As we move further into the era of Internet of Things (IoT) and hyperconnectivity, the potential that technology offers is becoming clearer—whether it’s by adding a level of convenience or the opportunities presented to develop smarter, more streamlined processes for a variety of tasks.
Lying under the surface, though, is an issue that does not yet have an answer—how to protect hyperconnected IoT devices and the information they hold, particularly from those with the skills to leverage that information. These devices are linked to one another via a network connection—allowing them to communicate with one another, so an attacker could enter via one device and access others—and are easy for humans to interface with.
The ramifications of what a skilled attacker could disrupt by targeting, for instance, a hyperconnected IoT machine that is a part of a manufacturing facility highlights that danger.
“Think about automation. People are being put off and…robots are taking over. It’s code. You can re-code anything,” says Maurice Dawson, assistant professor of information technology and management in Illinois Tech’s School of Applied Technology. “It’s very frightening.”
Dawson, the director of Illinois Tech’s Center for Cyber Security and Forensics Education, has long researched cybersecurity issues, particularly in IoT. Recently, he looked at the security issues facing manufacturers as they enter what is referred to as Industry 4.0, or utilizing an automated, hyperconnected system to more efficiently produce goods.
His paper “Cyber Security in Industry 4.0: The Pitfalls of Having Hyperconnected Systems” showcases the potential issues manufacturers face by working in an environment where, on one hand, they can quickly and efficiently produce goods while, on the other, leave themselves open to a variety of potential threats.
“The manufacturing floor could serve as a place that allows an attacker not only to gather critical data from devices but inflict damage of any of the products being produced,” Dawson writes in the paper, featured in the Journal of Strategic Management Studies.
Among other concerns, Dawson says, is that some manufacturers are utilizing operating systems that are generations out of date (for example, Windows 98) and haven’t been updated, making them more susceptible to victimization. Piling on to that, he says, is that many of these manufacturers don’t have the staff to help guard against attacks.
“You are exploiting the network of a large organization. It’s things like that that become a big issue,” Dawson says. “We don’t think of things like that. We have faith that the organization is going to do its best.”
Data supports that manufacturers are at risk. An article published in a special report in February for London’s The Times and The Sunday Times, “Manufacturing cyberattacks could cripple the UK,” said that a report from the United Kingdom’s manufacturers’ association and insurer AIG found nearly 50 percent of that country’s manufacturers had dealt with cyberattacks. Of those attacks, a quarter resulted in financial or business losses. Furthermore, 45 percent of those manufacturers said they were not confident they had the tools to protect themselves.
In the same article, Dawson explained how those attacks, when carried out in a hyperconnected system, drive home just how widespread the fallout could be.
“Imagine a large [organization] like Monsanto. A determined hacker has the ability to go in and change the makeup of the seed,” he says in the Times article. “They could make the seed life shorter. If you’re planning for a harvest, the seeds fail. Now we have an issue of a food shortage. Or alternatively, the hacker can insert additives or ingredients to spark allergies or create reactions.”
In his paper, Dawson discusses the need to develop a certified and accredited process for manufacturers to protect these hyperconnected systems to ensure they are “routinely checked and meet stringent initial cyber security controls.” He suggests using the National Institute of Standards and Technology’s Risk Management Framework—a set of guidelines for how to secure data systems—as its baseline.
“The process should include annual security checks to review compliance and reporting to a third party for compliance that does not have ties to the organization,” Dawson writes.
But, if nothing is done, Dawson remains steadfast in the dangers that await. Take, for instance, his example of an attacker, a nation-state or otherwise, that targets a seed in development. A food shortage is one outcome; another is that the attacker could make the victim nation-state reliant on them for food or supplies, altering how well its government functions.
“You don’t need nuclear bombs anymore,” he says. “If I can hit you financially, you need me.”