As we head into the Industry 4.0 era—where connected Internet of Things (IoT) devices and automation will reshape industries—our world is already highly connected. According to Statista, there are already more than 10 billion connected IoT devices and that number will increase by well over a billion new connections each year, exceeding 25 billion in 2030. Much of this growth will come from industrial connectivity and automation products, which improve energy efficiency, operating productivity, and safety at-scale, while also reducing costs and unnecessary downtime.
Yet, as we’ve witnessed over the past two years, increased connectivity creates increased risks. As networks of connected smart devices exchange critical data, they also open numerous vulnerabilities for exploitation by hackers. Given the inherent complexity of industrial-scale automated systems and the fact that malicious actors need only find a single vulnerability to access an entire network, it’s clear that organizations are facing an incredibly tough challenge. This challenge will only grow as IoT devices become ubiquitous in the Industry 4.0 era.
In February 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert acknowledging a year-long uptick in sophisticated ransomware incidents targeting critical infrastructure organizations across the globe. Only days later, the FBI and Secret Service warned that the resurging BlackByte ransomware gang successfully compromised multiple U.S. and foreign organizations. These attacks included “at least three critical infrastructure sectors” ranging from food and agriculture to financial institutions and government facilities. Unfortunately, mitigating the security issues that enable these attacks is easier in theory than in practice.
Complexity is security’s greatest enemy. Increased digitization of organizations and industries without adequate advance consideration of security risks has created insecure interconnections. In many cases, organizations have proved unable to maintain acceptable levels of security and, in some cases, exposed critical infrastructure elements to the internet for the first time. Since infrastructure failures can be catastrophic, cutting off food, water, electricity and oil supplies, these elements became desirable targets for profit-hungry cybercriminals. In fully connected ecosystems, including those that Industry 4.0 organizations are building, attacks on these sectors can spread to customers and supply chains, giving bad actors even greater leverage to demand payments.
At my company, UL, we believe that hardening security requires a proactive, tactical approach to both risk management and security, building protections upfront in the product development process. Moreover, meeting legislative and industry compliance requirements should be part of every company’s comprehensive product security program. This approach to reducing cybersecurity risks is known as security by design. This strategy enhances trust for all stakeholders across the product’s entire lifecycle and is implemented in several steps.
As attackers become more malicious in targeting industries through connected devices, organizations can no longer afford solely reactive approaches to cybersecurity. Sustainable and strong cybersecurity postures now depend on holistic approaches to governance and processes, starting with security by design and continuing with ongoing testing to meet evolving industry and regulatory standards.