How the secure gateway could be a solution for IIoT security

December 5, 2019
Sierra Monitor

In previous articles, we dove head-first into the issue of IIoT security. We discussed why malicious actors would possibly want to hack an IIoT device and looked at the increasing sophistication and cooperation that we’re seeing from the cyberthreat ecosystem. Then, we talked about why that’s a problem for equipment manufacturers, in particular, and how new legislation could put pressure on them to address that challenge sooner rather than later.

While you can go back and read those IIoT security articles, what we effectively detailed was a convergence of factors that make the hacking of industrial and commercial equipment increasingly profitable to cybercriminals, resulting in an increased need to take the security of those devices more seriously. We then explained that equipment manufacturers are more focused on, and better equipped for, making an effective device than a secure one.

It wasn’t a shot at the hard-working equipment manufacturers and OEMs making incredible boilers, elevators and other industrial and commercial devices. I was simply speaking the truth. When someone’s experience and expertise are in making a boiler that’s better than any other at heating water, they’re most likely not an experienced cyberwarrior as well.

How can these equipment manufacturers, the incredible boilermakers, and elevator builders, and commercial refrigerator manufacturers, make their devices more secure when they’re not cybersecurity professionals?

Let’s first talk about how these IIoT security vulnerabilities are coming into being, and then we can look at how one of the tools creating these vulnerabilities can also help to eliminate them.

From individual device to susceptible system

Connecting commercial and industrial equipment isn’t a new concept. There has been a movement to make individual devices more connected and make them work together as a system instead of dedicated machines since the late 80s and early 90s. 

The early connected devices were just connected locally, within one physical location. This made them relatively low-security risks since you’d have to physically be onsite and interact with the device directly to make changes or cause problems.

That’s not the case anymore. Today, equipment owners want equipment manufacturers to connect devices to the cloud.

How can incredible boilermakers make their devices more secure when they’re not cybersecurity professionals? The same devices that they rely on to connect to the cloud could hold the key.

By connecting devices to each other and to the cloud, the equipment owners gain new and incredible capability and functionality. Now they can monitor the device or system of devices from anywhere. They can change settings on the devices or systems from anywhere. 

Now a problem with a piece of equipment is no longer a surprise, since the device is being monitored for red flags. A device that needs to have a setting changed or optimized no longer requires a dedicated trip to the worksite, plant or factory. The manufacturer can play a larger role in helping to optimize their installed equipment and provide proactive maintenance since they can monitor their installed devices remotely.

It’s this cloud connectivity that’s opening the door to these advanced capabilities. But while cloud connectivity holds that door open, it also creates a security vulnerability that allows malicious actors to sneak through, undetected.

To make these devices more connected in the first place, equipment manufacturers have traditionally turned to a particular tool: gateways. These gateways are platforms that can be integrated into devices, new and old, to make them talk to each other via a number of different protocols, the most widely known of which is BACnet.

Utilizing these gateways kept device manufacturers from having to bake connectivity into their devices, saving them time and money by effectively outsourcing something that wasn’t core to their business and expertise. Now, they’re turning to a new generation of these gateways to deliver cloud connectivity, as well. This makes the gateway the source of their security vulnerability, but it doesn’t have to be.

Not just a standard gateway – a secure gateway

As gateway providers increasingly incorporate cloud connectivity into their solutions, some are beginning to wake up to the vulnerabilities that they’re creating for their customers. Smart gateway providers are starting to take security seriously and work to ensure that the gateways that they provide, and the device cloud solutions that they offer, are secure.

It’s smart that equipment manufacturers turn to gateways and gateway providers to make their devices more connected. It outsources something that’s not in their wheelhouse. Introducing the cloud into the equation means that there’s now something else that manufacturers need to look for when they’re identifying which gateway solution to utilize.

When equipment manufacturers choose a gateway provider, they need to take time to ensure that security, and not just connectivity, is baked in. They need to know if they’re choosing a secure gateway, one with cybersecurity certifications and considerations incorporated, or if they’re choosing just some standard gateway solution.

To make that happen, here are three things that equipment manufacturers should be asking of gateway providers when doing discovery and due diligence:

Do they view security as an add-on, or as a core part of their solution?
Have they worked to get the proper security certifications for their products and solutions?
Have they worked to engage with testing firms and organizations that test equipment for cyber vulnerabilities to ensure that their devices are, in fact, secure?

If a gateway provider can answer confidently that security is baked into their solution, that they’ve pursued the proper cybersecurity certifications and that they’ve independently worked to have their solutions tested and approved by organizations that exist to find vulnerabilities in devices and applications, then an equipment manufacturer can feel good about implementing their solution. In that instance, they’re effectively outsourcing both the connectivity and the security of their devices to a company that is more qualified to handle it. 

If they can’t answer those questions confidently, there’s a good chance that their solution will outsource the connectivity part of an equipment manufacturer’s cloud conundrum – but will only function to create cybersecurity vulnerabilities for their customers in the future.

The threat of malicious actors hacking commercial and industrial equipment isn’t an imagined one. The future could very well see factories, office buildings, and other workplaces physically shut down and held for ransom if equipment manufacturers don’t start to take security seriously. Luckily, if manufacturers choose the correct gateway provider, they can effectively outsource connectivity and security, and ensure that their products are secure for their customers.

