In our last article, we took a detailed look at the rise of ransomware and talked about the current cybersecurity threat landscape. We also discussed the Industrial Internet of Things (IIoT) and talked about whether connected industrial and commercial equipment is really a cybersecurity threat.
We concluded that the potential benefit to cybercriminals was too high to simply ignore connected equipment as a target, or as a potential entryway into networks.
The fact is, commercial and industrial equipment is necessary for companies to operate and employees to do their jobs. Bringing equipment to a stop can have significant ramifications on a company, making it very profitable to hold equipment for ransom. At the same time, lateral movement across a network from a connected device or system can also lead to the theft of sensitive data and other breaches.
Now that we’ve established that IIoT security is a real problem, let’s talk about why it’s a hard one for OEMs to solve.
More boilermaker, less cyber warrior
When you’re looking to build a great boiler, you’re looking to create a device that heats water as efficiently and effectively as possible. A good boiler, a real top-notch piece of equipment, will require the least amount of energy possible to take water up a single degree. That’s what boiler companies are completely focused on. The same thing can be said about HVAC companies. And refrigeration companies. And elevator companies. And wastewater centrifuge companies. Companies in these market segments and industries are focused on making their devices the best and most effective at their jobs. They’re looking to increase efficiency, make them more effective and make the jobs of the owners and operators of their equipment easier.
The individuals that are designing and building these devices understand the physics and calculus of cooling a room, boiling water or getting people up a story in a building without them having to take the stairs. But their industry and solutions are changing.
If you go back just ten years, maybe these devices had a small microprocessor installed in them to make them smarter and easier to operate. That device and the primitive computer in it had a security perimeter that encompassed the physical area around it, or the building that it was in. But that’s not the case anymore.
As customers began to demand smarter, more connected devices, these companies found themselves forced to keep up with the demand or risk falling behind. Today, everything is connected and that equipment is so much smarter. The power and capability of the equipment is greater because of that connectivity, but it’s also more vulnerable.
Unfortunately, the companies making that equipment are thinking more about the capabilities that they can bake into their equipment than the vulnerabilities they create. IIoT security is an afterthought.
Worse, they’re not really a computer company or an IT company. They’re old school manufacturing companies. They know boilers. They know elevators. They know the most minute detail about their equipment from a mechanical standpoint. They’re rock stars at boiling water. But they’re not cyber warriors.
While these equipment manufacturers are checking off the “connectivity” box because their customers demand it, they’re creating IIoT security vulnerabilities that they’re not thinking about or prepared to handle. They’re just putting an Ethernet port on their controller and opening a cybersecurity black hole. But they’re not ready for the bad things that could come through it.
That’s about to become a real problem because the government is about to up the ante on IIoT security.
Legislation about device fortification
The federal government, particularly the military, is a major customer for device manufacturers. Just think about every piece of equipment that the government buys and installs in all of its federal office buildings, military bases and facilities.
It could soon become impossible for OEMs to sell their devices to this very important customer if they’re not taking their device security seriously.
Senate Bill 734, the Internet of Things Cybersecurity Improvement Act of 2019, was introduced in the Senate in March of this year. Its fate is still undetermined since the full Senate has yet to vote on it. However, there is companion legislation in the House of Representatives and both bills, the Senate and House bills, have bipartisan support.
This legislation would require the National Institute of Standards and Technology to, “…develop recommendations for the appropriate use and management of IoT devices owned or controlled by the government, including minimum information security requirements for managing cybersecurity risks” by March of 2020. The legislation would also require the Office of Management and Budget to, “…issue guidelines for each agency that are consistent with such recommendations.”
The point of the legislation is to ultimately create cybersecurity standards that IoT device manufacturers must follow if they’re going to sell to the federal government. Common sense would dictate that those same rules would apply to other connected devices, including IIoT devices.
That means that a very lucrative and large market could close to the equipment manufacturers that make connected devices with no thought to their security. Lost opportunities to sell to the federal government are just one negative side effect of forsaking security considerations on connected IIoT devices. Starting in 2020, companies could become liable for damages in California if their insecure IIoT device results in harm to its owner or operator.
California Senate Bill No. 327, which was passed in August of 2018 and signed into law by Governor Jerry Brown, requires that all IoT device manufacturers, “…shall equip the device with a reasonable security feature or features.” That mandate will take effect on January 1, 2020.
While California may be the first state to pass such legislation, it isn’t likely to be the last. Privacy concerns have followed closely behind as “smart homes” and other connected devices have made their way into the living rooms of average Americans. These calls for privacy and security legislation have only been amplified as stories about devices eavesdropping on their owners have popped up in the news.
People and companies are increasingly understanding the importance of security. And they’re beginning to demand that the companies making smart and connected devices take their privacy and security seriously. In this environment, it’s only a matter of time before “securing smart devices” bills make their way into every statehouse across America. That’s when OEMs are going to really have to get their acts together on security.
In our next article, I’ll take a detailed look at some of the ways that device manufacturers can easily embrace a more secure approach to connected devices.