In previous articles on the Modern Equipment Manufacturer, I dove head-first into the issue of IIoT security. I talked about why malicious actors would possibly want to hack an IIoT device and looked at the increasing sophistication and cooperation that we’re seeing from the cyberthreat ecosystem. Then, I talked about why that’s a problem for equipment manufacturers, in particular, and how new legislation could put pressure on them to address that challenge sooner rather than later.
While I suggest that you go back and read those IIoT security articles, what I effectively detailed was a convergence of factors that make the hacking of industrial and commercial equipment increasingly profitable to cybercriminals, resulting in an increased need to take the security of those devices more seriously. I then explained that equipment manufacturers are more focused on, and better equipped for, making an effective device than a secure one.
And I wasn’t taking a shot at the hard-working equipment manufacturers and OEMs making incredible boilers, elevators and other industrial and commercial devices – I was simply speaking the truth. When someone’s experience and expertise are in making a boiler that’s better than any other at heating water, they’re most likely not an experienced cyberwarrior as well.
So, how can these equipment manufacturers – the incredible boilermakers, and elevator builders, and commercial refrigerator manufacturers – make their devices more secure when they’re not cybersecurity professionals?
Let’s first talk about how these IIoT security vulnerabilities are coming into being, and then we can look at how one of the tools creating these vulnerabilities can also help to eliminate them.
From individual device to susceptible system
Connecting commercial and industrial equipment isn’t a new concept. There has been a movement to make individual devices more connected and to make them work together as a system instead of dedicated, individual machines since the late 80s and early 90s.
However, the early, connected devices were just connected locally, within one physical location. This made them relatively low security risks since you’d have to physically be onsite and interacting with the device directly to make changes or cause problems.
That’s not the case anymore. As my associates have discussed extensively on this very publication, it’s no longer enough to simply have devices connected locally. Today, equipment owners want equipment manufacturers to connect devices to the cloud.
By connecting devices to each other and to the cloud, equipment owners gain new and incredible capability and functionality.
Now, they can monitor the device or system of devices from anywhere. They can make changes to the settings on the devices or systems from anywhere. Now, a problem with a piece of equipment is no longer a surprise since the device is being monitored for red flags. A piece of equipment that needs to have a setting changed or optimized no longer requires a dedicated trip to the worksite, plant or factory. And the manufacturer can play a larger role in helping to optimize their installed equipment and provide proactive maintenance since they can monitor their installed devices remotely.
It’s this cloud connectivity that’s opening the door to these advanced capabilities. But the door that cloud connectivity holds open is also a security vulnerability that malicious actors can sneak through, undetected.
To make these devices more connected in the first place, equipment manufacturers have traditionally turned to a particular tool – gateways. These gateways are platforms that can be integrated into devices – new and old – to make them talk to each other via a number of different protocols – the most widely known of which is BACnet.
Utilizing these gateways kept device manufacturers from having to bake connectivity into their devices – saving them time and money by effectively outsourcing something that wasn’t core to their business and expertise. And now, they’re turning to a new generation of these gateways to deliver cloud connectivity, as well. This makes the gateway the source of their security vulnerability, but it doesn’t have to be.
Not just a standard gateway – a secure gateway
As gateway providers are increasingly incorporating cloud connectivity into their solutions, some are starting to wake up to the vulnerabilities that they’re creating for their customers. Smart gateway providers are starting to take security seriously and work to ensure that the gateways that they provide – and the device cloud solutions that they offer – are secure.
It’s smart that equipment manufacturers turn to gateways and gateway providers to make their devices more connected. It outsources something that’s not in their wheelhouse. But introducing the cloud into the equation means that there’s now something else that manufacturers need to look for when they’re identifying WHICH gateway solution to utilize.
Equipment manufacturers need to take the time in the vetting and due diligence phase when choosing a gateway provider to ensure that security – and not just connectivity – is baked in. They need to know if they’re choosing a secure gateway – one with cybersecurity certifications and considerations incorporated – or if they’re choosing just some standard gateway solution.
To make that happen, here are three things that equipment manufacturers should be asking of gateway providers when doing discovery and due diligence:
- Do they view security as an add-on, or as a core part of their solution?
- Have they worked to get the proper security certifications for their products and solutions?
- Have they worked to engage with testing firms and organizations that test equipment for cyber vulnerabilities to ensure that their devices are, in fact, secure?
If a gateway provider can answer confidently that security is baked into their solution, that they’ve pursued the proper cybersecurity certifications and that they’ve independently worked to have their solutions tested and approved by organizations that exist to find vulnerabilities in devices and applications, then an equipment manufacturer can feel good about implementing their solution. In that instance, they’re effectively outsourcing both the connectivity AND THE SECURITY of their devices to a company that is more qualified to handle it.
If they can’t answer those questions confidently, then there’s a good chance that their solution will serve to outsource the connectivity part of an equipment manufacturer’s cloud conundrum – but will only function to create cybersecurity vulnerabilities for their customers in the future.
The threat of malicious actors hacking commercial and industrial equipment isn’t an imagined one. The future could very well see factories, office buildings and other workplaces physically shut down and held for ransom if equipment manufacturers don’t start to take security seriously. Luckily, if manufacturers choose the correct gateway provider, they can effectively outsource connectivity and security, and ensure that their products are secure for their customers.