For decades, industrial equipment and systems were, in a word, safe. They were manually monitored and managed by people and had no connection to the outside world or network. The only way to hack or sabotage the systems was to gain physical access to them.
The ever-accelerating pace of industrial digitalization is changing that. The worlds of IT and OT are converging, and as industrial equipment and systems connect to the internet, they also expose themselves to attacks.
“The world is changing,” said Siv Hilde Houmb, a senior advisor in digital security for the Norwegian grid operator Statnett. “From our perspective, that means that we might have to change the way that we’re identifying and prioritizing risk as well.”
One of the characteristics of the Fourth Industrial Revolution is the introduction of all sorts of new network-connected devices, also known as the Industrial Internet of Things (IIoT). Examples range from simple Bluetooth beacons that can be used to track locations to advanced robots.
The potential of this technology is immense. Imagine an industry where everything — from the largest installation down to the smallest component — feeds data to a central source, creating an opportunity to monitor and run operations from anywhere at any time.
For many people working in industry, such a highly digitalized future may sound like a dream — unless, of course, you work in cybersecurity.
More network-connected devices doesn’t just mean more opportunities. It also means more data to monitor for signs of suspicious activity and more potential vulnerabilities for malicious actors to exploit. And the consequences of a cyberattack that knocks out operational technology — the control system in a nuclear power plant, for example — could be fatal.
“Critical sectors such as energy are particularly vulnerable to such large-scale, high-impact cyberattacks,” said Georges DeMoura, who oversees the industry cybersecurity portfolio at the World Economic Forum. “A cyberattack on the electricity sector could generate devastating, cascading effects resulting in economic costs of large magnitude, industrial destruction, and potentially other severe consequences.”
How can industrial companies stay ahead in this changing landscape? Read on to learn what the experts have to say:
1: AI and ML
The good news is that emerging technology isn’t just giving cybersecurity experts more potential fires to put out. It’s also giving them new tools that could make their work more efficient and data-driven.
“AI — particularly machine learning — has a lot to offer,” said Andrew Kling, who leads the Industry Automation business unit in cybersecurity and system architecture at Schneider Electric. “With artificial intelligence, the ability to see patterns in this large amount of data, to be able to grab hold of it and see things in it that is very difficult for single humans to recognize represents potentially great advancements in how we interpret a lot of data down to how we even make individual decisions.”
Other experts, such as Khalid Al-Harbi, Chief Information Security Officer at Saudi Aramco, also pinpointed machine learning as one of the technologies they are exploring.
“With so much transaction and so much connectivity, it’s extremely difficult to look through all of this data generated to identify what constitutes malicious activity,” Al-Harbi said. “Fourth Industrial Revolution technologies such as machine learning and artificial intelligence to enhance the ability to detect and respond … are actually valuable for any organization that is pursuing transformation.”
A machine learning-powered cybersecurity tool could for example monitor patterns in the data, detect signs of malicious activity, and recommend actions based on how cybersecurity teams have handled similar situations in the past.
“I can see AI taking on those kind of roles in the future — not replacing, but assistants to humans to help make more intelligent decisions,” Kling said. He mentioned speeding up decision-making processes and onboarding new hires as two areas where machine learning may be able to help.
Read more: Data management (r)evolution in the age of AI and the citizen data scientist
2: Proactive investments
New threats require new solutions. In the realm of OT security, for example, a grid operator such as Statnett might need solutions that provide situational awareness that spans everything from sensors to substations.
“It’s a challenging picture,” Houmb said. “It would require tools and components that we don’t have today.”
Houmb said Statnett is in regular contact with vendors to discuss each other’s abilities and needs. This is an important point: As Industry 4.0 continues to come into focus, companies have an opportunity to shape technological development and ensure that security is baked into products and solutions from Day One.
Saudi Aramco, for example, is taking a proactive approach to Industry 4.0 technology with Saudi Aramco Energy Ventures, the company’s corporate venturing subsidiary. Al-Harbi said SAEV is actively looking to invest in companies that develop technologies that address across different domains, for example cybersecurity. Those technologies might include artificial intelligence or blockchain, he said.
Note: There is a difference between investing in and simply buying. Ron Brash, Director of Cyber Security Insights at Verve Industrial, said 2020 has created a rush of technology companies hoping to capitalize on the sudden need for remote operations. He encouraged industrial companies to select their technology providers with care to avoid a situation in which products are no longer receiving regular patches to fix vulnerabilities.
“Everyone and their grandmother is joining the market for industrial IoT-type devices,” Brash said. “Who knows if that company is going to be around in two years? … There’s a new set of emerging threats that’s being supercharged on the vulnerability front in a commoditized package that I think is going to become a new risk and a new threat to organizations sooner than later, if not the moment they bought that product.”
3: New business practices
The effects of Industry 4.0 on cybersecurity will be felt broadly, both through the new technology becoming available to industrial companies and through the opportunities and responsibilities presenting themselves to subject-matter experts.
“We’re still in the early days of the Fourth Industrial Revolution, and we still stand at a critical juncture to make decisions in putting place policies, governance architectures to enable the digital age and deliver and unlock its full potential for humankind globally,” DeMoura said. “The positive scenario for technology in a sustainable future for all will not emerge unguided. Purposeful and decisive action, collaboration and cooperation by organizations, investors, and governments alike will be critical.”
It can be difficult for companies to decide where to draw the line between encouraging free exploration of emerging technology and reining it in in the name of security. To maintain a strong focus on cybersecurity, some forward-looking companies are rethinking how they work.
In an attempt to get ahead of potential security issues, Saudi Aramco has developed a special framework for securing emerging technology. The framework involves evaluating the security implications of new technology at the use case development stage. If the solution ends up being scaled widely, the Saudi Aramco’s cybersecurity team will have already identified potential risks and ways to mitigate them.
“Right now with emerging technologies, organizations are not going to wait until the technology matures,” Al-Harbi said. “This [framework] will help us prepare if the solution becomes mass-deployed.”
Technology providers, too, are facing pressure to change how they operate. For some companies, the convergence of the IT and OT worlds represent an opportunity to rethink their business models and shift toward more performance-based services.
“It doesn’t end with an OEM like [Schneider] developing products or systems,” Kling said. “You have to deliver them, and you have to continuously maintain them in the field. And cybersecurity, I'm sorry, is not a destination — it’s a journey, and we’ll be on the journey forever.”