Article source: IMechE
The public is often at more risk from industrial Internet of Things (IoT) issues than consumer devices, an expert has said, after the government announced new security measures.
Industrial regulations encouraging better cyber-security would be “great” to see after a review set out measures for so-called smart devices such as televisions, toys and speakers, said Graeme Wright, CTO for manufacturing, utilities and services at Fujitsu UK.
Steps outlined in the government policy paper include unique passwords for all new devices – not factory defaults such as ‘admin’ – automatic software updates and back-up plans for system outages. The measures are designed to protect against large-scale cyber-attacks.
Despite smart consumer devices’ place in the home, Wright told Professional Engineering that threats to industrial IoT devices such as automated factory machinery could pose a bigger security risk.
“Because the ‘things’ that industrial IoT devices are connected to, or are monitoring, are part of the Critical National Infrastructure or part of the supply chain for consumers and the general public, the risk of industrial IoT can often be higher,” he said.
“As this can increase the risk to both customers, consumers and businesses, it would be great to see regulations put in place which encourage organisations to take ownership over security.”
The IoT can bring “significant” productivity increases for businesses, he added, by enabling decisions informed by vast amounts of collected data. However, he said organisations must ensure this happens securely by considering entire systems to see how they can be attacked and manipulated, “for the good of their business and the nation.”
Several high-profile hacks and vulnerabilities threw industrial cyber-security into the spotlight last year. Potential risks include loss of production and injuries to workers, while the public face disruption to services and utilities.
The government’s new measures for consumer devices, developed in collaboration with the National Cyber Security Centre and manufacturers and contained in the Secure by Design review, aim to embed security during the design process rather than “bolt it on” as an afterthought.
Other steps include encrypting all sensitive data, making installation and maintenance easy, and introducing a “vulnerability policy” and public point of contact so security researchers and others can report and act on issues immediately.
Security experts would likely welcome similar measures for manufacturers, as some have previously criticised how companies’ slow approach to upgrading operating systems or replacing vulnerable equipment.
PE contacted the National Cyber Security Centre for comment on industrial IoT regulations.