Critical infrastructure across sectors worldwide is in a particularly vulnerable state due to the continued heightened pace of cyberattacks on the Industrial Internet of Things (IIoT), according to a report from Lloyd’s Register Foundation, the U.K.-based global safety charity. Lloyd’s suggests a series of measures to meet the IIoT risks to energy, transport, built and physical infrastructure, as well as manufacturing, that have been increasing since the Covid-19 pandemic engulfed the world earlier this year.
The core finding of the report is that the current pace of change will not match the fast emergence of new security threats to IIoT environments. Current capabilities do not scale, have not been tested or simply do not yet exist, Lloyd’s believes.
The study also suggests that many complacent organizations may not be able to recover from a catastrophic cyberattack, and that each therefore needs to prepare for that possibility through regulation and insurance that can build preventative security practices.
The report, co-written principally by Robert Hannigan, executive international chairman of BlueVoyant, and Oxford University cybersecurity professor Sadie Creese, aims to prioritize action by identifying key emerging risks and the gaps in capability for which the current pace of change in operational cybersecurity will not be sufficient. In these environments, the consequences of failure can be systemic, and the report calls for international cooperation and the urgent adoption by the IIoT community of guiding principles to increase resilience to cyberattacks.
Lloyd’s noted the differing perspectives of those responsible for managing risk within industry, who include operations executives and board members, companies and regulators, and procurement and cybersecurity teams, and urged increased cyber awareness for all.
Managing cybersecurity risks already faces many challenges, including the sheer difficulty of trying to map the complicated relationships between technical and human systems, and the challenges of communication between different communities where the frameworks for understanding risk are fundamentally different.
Throw IIoT into the mix and these existing challenges are exacerbated, creating key capability gaps that Lloyd’s suggests organizations should address with the following measures:
- Always consider harm consequences when planning how to manage risks
- Consider how security controls may fail as you increase use of IoT devices
- Use techniques that can provide you with a continuous assessment of your position (near real-time) as opposed to periodic assessments
- Consider how your supply chains are using IoT: consider their failure to maintain cyber security as a risk to your security risk management plans
- Invest in forensic readiness processes
- Include a consideration of future scenarios in your risk assessments
- Invest in training for staff on IoT standards and good practice
- Collaborate to establish a device interface protocol for sharing security monitoring information