Lloyd’s Register Foundation today launches its new report - Foresight review of
cyber security for the Industrial Internet of Things - highlighting an impending threat to critical infrastructure from cyberattacks, given the growing reliance on the Internet of Things (IoT).
The report specifically focuses on the inherent risks for Industrial IoT (IIoT), fast becoming a core part of critical global infrastructures, across sectors including energy, transport, the built environment and physical infrastructure, and manufacturing. Safety is particularly critical in IIoT environments, and so it is essential to understand how to deliver secure and resilient infrastructures. The IIoT also exacerbates security challenges that already exist. The report aims to prioritise action by identifying key emerging risks, and gaps in capability for which the current pace of change in operational cyber security will not be sufficient. In these environments, the consequences of failure can be systemic, and the report calls for the urgent adoption from the IIoT community of guiding principles to increase resilience to cyberattacks.
The report notes the differing perspectives of those responsible for managing risk within industry, which includes operations and board members, companies and regulators, procurement and cyber security teams, and provides a useful overview to increase cyber awareness for all.
The core finding of the report is that the current pace of change will not match the fast emergence of new security threats to IIoT environments. Current capabilities, the report points out, either do not scale, have not been tested or simply do not yet exist. The report additionally points to the approaching tipping point for recovering from cyberattacks, and the challenges for mindset, regulation and insurance that can build preventative security practices.
Whilst regulation, the requirements of cyber-insurance providers, and the adoption of a cyber security mindset within organisations could drive progress towards bridging operational capability gaps and developing risk controls that translate effectively into the IIoT, there are new, pressing challenges to confront.
The management of cyber security risk for traditional systems already faces many challenges. These include the sheer difficulty of trying to map the complicated relationships between technical and human systems, and the challenges of communication between different communities where the frameworks for understanding risk are fundamentally different. Many of these existing challenges will remain and be exacerbated, and new ones will arise, as risk-management approaches are translated into the IIoT, creating key capability gaps.
In addition to exploring these challenges as IIoT expands, the report expands on actionable findings including:
- Always consider harm consequences when planning how to manage risks
- Consider how security controls may fail as you increase use of IoT devices
- Use techniques that can provide you with a continuous assessment of your position (near real-time) as opposed to periodic assessments
- Consider how your supply-chains are using IoT: consider their failure to maintain cyber security as risk to your security risk management plans
- Invest in forensic readiness processes
- Include a consideration of future scenarios in your risk assessments
- Invest in training for staff on IoT standards and good practice
- Collaborate to establish a device interface protocol for sharing security monitoring information
Robert Hannigan, Executive Chairman International, BlueVoyant, and co-author of the report, said, “Over the last few years we have seen a rise in deliberate attacks aimed at critical infrastructures across the globe. As adoption of IoT in the industrial sector continues to grow, clear action and guidance is needed. Our report frames the context of IIoT, the imminent problems facing key infrastructure as they increasingly rely on connected systems, and possible solutions to safeguard against cyber incidents.”
Sadie Creese, Professor of Cyber security, Department of Computer Science, University of Oxford and co-author, added, “We need to build resilient infrastructures that guarantee security to the ever-expanding connected network of ‘things’. There is clearly an urgent need for further research to understand and evidence risk control performance; to explore liability models, practicalities and implications for IoT markets; and to develop international cooperation to build trust in the IIoT supply chain.”
Report authors
- Sadie Creese Professor of Cyber security, Department of Computer Science, University of Oxford.
- Robert Hannigan Chairman, BlueVoyant; Director of GCHQ 2014-17.
- Ali El Kaafarani Founder/CEO of PQShield.
- Louise Axon Post-Doctoral Research Associate, University of Oxford.
- Katherine Fletcher Project Manager, and Coordinator of Cyber Security Oxford network, University of Oxford.
- Arianna Schuler Scott Doctoral Researcher, University of Oxford.
- Marcel Stolz Doctoral Researcher, University of Oxford.
