. So if I wanted to summarize this, what I've said so far, what would be the main points? First of all, scale IOT devices are easily expected to be low cost so that they can be, be produced in large number. And that's why it's important that we have some sufficient level of security for those devices, because otherwise the impact of low cybersecurity and those devices has, is multiplied by the scale at which they are distributed and deployed.
We don't have good incentives for engineering robot security at the device level economic incentives that I mentioned. And we have a low security awareness from the perspective of the human user, who will be using, for instance, a consumer ID device. There are also the fund underlying issues of economic incentives in the value chain, which I mentioned before. We have a market failure for security people pay for features first security later, that's the generally accepted reality. And finally, there's an aspect of practice.
If you look at all the reports of about security breaches and incidents, they all agree on one thing. Misconfiguration is the number one cause of security root cause of security incidents or breaches or anything. And misconfiguration is usually attributed to a human factor because there was a human in the loop and something was not configured properly. So this is the kind of, these are two main parameters of the problem we are facing.
One, one, we have scale on other one, we have poor incentives, not a good economic model. What can we do? One other thing we can do in which I will briefly explain how relevant standards take action in this space is for instance, to start leveraging and deploying some light white route of trust for IOT. And they are at least two or three different things that are being done in the space, the work of the trusted computing group on first of all, trusted platform modules, which are for more capable systems, but also for the thin profiles that they started working, for instance, for automotive TPM.
And for instance, the trust computing group is working on TPM for automotive. There's a, a thin profile, which is targeted to the more resource constrained components in a car. And there's a more capable profile, which is targeted to the more central components in the car. Like for instance, the T are called telematics box in the car and so on. And these approaches are, are, are directly aligned to the environment of I IOT, where we have products and that are constrained in resources.
And that's why we need thin profiles, another relevant approach in this direction, which is not TPM capable, but has as upset of the TPM features that enable you to build hardware, supported identities is the dice device identifier composition engine, which is also from TCG trusted computing group and allows you to build a hardware baked hardware, supported identity for constrained IOT devices with minimum hardware footprint. The other aspect where we can take action is that we should to develop standards that allows us to build infrastructure that can cope with different levels of details.
If you look for instance, at the I ETF dots, working group, what that working group is doing and where we participate, of course, as Hui, we are building standards that enable you to build a market for DDoS so that you can have market stakeholders, which go and request DDoS mitigation services. And then you can have DDoS mitigation providers, which actually offer those services when needed. And that allows you to build an efficient mechanism around the whole DDoS mitigation required.
Another aspect, which in my mind is one of the most important ones is standardization are the standards for firmware and for software updates, because at the end of the day, we, we don't, we can't build perfect software. It's going to be deployed with imperfect software. And unless we have a mechanisms to actually update things on the field, update their software, we are fighting a losing battle. And if you look here, there's a significant work, which is being done.
The automotive industry has worked and basically refined a version of the software update framework, which was used for Android into the so-called obtain framework, which has been now considered for the automotive industry as a, as a de factor standard for software updates. And also the ATF software update for internet of things, which is a new working group, is working on, on ratifying basically and defining what are the minimum information that I need for software update in IOT, which is very important in to be able to have updates of any software IOT device.
And finally, the other aspect will be into balancing stakeholders, initiatives. And that's where basically we can look into also other aspects of the developments that are coming into, for instance, law and regulation.
Recently, I mentioned those things before, but now I'm just putting in putting them on the slides for you. So if you're interested, you can go and see what DCG dies has done. And the TPM also in the economics area. I don't know if you have heard of units working party 29. This is a working party of an international organization, which is the focusing on the regulations of vehicles.
And one of the regulations which is coming for vehicles is that first of all, whoever's manufacturing them will have to have a cyber security will have to have a security management system, which is certified and pass some criteria. And the other thing with scamming is that the vehicles will be type approved for cybersecurity. So it doesn't get on the road. If it's not in some way, cyber security certified Anisa has done a lot of work. I'm a member of their working group on IOT security. We have published, we're close to publishing three reports because the last one has isn't out yet.
And they're all focusing on IOT security. So if you want to, you can go there and see also what recommendations and best practices are GSMA needs, CSA. Like they all have good materials on that one. And I will spend now a couple of minutes to talk to you about, to give you an overview of the latest developments that we have seen in the standards. So We're out of time, We're out of time. So you wanna stop or I can finish in one minute for this. Yeah. Just wrap it up Real quick.
No, no problem. So roughly a year ago in the UK, the, the CMS published 13 principles of good practice for cybersecurity. And later on, they were BA they were adopted in TSI in a technical specification, Ts 1 0 3, 6 45 cybersecurity for consumer IOT that now is being in the, in a new work item for TSI to, towards a new harmonized standard in Europe for consumer security, but that's work in progress. So it's not out yet.
And at the same time, we have some developments and publications from nest on securing small business and small it IOT devices, considerations for managing cybersecurity and privacy risks. And also from the GSMA, a series of I IOT security guidelines and all these are the latest updates from the standards. And I thank you for your patience and your time. Great. Thank you.
