Securing Industry 4.0 presented at ISC2SecureSummit 2019

by Geoffrey Gates

Summary: Today's cyber security frameworks mainly focus on the risk of attack as it applies to the Confidentiality, Integrity, and Availability of information. As it is, many cyber security programs are only just maturing to adequately identify, measure and monitor cyber security risk factors. Those that have matured often have not considered the additional layer of complexity introduced by cyber-physical and operational technology. The Industrial Internet of Things will enable data collection and awareness, and this data will be leveraged to increase operational efficiency and insight into industrial control systems, tightening the feedback loop. At this point, systems and human safety considerations must be incorporated into this "CIA Triad" model. For Industry 4.0, system safety appears as a fourth component relating to the CIA triad. To address safety challenges, an industry framework for assessing, controlling, and isolating IIoT endpoints is key. Unfortunately, with the rapid adoption of IIoT, equipment is often procured without consideration of how it will be integrated. As manufacturing engineers and maintainers bring these devices online, the time of connection to the enterprise is usually too late to make a consolidated decision. As information security professionals, we must start to embrace this shift to IIoT now. A multi-faceted approach must be deployed to influence IIoT suppliers, incorporating evaluations into the procurement phase for any "IP connected" device, evaluating the impact on human safety, and lastly providing an architecture that allows for deployment of these technologies into the appropriate enclave.