The big picture: Smart devices have become ubiquitous throughout society, providing greater convenience and efficiency to consumers and businesses. Unfortunately, the occurrence of criminals exploiting device vulnerabilities to steal data, install ransomware and stage costly cyber attacks has become equally pervasive.
Why it matters: Cyber attacks can have severe consequences for manufacturers — among them, loss of IP, increased health and safety risks, data leakage, malware distribution, and impacts to service delivery.
Take the next step: Manufacturers of smart devices face significant cyber risk exposure on two fronts – the products they make and the technologies used in the production process. By performing pen tests on products and identifying weaknesses in IoT systems, manufacturers will understand their current cybersecurity threat status and identify the steps needed to shore up their defenses.
In just a few short years, smart devices have become ubiquitous throughout society, providing greater convenience and efficiency to consumers and businesses alike. Unfortunately, the occurrence of criminals exploiting device vulnerabilities to steal data, install ransomware and stage other costly cyber attacks has become equally pervasive. While these dangers threaten virtually every person and organization that makes use of the Internet of Things (IoT), manufacturers arguably confront twice the level of risk.
First, manufacturers have to ensure that smart devices they produce are secure — for example, thermostats, wireless speakers, electronic door locks, insulin pumps or other goods. Second, they must mitigate cyber threats to the production process and, therefore, to the broader organization. That’s because manufacturers increasingly are adding IoT devices — sensors, robots, cameras and more — to the factory floor as they move away from systems that isolate communication between machines and other instruments and move toward greater connectivity in the manufacturing and production process.
The use of IoT devices in manufacturing is growing exponentially. According to research from Prescient & Strategic Intelligence, the IoT market in manufacturing was valued at $62.1 billion in 2021 and is expected to balloon to $200.3 billion by 2030. This research is consistent with a broad digital transformation trend that continues as companies seek to improve productivity and efficiency.
Successful cyber attacks on either the product or the process to make it can have severe consequences for manufacturers, including but not limited to loss of intellectual property (IP), increased health and safety risks, impacts to service delivery, leakage of sensitive data, widespread malware distribution, loss of control over devices, and negative publicity.
Mitigating the threat
But manufacturers can improve their digital defenses with minimal pain. Conducting penetration, or pen, tests can help ensure the security of the products that they make. In addition, assessing all aspects of the technology and security protocols used on the factory floor can help guard against companywide risk.
Here are a few basic pen tests that manufacturers should perform frequently on the smart products they are making:
Device security assessment
This baseline test involves breaking down a device to gain a full understanding of the IP or sensitive information it contains and how it interacts with other devices or data. The assessment includes determining how hackers might be able to reverse-engineer devices to extract IP.
Protocol security assessment
This pen test evaluates physical and/or wireless communication protocols to determine whether malicious actors can manipulate IoT device interactions or exfiltrate sensitive data via those protocols. Part of this assessment includes verifying that the manufacturer is following secure end-to-end design, development and deployment best practices.
Platform security assessment
Because IoT devices rarely exist in a vacuum, manufacturers need to examine each product’s end-to-end ecosystem, from firmware upgrade procedures to how the device manages various mobile and web applications through its application programming interface. This step includes simulating real-world threat scenarios related not only to the device and its infrastructure but also to the facility in which it was produced.
Firmware reverse engineering
Firmware often can be extracted by malicious actors, from external hackers to disgruntled employees. Manufacturers should perform an exercise to reverse-engineer an IoT device’s source code using the firmware’s image. This effort will help determine what bad actors could do with the information, whether any data could be recovered and the risks of losing IP.
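One way a product team can run this exercise against its own release image before shipping, as an added example that is not part of the original article: the script reports embedded secrets and how much of the image is stored in readable (low-entropy) form. The function names, the pattern set, the 7.0 bits-per-byte threshold and the sample image are all assumptions constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Patterns for material that should not be recoverable from a shipped image.
# Illustrative set (an assumption of this example), not exhaustive.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential": re.compile(rb"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*[^\s\x00]{4,}"),
    "url_with_auth": re.compile(rb"[a-z][a-z0-9+.-]*://[^\s/:@\x00]+:[^\s/@\x00]+@"),
}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: near 8.0 suggests encrypted or compressed data, low values readable data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def audit_image(image: bytes, block_size: int = 1024, threshold: float = 7.0) -> dict:
    """Report embedded secrets and which blocks of the image are stored unprotected."""
    findings = sorted(
        (m.start(), kind) for kind, rx in PATTERNS.items() for m in rx.finditer(image)
    )
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    readable = [i * block_size for i, b in enumerate(blocks)
                if shannon_entropy(b) < threshold]
    return {
        "findings": findings,
        "readable_offsets": readable,
        "readable_ratio": len(readable) / len(blocks) if blocks else 0.0,
    }

def build_sample_image() -> bytes:
    """Constructed sample: a plaintext config block followed by a high-entropy payload."""
    config = (b"FWHDR v1\x00mqtt_host=broker.example.invalid\n"
              b"password=Sup3rS3cret!\n"
              b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n").ljust(1024, b"\x00")
    # Deterministic pseudo-random bytes stand in for an encrypted partition.
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    return config + payload

if __name__ == "__main__":
    report = audit_image(build_sample_image())
    for offset, kind in report["findings"]:
        print(f"0x{offset:06x}  {kind}")
    print(f"readable blocks: {report['readable_ratio']:.0%} at {report['readable_offsets']}")
```

Any finding in a release image is a reason to move that material out of the firmware or into protected storage before the product ships.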
Advanced hardware attacks
This test reveals whether bad actors with physical access to a device can extract sensitive data, typically through trusted platform modules where information is stored. These attacks can introduce power glitches or other bugs into the hardware that could render a device unusable.
New technology security review
Manufacturers should undertake evaluations of the security implications of emerging technologies to give product development teams a detailed overview and understanding of the related cybersecurity controls and vulnerabilities.
Regulation risk may be increasing
While implementing and performing a deep assessment of product security is already important, it could become even more so soon. In the United States, the Biden administration announced a cybersecurity certification and labeling program for smart devices. As noted in the White House’s announcement, this program would raise the bar for cybersecurity across a wide range of common devices, including but not limited to smart refrigerators, smart microwaves, smart televisions, smart climate control systems and smart fitness trackers.
Of note, the Federal Communications Commission (FCC) plans to implement the use of a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about their smart products. While the long-term impact remains unknown, if protocols wind up mirroring nutrition labeling, manufacturers that fall short of the requirements could face financial penalties and regulatory action in the form of recalls, delayed shipments, lost credibility, fines and litigation. Food companies, for example, incur an average cost of $10 million to recall a product.
Focusing on the factory
Historically, manufacturers have avoided cyber threats because the factory floor lacked any connection to the outside world. But the implementation of IoT devices in manufacturing plants amid Industry 4.0 digital transformations is introducing new risks.
Cybersecurity breaches in corporate environments are associated with viruses, ransomware attacks and stolen data. While these are serious issues, the risks are elevated on manufacturing floors, where such intrusions may cause harm to human life as well as damage to equipment and facilities. For manufacturers that have added IoT devices over the last few years and are unsure of the strength of their security footprint, here are a few questions they need to consider:
- Have you benchmarked your current IoT implementation security standards against industry standards?
- How secure is your IoT ecosystem? Do you know how many devices you have connected to your network?
- Are you designing IoT hardware? Have you evaluated security and compliance with industry standards before the build?
- What is your risk exposure through your connected devices? How confident are you in their security?
- Do you have an actionable roadmap for your IoT solution? Do you have clear goals and metrics defined?
Take the next step
While IoT devices have become a critical part of the manufacturing process, manufacturers of smart devices face significant cyber risk exposure on two fronts – the products they make and the technologies used in the production process. By performing pen tests on products and identifying weaknesses in IoT systems on the factory floor, manufacturers will begin to better understand their current cybersecurity threat status and identify the steps needed to shore up their defenses.