Cyber Security
Extortion attacks on OT and IIoT infrastructures
The widespread use of IIoT and OT is also a new area of digital security risks. These should not be underestimated.
Many experts consider the rise of the Industrial Internet of Things (IIoT) and its close relationship with Operational Technology (OT) to be one of the most important business trends of the early 21st century. At first glance, this is easy to understand: connecting a multitude of devices, sensors and equipment to the internet, and combining this with the machine-to-machine (M2M) communication and automation required for industrial processes, sounds like the next big industrial upheaval.
In Germany, Europe's largest industrial economy, the use of IIoT for digital automation has developed to such an extent that it can be described as the fourth industrial revolution, the so-called "Industry 4.0" strategic initiative, which is also being promoted by the German government.
The prospect of integrated supply chains and of real-time feedback on processes, emerging problems and available stock, with even the smallest elements of an industrial process interconnected, is extremely promising. Efficiency would increase significantly and problems and error messages would decrease, because the systems could ultimately take care of themselves without the need for expensive human intervention and management measures. The IIoT thus becomes the platform for those industries on which the digital economy ultimately depends.
However, a more pessimistic view - you could also call it realistic - also sees the widespread use of IIoT and OT as a new area of digital security risks. These could be underestimated in a similar way to the risks of consumer-oriented IoT in the early years.

Potential number of attackers increases
It should be clear not only to security sceptics: the more devices, equipment, sensors and applications are connected, the greater the interdependence and sensitivity to incidents. The development of cybercrime over the last 20 years shows that the potential number of attackers increases in line with the number of IIoT and OT users. However, as Industry 4.0 and IIoT are still being developed and many technologies and standards have not yet been finally implemented, potential vulnerabilities for cyber attacks are not always obvious.
However, recent cyberattacks on manufacturing facilities show that there is cause for concern. According to Verizon's latest Data Breach Investigations Report (DBIR), which analyzed 2017 figures, the manufacturing sector had 42 known breaches and 389 cyber incidents of various kinds. This puts it just behind sectors such as healthcare, finance and retail. Around 90 percent of these are from external hacking rather than an internal compromise or misconfiguration. Verizon also points out that 86 percent were targeted attacks specifically designed to penetrate certain organizations.
"The vast majority of attacks highlight that criminals are targeting specific manufacturing sites with a very specific purpose," the report says. These figures do not yet detail how vulnerable IIoT and OT could be to cyberattacks, but they do highlight that they are already being targeted across the board with a range of intentions, including geopolitical advantage and financial gain.
How might attacks develop?
Cyber attacks are based on a combination of technical means - the vulnerability that is exploited to penetrate a target network - and the criminal intent to do so regardless of risk and cost. Recent incidents show that the most common method of attack is probably targeted cyber-extortion.
A cautionary example of how dangerous this can become was provided by the incident in the city of Atlanta in March 2018. Like almost every major city in the world, Atlanta and its citizens rely on online services to provide simple applications such as parking, bill payments, court summonses and a variety of local government functions.
Using a hacking-to-ransomware platform called SamSam, attackers infiltrated the city's network to encrypt a number of applications. Although the ransom demand of 51,000 dollars (around 45,000 euros) was apparently not met, the attack ultimately cost 2.6 million dollars to clean up. SamSam was also blamed for other attacks in 2018, including the city of Newark, the Colorado Department of Transportation, the University of Calgary and, perhaps most worryingly from an industrial perspective, the ports of Barcelona and San Diego.
This highlighted that these incidents can happen in any institution, organization or critical infrastructure, including factories, industrial processes or supply chains. Here, even a few hours of downtime can have a devastating impact. Size and importance no longer seem to be a defense; on the contrary, if an institution is valuable and vulnerable enough, it becomes a worthwhile target.
No efficient security strategies or models
An additional risk is that IIoT systems still often do not have efficient security strategies or mature security models. In the past, errors in security design have too often led to a wide range of penetration opportunities. In addition, industrial networks that support IIoT are usually not built from scratch, but depend on an organization's established network security and protocols.
A fundamental problem here is that IIoT and OT inherently increase the number of devices communicating via internet protocols, thus increasing the attack surface. Attackers then only need to find a weak point or protocol - Remote Desktop Protocol (RDP) was SamSam's preferred method of entry - from which they can build a deeper breach into the target network. By the time an affected institution realizes that an attacker is on the network, it is usually too late.
In future, any planning for the implementation of IIoT and OT must include security aspects centrally and in advance. The many new risks pose major challenges for experts. The defense of Industry 4.0 systems must be fundamentally and highly professionally repositioned if the next wave of this industrial technology is to fulfill its promise. as










