“The mass production car of today is available with lane assist and all the other great gadgets that we have. Many of these components that go into the production line will come with more lines of code than would have existed 10 years ago on the largest and most complex of e-commerce platforms.” – Charles White, IRM’s CEO
This brief quote from Charles White speaks volumes. Everyday products in Industry 4.0 have become so complex that there is no real testing or cyber security reference to those lines of code. This is because they are embedded in a product on a bill of material that goes straight into a production plant. Compared to 20 years ago, there are considerably more elements that need to be considered when engineering new products.
Sticking with the automotive theme, the most complex connected car built today will demand various cyber security decisions. Where is all the data stored? Is digitally-stored design intellectual property protected? Could the car’s safety be compromised? Recently, Huawei hit the headlines for claims of intellectual property theft from a 4G technology competitor. This is just one example highlighting the value of assets such as corporate technology and designs. Despite this, many engineers still struggle to apprehend the importance of such assets.
What are the consequences of cyber security threats?
Another important question to raise is the physical safety of modern engineering practices. Let’s consider a manufacturing plant using robotics to achieve production efficiency. What is the threat to worker safety? Imagine one of the systems used in production hasn’t been updated properly. This oversight leads to the production line being hacked and puts the workers at risk of getting injured. These types of incident genuinely occur. A cyber-attack on a petrochemical company in Saudi Arabia attempting to trigger an explosion is just one example from 2018.
So that’s engineering cyber security at an organisational level, but now let’s look at the product end of the spectrum, the “Internet of Things” (IoT). Your child’s ‘smart toy’ connected to Bluetooth or Wi-Fi can be hacked. The hacker could take over the voice control of the toy, potentially allowing a stranger to talk to your child. There are many IoT products available in the market including smart watches, webcams and baby monitors. The issue is that they have been rushed to market to meet customer demand without security consideration.
Is security a priority for manufacturers?
Maybe. Perhaps if we add in the impact on efficiency and production. If somebody hacks the production line and the process gets halted, products stop getting made. Sales are hindered whilst the issue is fixed. Your organisation’s reputation is damaged and your customers lose confidence in your products and services. The prospect of losing brand reputation and production efficiency – in addition to the safety concerns around connected products and operational technology – should be enough to make engineers prioritise cyber security.
How do engineering and cyber security approaches differ?
The typical engineering approach to operational technology is safety, then availability, integrity and security. In contrast, a cyber security consultant will approach matters with the CIA model (confidentiality, integrity and availability), with an overall consideration for safety.
Despite the differences, things are changing. Several regulations, pieces of legislation and security models have been introduced to the engineering realm to tackle threats. The most recent addition is a Code of Practice from the Department for Digital, Culture, Media & Sport. The guide advises IoT manufacturers on how to improve security. Why was the Code of Practice created? With over half of UK manufacturers reporting security incidents and 420 million IoT devices estimated to be in use by 2020, the guide is designed to ensure businesses strengthen cyber security at the design stage of their products.
The convergence of IT and OT is increasingly complex. The concept of introducing cyber security best practice into the operational technology realm is still being tested. We can, however, accelerate efforts to successfully combine the two. This will help to improve various elements of the security model and ultimately create a safer society.
If you’re interested in learning more about this topic, we invite you to join our 30-minute live webinar on Thursday 22nd November 2018 at 3:00pm (GMT). IRM’s Sales Director, Sean Arrowsmith, will be hosting the webinar which will delve into “Cyber Security Meets Engineering”. You can register for the webinar here.