Increased connectivity, digitization, and application of the Industrial Internet of Things (IIoT) can make companies more vulnerable to new types of attacks.
Brenner offered three security recommendations for manufacturers:
1. Key operations technology (OT) controls must be isolated from public networks if they are to be reasonably secure.
Not all networks need to be segregated, only key aspects of OT controls, he said. He admitted there are differences of opinion about appropriate degrees of separation. “Taking control off the Internet does not mean taking it away from digital,” he said. “Not all functions need to be facing the public Internet. Some functions need to be locked up. There are lots of ways to figure out how to isolate.”
2. Governments should support a market for simpler, safer control technology.
In this world, complexity is the enemy and malware is easy to insert into the millions of lines of code. In addition, he said, general-purpose microchips and general-purpose controls are unsuitable for controlling sensitive OT. “If we are going to have simpler controls, there has to be a market for them—and it needs support from governments across the world,” he said.
3. Market incentives must be realigned for cybersecurity.
Retirement of legacy systems should be a priority. Brenner said governments should create tax incentives to accelerate the retirement of legacy systems. When it all comes down to it, he said, “The most difficult cybersecurity challenges are economic and political—not technological.”
He believes the main challenge in doing security research is to quantify network risk. There need to be more facts and figures; the inability to quantify risk impedes security.
“The biggest issue of risk is not the silicon-based element in the computers, it is the carbon-based unit in the chair,” Brenner said.
The industry has been working on security issues for 20 years and Brenner doesn’t feel there has been any real difference in risk.
“We have been facing the consequences of 20 years of wishful thinking,” he said.
“Cybersecurity is not getting any better. We have been walking backwards on cybersecurity for 20 years. Your security may be better, but we are not more secure. We have got to understand the fundamental problems are political and connected to national will. Now is the time to be clear-headed and honest with ourselves on the depth of the problem.”
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.