In our last article, I talked about the threat of cyberattacks facing OEMs and the equipment that they create. Ultimately, as commercial and industrial equipment becomes more essential to operations, as cyber threats grow increasingly sophisticated and as devices become more connected, there is a real need to think about the security posture of all equipment, from boilers to elevators.
Unfortunately, many OEMs don’t focus on the cybersecurity of their devices. Many believe it to be infeasible for an arbitrary piece of industrial equipment to be attacked. Others focus on improving and optimizing their equipment and don’t focus on security.
So, what can these OEMs do to ensure that their products are secure against cyberattacks?
Select technology partners that take security seriously
Small and medium-sized OEMs often can’t afford to employ teams of IT personnel. They operate lean and, unlike larger global OEMs, don’t have the budget for a staff of cloud experts, app developers and IT professionals to make their devices smarter, more connected and cloud-enabled.
For many of these OEMs, that task falls to technology solution providers and industry partners. Luckily for them, many of the solution providers and technology partners that they rely on to help make their equipment smarter and more connected are thinking about cybersecurity.
Security needs to be baked into every device. It needs to be taken into consideration from the very beginning. It’s not something that can simply be slapped on a product or solution after it’s been developed. The best solution providers and technology partners have built their solutions from the ground up with security in mind.
The responsibility falls on the OEM to ensure that any solution that they’re integrating into their devices, from cloud gateways to building automation gateways, is built to be secure.
But how can they tell?
One of the best ways is to look for industry certifications and third-party security testing.
Solution providers and technology partners that take security seriously will often submit their products and solutions to third-party companies for rigorous security testing. These companies exist to relentlessly hack, crack and compromise devices in an attempt to validate them as being secure against cyberattack.
For example, at Sierra Monitor, we’ve submitted our device cloud for testing by a third-party company called ProvenSec, an organization that specializes in cybersecurity assessments and vulnerability management. ProvenSec keeps its team up-to-date on the latest trends in hacking and security testing and assessment techniques so that they can accurately gauge how easy it is to access a system, or how difficult it is to hack an account.
Any OEM looking to partner with a technology solution provider, such as a cloud gateway provider, should ensure that they’re partnering with a company that tirelessly tests and retests its solution for cyberattack vulnerability. This includes submitting its solutions for third-party testing and certification.
But that’s still not enough.
Build high walls, but don’t rely on them alone to save you
Even if a solution provider or technology partner has baked security into their product and is rigorously testing it for vulnerabilities, it can still get hacked.
Today’s security threats are incredibly sophisticated and constantly evolving. Over time, malicious actors get better and adapt to security measures. It’s not enough to just build a high wall. These solution providers need to anticipate a breach and build fail-safes into their product that can help to mitigate the damage should a cyberattack be successful.
For example, does the product allow the OEM or end-user to “collar” certain variables or settings? In this scenario, the solution will deny anyone that gains access to controls of a piece of industrial or commercial equipment the ability to change settings to something that will make that device fail, break or become inoperable. With these measures built into the solution, the OEM and equipment owner are insulated from damage should a breach occur.
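As an added illustration (not Sierra Monitor's code or any product's API), here is one way a gateway could enforce collars on setpoint writes: deny by default, reject out-of-range values instead of silently clamping them, and log every decision. The point names, limits and the per-write step limit are assumptions made for the example, and the step limit goes beyond what the article describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Collar:
    low: float       # lowest value a write may set
    high: float      # highest value a write may set
    max_step: float  # largest change allowed in one write (assumption)

# Constructed point names and limits for a hypothetical boiler controller.
COLLARS = {
    "boiler.supply_temp_setpoint_c": Collar(40.0, 85.0, 5.0),
    "boiler.pump_speed_pct": Collar(20.0, 100.0, 25.0),
}

def check_write(point, requested, current, collars=COLLARS):
    """Return (allowed, reason). Deny by default and never clamp silently."""
    collar = collars.get(point)
    if collar is None:
        return False, "point is not writable"
    if isinstance(requested, bool) or not isinstance(requested, (int, float)):
        return False, "value is not numeric"
    # NaN and infinities also fail this comparison, so they are denied here.
    if not collar.low <= requested <= collar.high:
        return False, f"outside collar [{collar.low}, {collar.high}]"
    if current is not None and abs(requested - current) > collar.max_step:
        return False, f"change exceeds max step {collar.max_step}"
    return True, "ok"

def apply_writes(state, writes, audit):
    """Apply each (session, point, value) write that passes; log every decision."""
    for session, point, value in writes:
        allowed, reason = check_write(point, value, state.get(point))
        audit.append((session, point, value, "ALLOW" if allowed else "DENY", reason))
        if allowed:
            state[point] = float(value)
    return state

if __name__ == "__main__":
    state = {"boiler.supply_temp_setpoint_c": 70.0, "boiler.pump_speed_pct": 80.0}
    audit = []
    writes = [  # constructed sample writes
        ("session-a", "boiler.supply_temp_setpoint_c", 72.0),
        ("session-b", "boiler.supply_temp_setpoint_c", 140.0),
        ("session-b", "boiler.safety_valve_override", 1),
        ("session-b", "boiler.pump_speed_pct", 20.0),
    ]
    apply_writes(state, writes, audit)
    print(*audit, sep="\n")
```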
The concept of connecting devices to each other, to networks and to the cloud is a whole new world for many OEMs. For some, that place may seem dangerous and filled with threats. But it doesn’t have to be. By making smart decisions when selecting solution and technology providers, and partnering with those that take security seriously, OEMs can rest assured that their devices remain secure by effectively outsourcing security to those that know it better.