The takedown of one quarter of Ukraine's power grid in December 2015 is still a recent memory. At least 30 of the country's 135 power substations were knocked out for nearly six hours, and cybersecurity firms reported that the attack occurred in two stages. Initially, hackers used malware to direct utilities' industrial control computers to disconnect the substations. Next, they inserted a wiper virus that made the computers inoperable. This is everybody's nightmare, because cyber attacks that can disrupt power grids can also wreak havoc on manufacturing plants and electronics in homes, hospitals, and businesses.
Gartner has projected that 26 billion Internet of Things (IoT) devices will be installed by 2020, and in the consumer community, security firms like Kaspersky already report hacks of smart homes and carwashes. Meanwhile, Wind River, a producer of embedded software for intelligent connected systems, warns that there is no consensus on how to implement security in IoT at the device level. This is a risk that electronics companies must face.
The risk is further heightened because many of these IoT devices, and other “smart” sensors that are connected to freight containers, facility alarms, data centers, HVAC environmental monitoring equipment, hospital operating rooms, etc., contain embedded software, which is not consistently tested or upgraded, and which certainly needs more work done if it is to become more resistant to hacks and other security threats.
In both the consumer and the business markets, if a hack or other security breach occurs with IoT and it results in damages that bring a lawsuit, the lawsuit could be filed against the electronics retailer, the electronics manufacturer and/or the suppliers of the manufacturer if a vulnerable sub-component from a supplier is involved. In short, everyone in the transaction's chain of commerce is potentially liable. This is a risk that liability insurance companies are also aware of, and that could boost liability insurance premiums for electronics companies.
On the inside of electronics manufacturing operations, there are also risks of hacks that disrupt production in the same way that 25% of Ukraine's power grid was brought down. These risks threaten profitability as well as operational and employee safety.
What steps can electronics companies take to prepare for or to mitigate these IoT security risks?
- Step #1: Plan for liability insurance premium increases. IoT is a great profit opportunity, but it will also bring increases in operating expenses. The liability insurance premiums that you factor into your overhead will be one of these areas of increase, so premium costs shouldn't be overlooked when you plan your budget.
- Step #2: Meet with your insurer to discuss best practices. Insurance companies don't want to see their losses go up, so they spend dollars and time on research to develop best practices that they can pass on to their clients. The hope is that clients will implement some of these suggestions, thereby reducing their risk of loss. A sit-down meeting with your insurer to discuss methods they recommend for preventing and mitigating IoT security risks is worth pursuing.
- Step #3: Identify your IoT exposure points for hacks and breaches. Whether your primary exposures are in the smart products that you sell to others or within the robotics and machine entry points in your own plants, it makes sense to either perform an internal audit or to seek outside audit help to identify the most likely spots for IoT break-ins—and then plug them up.
- Step #4: Beef up your facility monitoring and alert systems. Whether it's sensors on doors, cameras and alarm systems or environmental systems throughout the plant, IoT devices should be regularly inspected on a physical basis and they should continuously be monitored and logged.
- Step #5: Establish and practice failover procedures. Disaster recovery and mitigation plans should be updated so they address the IoT security threat. Make sure to test the plan and train those involved about their roles. The best plan is only as good as its implementation.
- Step #6: Screen your people. Social engineering audits, a form of testing and reviewing corporate security practices along with employee conformance to them, are absolutely booming. Why? Because employee sabotage is growing. There is no reason to believe that inside incidents won't occur with IoT as much as they already do with systems and data.
Let us know how your organization is contending with the looming security issues presented by IoT in the comments section below.