Industrial control systems could become more vulnerable to cyberattack as they become more connected through the industrial internet of things

The IoT brings industry revolution and risk at the same time

Industrial control systems could become more vulnerable to cyberattack as they become more connected through the industrial internet of things
Industrial control systems could become more vulnerable to cyberattack as they become more connected through the industrial internet of things

The internet of things is enabling industry to connect individual robotic and automated work cells with other similar cells to create multicellular organisms within what could now be referred to as “smart factories”, particularly as the factory building itself can be connected to those multicellular organisms operating within its walls. 

Not only that, those smart factories can themselves be connected to other smart factories within the body of the industrial company’s entire estate, which itself is all wired up to what could be called a central nervous system.

Yes, industrial control systems are going through an evolutionary phase the like of which has never been seen before in industry, all brought about by the IoT. 

Some people call this new industrial revolution “Industry 4.0”, to denote the distinction between earlier industrial revolutions, starting with the one back in the 1700s. And revolutions usually bring risk. In the 1800s, it was the Luddites who vandalised the machines that put them out of work. Nowadays, it’s hackers who are the threat.

For along with this new, ubiquitous IoT connectivity across an entire company’s infrastructure comes the worries about security. If everything is connected to everything else, it can become difficult to prevent or detect external entities – cybercriminals – hacking their way into the network and manipulating or destroying something somewhere.

It’s a potential nightmare, and one that could have devastating consequences for companies which are hacked.

Who you gonna call? 

Prevention is better than cure, as they say. And whereas before, the security of an industrial estate might have involved security guards at the perimeter gates, now, security guards are needed on the information technology perimeter as well.

In this exclusive interview, we speak to Jalal Bouhdada, founder and principal industrial control systems security consultant at Applied Risk, which provides industry-standard engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of critical asset requirements.

Bouhdada has over 15 years’ experience in ICS security assessment, design and deployment with a focus on process control domain and industrial IT security. 

He has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission provider, water utilities, petro-chemical plants and oil refineries.

He holds a BSc degree in security assurance from Amsterdam University of Applied Sciences and is an active member of ISA99, CIGRE and other professional societies. 

Jala Bouhdada, Applied Risk
Jala Bouhdada, industrial control systems security consultant, Applied Risk

Question: Can you explain how Applied Risk works with software such as Copa-Data or NI? 

Jalal Bouhdada: Applied Risk works with a wide range of major suppliers in the market, and while we are familiar with NI software and other products, our main focus is on the cyber security of industrial control systems (ICS).

Our main focus is the early phase of a project’s development to help customers build a security system in the planning and design stages – we outline this process as define, design and execute.

Our offering consists of a wealth of security assurance services backed up many years of experience in operational technology environments.

As well as the security and compliance (IEC 62443) assessment and remediation services, Applied Risk’s labs provide a platform for vendors and asset owners to test and fix unknown vulnerabilities in their systems before they are discovered by malicious actors.

How does the industrial internet of things play into this and what is the difference in your work now that the IIoT is being integrated?

In order to unleash the power of IIoT, organisations need to ensure their infrastructure is ready for the transition.

The security aspect is key in this equation, as if this is not done properly, the availability and integrity of the asset can easily jeopardised.

Applied Risk helps customers understand how their business objectives can be achieved, while simultaneously maintaining the highest level of security and resilience.

Our risk and vulnerability assessment, embedded security and threat modelling services are now integrated in the selection process of many facilities in the choices of the protocols and technologies that they plan to deploy. 

Following Applied Risk’s visit to IoT Asia, what is the current state of IIoT in that part of the world?

The event was an excellent opportunity to discuss the trends in Asia, but most importantly to discover that IIoT is no longer a buzzword – it is an absolute reality.

It was evident at this event that companies unable to harness the power of IIoT and modify their business model will be left behind and will lose their market position in the near future.      

We had the chance to ask a number of vendors at the IoT Asia about the role of security in their product development and we were surprised to discover security was not taken into consideration as part of their products roadmap.

Overall, the industry is still focussing solely on the business benefits of IIoT, with security considerations inadequately addressed by the majority of suppliers. 

What are the risks behind unsecured IIoT systems, both for standard manufacturing and infrastructure?

Unfortunately, IIoT product security is still immature and requires significant attention.

The risks associated with IIoT will be unique as we move from isolated, insecure, air-gapped systems, to a more interconnected, insecure, and open infrastructure which leaves these systems exposed to various internal and external threat actors.

As a result of these risks, without significant investment in IIoT security, the reliability and safety of manufacturing and industrial facilities will be negatively affected.

Cybercrime as a service is becoming more accessible through the dark web – how is this affecting the importance of security within industrial areas?

This is a serious issue that we predict will increasingly affect industrial facilities.

Recently, the industry has already witnessed a number of incidents affecting industrial assets, such as hospitals and water treatment facilities, fall victim to attacks. 

The financial aspect, through increasing utilisation of ransomware, is becoming more attractive for criminals looking to maliciously acquire data from these facilities or aiming to achieve disruption of production.

It is just a matter of time until the hackers behind cyber-crime as a service will expand their offering to-day exploits dedicated to IIoT.