In this spotlight edition* of The Security Ledger Podcast, Steve Hanna of Infineon joins us to talk about the growing risk of cyber attacks on industrial systems and critical infrastructure. “Industry 4.0” is poised to transform the global economy, Hanna said, but not if the issue of cyber risk can’t be managed. We talk about how that might be done and about the need for strong device identity and hardware-based roots of trust.
Just as the Mirai botnet illustrated the danger posed by insecure, low-value Internet of Things endpoints, the NotPetya wiper malware that appeared in June 2017 underscored how software attacks can cripple hard infrastructure such as manufacturing lines, ports, logistics hubs and more. How do industrial networks and endpoints get targeted by malicious actors, and why are they so vulnerable to software-based attacks? Our guest this week has some thoughts on the risks to industrial systems and some ideas on what it will take to improve the security of manufacturing, critical infrastructure and other sectors with heavy investment in industrial control hardware and software.
Steve Hanna is a senior principal at the chip maker Infineon and the co-chair of the Embedded Systems, IoT and Industrial Work Groups at the Trusted Computing Group. In this spotlight conversation, Steve and I talk about the evolving cyber risks to industrial control systems. Steve tells us that industrial control environments face a wide range of challenges when it comes to cyber security, including both targeted and indiscriminate malware attacks that prey on the outdated and insecure hardware and software common in industrial settings. Industrial firms often have difficulty implementing common security practices such as patching, especially when continuity of service is paramount.
In this conversation, Steve and I talk about the state of industrial IoT security and what it will take to make the industrial IoT resilient to attack. “Industrial IoT or Industry 4.0 is happening now. It’s going to continue to happen. It’s our job as security people to tell people how they can do it safely,” Hanna told me.
You should also listen to: Podcast Episode 87: Vulnerability Reports Down the Memory Hole in China and the Groups Hacking ICS
But the Industrial IoT isn’t a candidate for, say, anti-virus software. Rather, security will have to be built into industrial systems and controllers, ideally in hardware, so that important data can’t be lost to cyber attacks. That isn’t to say that hardware-based security is a cure-all. “There are always bugs and vulnerabilities that need to be patched,” Hanna said. Industrial firms need tools to help them patch and update connected industrial control software, but a strong identity foundation is paramount. “The hardware can help with that – to verify that the patches are in place and that the endpoints are trusted and trustworthy.”
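To make concrete what “the hardware can help … verify that the patches are in place and that the endpoints are trusted” looks like in practice, here is an added illustration that is not from the podcast, from Infineon, or from the Trusted Computing Group. It simulates a TPM-style measured boot and remote attestation in plain Python: the device extends a PCR with a hash of each boot component, then returns a quote over a verifier-supplied nonce and the PCR, authenticated with a per-device key. The verifier accepts the endpoint only if its identity is registered, the nonce is fresh, the quote is authentic, and the PCR matches a reference value computed from the approved (patched) component set. Device IDs, key material, and the component images are all constructed sample data; an HMAC key stands in for a real TPM attestation key pair so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical, not from the page).
# A per-device attestation key is assumed to be provisioned into the hardware
# root of trust at manufacture. An HMAC key stands in for a TPM attestation
# key pair so that the example runs with the standard library only.
DEVICE_KEYS = {
    "plc-0001": bytes.fromhex("7f" * 32),
}

# Stand-ins for firmware images measured at boot (hashed as if they were blobs).
COMPONENTS_PATCHED = [b"bootloader-v2.1", b"firmware-v3.4-patched", b"plc-app-v1.9"]
COMPONENTS_UNPATCHED = [b"bootloader-v2.1", b"firmware-v3.3", b"plc-app-v1.9"]


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = H(old_pcr || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components):
    """Measure every boot component into a single PCR; also return the event log."""
    pcr = b"\x00" * 32  # PCRs start zeroed at reset
    log = []
    for component in components:
        log.append(hashlib.sha256(component).digest())
        pcr = extend(pcr, component)
    return pcr, log


def quote(device_id: str, key: bytes, pcr: bytes, nonce: bytes) -> dict:
    """Device side: authenticate (nonce || PCR) with the hardware-held key."""
    mac = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    return {"device_id": device_id, "nonce": nonce, "pcr": pcr, "mac": mac}


class Verifier:
    """Plant-side attestation service: knows device identities and approved builds."""

    def __init__(self, device_keys, approved_builds):
        self.device_keys = device_keys
        # Reference PCR per approved configuration, e.g. the current patch level.
        self.known_good = {
            measured_boot(components)[0]: name
            for name, components in approved_builds.items()
        }
        self.outstanding = {}  # device_id -> nonce issued, consumed on verify

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, q: dict):
        """Return (accepted, reason). Each check fails closed."""
        key = self.device_keys.get(q["device_id"])
        if key is None:
            return False, "unknown device identity"
        nonce = self.outstanding.pop(q["device_id"], None)
        if nonce is None or not hmac.compare_digest(nonce, q["nonce"]):
            return False, "stale or unexpected nonce (possible replay)"
        expected = hmac.new(key, q["nonce"] + q["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["mac"]):
            return False, "quote not authenticated by the device key"
        build = self.known_good.get(q["pcr"])
        if build is None:
            return False, "measurements do not match any approved patch level"
        return True, f"trusted endpoint running {build}"


def attest(verifier: Verifier, device_id: str, key: bytes, components):
    """Full exchange: challenge -> measured boot -> quote -> verdict."""
    nonce = verifier.challenge(device_id)
    pcr, _log = measured_boot(components)
    return verifier.verify(quote(device_id, key, pcr, nonce))


if __name__ == "__main__":
    v = Verifier(DEVICE_KEYS, {"firmware-v3.4": COMPONENTS_PATCHED})
    print(attest(v, "plc-0001", DEVICE_KEYS["plc-0001"], COMPONENTS_PATCHED))
    print(attest(v, "plc-0001", DEVICE_KEYS["plc-0001"], COMPONENTS_UNPATCHED))
    print(attest(v, "plc-9999", b"\x11" * 32, COMPONENTS_PATCHED))
```

The order of the checks matters: identity first, then freshness, then authenticity, then policy. A device that is simply unpatched fails the last check, which is exactly the “are the patches in place” question; an attacker replaying an old good quote fails on the nonce; and a device that is not in the registry never gets as far as having its measurements considered. In a real deployment the HMAC key would be an asymmetric attestation key certified by the manufacturer, and the reference PCR values would be published alongside each firmware release.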
For those interested in making industrial systems secure, Hanna and I talk about established and emerging standards for industrial devices, including IEC 62443, which lays out different levels of device risk and the types of security needed for each. The Trusted Computing Group has also published a range of guidance for securing connected industrial systems.
(*) The Trusted Computing Group is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.