The Internet of Things (IoT) – currently the source of so much hype in the world of IT – is now also impacting businesses and energy suppliers. Nonetheless, today’s cyber threats constitute a major challenge for IoT projects. Furthermore, the various solutions and components involved require quite different levels of protection. It therefore makes sense to get informed about the different risks and critical vulnerabilities. Read on to find out what specific action you can take ...
The energy supply industry is in many ways a model of good practice with regard to safety and system availability. With the Internet of Things, however, industry solutions are moving – in all sorts of areas – towards an “operational technology” (OT) scenario, one in which critical systems are no longer adequately insulated from each other. While IoT is not new, the possibilities it now offers are more tempting than ever and offer opportunities for future business success. This is clearly demonstrated by some IoT projects that have already been implemented here in Switzerland. In one such project, for example, intelligent systems control a suite of hot-water boilers for the supply of balancing energy. In this case, systems are used to automate entire meter-to-cash processes, while complex smart grid components take over critical functions in the power grid. In such instances it’s important to protect not just the integrity and availability of individual systems but also the data. For some time now, the business case for IoT systems has derived not only from the ability to automate processes but also from the opportunities they bring for customising and personalising energy products and associated services. However, if suppliers are to retain consumers’ confidence, they will need to take the protection of their personal data seriously. This is all the more true because of the way in which data is processed in the cloud and transferred via unreliable networks between objects, people and services. The security requirements of IoT projects therefore involve competencies from the worlds of both IT and OT.
At which stage of development and in respect of which activities should these security requirements be tackled in IoT systems? While IoT projects no longer involve complex science, they do display certain special features. For example, security by design is the current mantra in the security industry. In reality, however, from an innovation point of view, it's a principle that can only be applied in respect of critical projects or IoT-specific requirements. In order to assess the security requirements of an IoT project, the first step is to undertake an appropriate risk analysis. This will involve considering the impacts of potential incidents in the context of IoT system deployment and use cases. The following questions should be considered:
On this basis, you can undertake an initial assessment of how critical the impacts would be and identify an appropriate way forward. This could mean that security by design is indeed an absolute necessity or alternatively could require individual security measures to be implemented first of all. In IoT projects involving a heightened need for security, the next phase should be to identify the likelihood of incidents and define the resulting priorities. This can be done by evaluating the potential organisational and technical vulnerabilities both in the overall system and in respect of the individual components.
In the next stage, you should investigate and test both your IT security set-up and the physical robustness of the components in use. Additionally, however, you should consider the communication between those components, the central data processing systems, and the interaction between users and operators. Also important is the need to test the overall structure in conjunction with the related processes.
For these tests, a variety of methods can be used depending on the issues involved, including:
In practice, applications are often an easy target for attackers. The majority of IoT applications rely on open source software, third-party components and software developed in house. In addition, they are often exposed, making the applications particularly vulnerable. An application test based on the OWASP IoT Top 10 vulnerability categories can be a useful tool for identifying vulnerable areas. Security testing can and should be carried out in every phase of IoT solution development. In this context it can be helpful to work with test automation, which can help you avoid new or recurrent errors as you continue to develop your application.
To fulfil the specific security requirements of IoT projects, we would recommend an analysis based on realistic risk scenarios. These will help you to gain a better understanding to inform your security efforts and to create conditions of transparency and trust. In addition, you can use these scenarios later on for the modelling of threats during testing. This will build greater awareness in the project and help you to continually tackle vulnerabilities. To eradicate these, it’s also vital to design a stable, encrypted and authenticated update system.
Our specialists are convinced that establishing cybersecurity in the rapidly growing Internet of Things and Industry 4.0 requires a systematic and holistic approach. We will show you how to do this successfully in our free whitepaper with 5 simple steps. We have developed the ultimate IoT & Industry 4.0 Security Barometer specifically for you. Are you ready? Download now and receive free valuable expert tips!
The article appeared in the 2-2016 edition of EnergieRundschau magazine. Read the entire article here!