IT alone cannot secure the industry: the industry needs to secure itself
When it comes to IT security, there is no such thing as a small detail
Details are precisely where the bad guys find their way in: through those small things you did not care to check and secure. There are so many of those in industrial products. Too often, IT features & services are installed for convenience, while the IT security aspects are rarely considered. As a result, it is not unusual to find embedded websites running a version more than 10 years old and never patched, or remote service capabilities implemented in an overly simplistic way.
What is a detail for some is the golden key for others
Ignorance or incompetence? Judge for yourself, but don’t judge too hastily and, again, mind the context and the details. It took decades for IT to reach the level of awareness we have today and yet, successful attacks on pure IT architectures keep happening regularly.
The industry only adopted IT on the production floor some 15, not even 20, years ago. Under the marketing pressure of major manufacturers, factories migrated from multiple, unconnected serial “networks” towards integrated IT architectures. Under the promise of numerous benefits, the Industry 4.0 modernization process was unleashed. Industrial machines, and their components, inevitably became “connected”.
The OT context is quite different in the sense that, while we know the advantages of buying something new, we also know the benefits of staff experience and the rewards of repairing. In the industry, we are very proud to show systems, machines & controllers that still deliver, day after day, with little or no maintenance, for 10, 15, 20 or even 30 years, after the initial investment is paid back. In the industry, things are reliably built to last.
The illusion of a cyber-fence
It is very tempting to think that, if the problem comes from IT connectivity, IT will fix it by building a secure perimeter around the factory network, inside which OT can continue to use insecure protocols and obsolete platforms. Unfortunately, that is not the way it works: cyber threats can be imported, for instance by clicking on a link in an email, and production needs external connections, e.g. for the remote support & services of suppliers. History has shown that the concept of an IT island, isolated from the outside world, is an illusion, and we need to think differently. Since IT alone cannot secure the industry, the industry needs to secure itself. IT/OT integration should also be understood as IT security integration into OT workflows: IT security needs to become part of OT procedures and infuse OT workflows.
If it works, don’t fix it… Really?
That is no longer acceptable, of course, in a connected factory running integrated Industry 4.0 production, but the gap is huge between large organizations that have already integrated IT maintenance of their OT systems into their common practices and all the others, which sometimes use legacy and very insecure equipment.
IT security is thus not just about OT acquiring new competences; it is a complete change of paradigm: the way machines & components were acquired in the past, as a one-time investment, is no longer appropriate. They now come with a long-term IT service & maintenance assignment.
It doesn’t necessarily cost more to do things right
For an industry supplier, developing secure products & solutions does not necessarily cost more, but it surely calls for adopting a different mindset, from the very start of the R&D process. It requires developers and product managers to adopt an IT security mindset and to be aware of the impact of each R&D choice on the security of the future operator workflow.
Whether it is to secure legacy equipment, to secure the suppliers’ remote support & maintenance or industrial IoT services, we believe that, with our experience as long-time suppliers of the industry, we have an important role to play. We know the OT use cases, and we have the experience of adjusting to the operators’ workflows. That is precisely our specialty and the added value that we generate when we integrate IT security in our OT solutions.
At MB connect line, we see IT security first as a process, all through the product lifetime, and a structure, in the company. Only then do we see it as features in the product.
It is a process because it starts with the project of a new product, even before R&D kicks in, and it continues, with patches & updates, long after the product’s commercial end of life.
It is a structure, with our security response team and with our ecosystem of IT security partners, who help us in our product design & maintenance processes.
Finally, it is visible and invisible features in our products, many of them following the recommendations of cybersecurity agencies worldwide, like those you will discover in this new series day after day…