‘Hijacking a device for adding to a botnet is a very serious threat’
Wijay Godbole, Vice President – Projects, Process Automation.
The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?
It is a serious threat. Comparing social networking platforms with an IoT network, the ills of social networks also apply to IoT. An IoT network has its equivalents of trolls, dormant profiles, observers, privileged communications et al. All this when devices get affected by malware. Hijacking a device for adding to a botnet is a very serious threat and has materialised multiple times all over the world. In the recent past, DDoS attacks have been launched through botnets of hijacked IoT devices. CCTV botnets, home router botnets and compromised web servers are examples of the seriousness of this threat. Going forward, we may also hear of smart TV botnets, connected refrigerator botnets, etc., being used for such attacks.
How can organisations address the issue of cyber attacks and IT Security in the age of connected plants?
Endpoint encryption and secure communication between dissimilar devices are some of the strategies that shall be implemented through a well-thought-out plan. Within a plant, there are numerous entry points or vulnerabilities. These are in package PLCs, control systems, skids, instrument shelters etc. Each must be meticulously identified and plugged. Open WiFi communications, unused ports on switches and unused ports on devices are examples of entry points. Each unit of a connected plant should be separately examined for vulnerability and the connected plant itself should be treated as a monolith that is to be secured. Whitelisting, blacklisting and check gates are some more implements that can strengthen IT security.
One major threat comes from the growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats?
Along with the growing population of IIoT devices, the vulnerability index of the network under consideration also increases. The tendency to incorporate/implement multiple functions in one device is also detrimental to the world of IIoT. When a user decides to implement an IIoT/Industry 4.0 solution in their works, the most important parameters for evaluation must be “Secure by design” and “Objective of design”. A device which is created with the idea of making it multi-functional requires supporting multiple interfaces and will be prone to attacks due to its openness. A device which is designed to perform specific tasks does not have to carry overheads of unrelated and un-required goals/objectives in its design. The design will then have limited interfaces. This objective of design approach helps make the device secure by design. This approach will help make the world of Cloud secure and keep the IIoT devices immune from exploitation. Users shall demand devices and Cloud services that are focused on specific domains instead of them being all-encompassing. A little extra money put in such services will save a lot of money going forward. When focusing on a limited number of communication wants, it is easy to make that communication secure and reliable.
A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are employees adequately trained?
A USB device is a vulnerability which can be exploited even by rookies. There are other more subtle and not too advertised ways like e-mail attachments, phishing, pharming sites, social networks etc. All of these target individuals and try to exploit human weaknesses. Employee training is an important activity to make employees aware of keeping themselves and the company safe. Any organisation that has a computer connected to the internet should take care of vulnerabilities on their end. If they don’t have the capability in-house, it must be outsourced to a reliable security partner. Remember, if you are not the target of an attack, you might well be an unwilling but completely unaware accomplice. You may realise it only when the sleuths are standing at your doorstep.
Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?
Risk taking is considered to be the prime mover of a business. Many successful businessmen will vouch for it. As far as cyber security is concerned, risk taking is tantamount to suicide. It is very simple to understand. If you don’t spend on vaccination of a newborn, you are risking their well-being and in many cases, their life. The same applies to IIoT implementation in your works. I suggest that those thirsty for risk shall take it in the same way as bungee jumping. The highest risk is, your weight is calculated less than actual and you hit the floor below or the rope snaps. But you don’t jump without a harness to enjoy the thrill of flying!
Is there an ideal solution that reaches a fine balance?
Consistent watchfulness, periodic recalibration of measures taken, keeping the antivirus up to date and the Operating Systems properly patched with due diligence are the important measures where there must be no compromise. Cyber-security must never be a subject of cost-reduction. The degree of severity and depth of implementation may vary based on an organisation’s exposure. Cyber security must be treated as a life saving measure and not as a ‘compliance tick mark’.
Wijay Godbole has about 30 years of industrial experience in various fields. His experience covers Process Automation (Oil & Gas, Petrochemicals, Power, Metals, Minerals), Factory Automation and Electronics manufacturing. His domain of expertise is Project Implementation and After-market Services. He has exhibited various skills in this domain to achieve total customer satisfaction. His specialisations include: Liaising between the design team and end user for product requirements and enhancements; Gainful interactions with all levels of hierarchy in EPC, Vendor and End User organisations; Training Centre management, Site management, Vendor management and development; Site management to ensure successful, timely completion of contracts; and Cyber-secure designs for DCS & Safety Systems.