Cyber Physical Systems Everywhere
Published by: Industrial Automation
With the adoption of automated products and connected systems, cybersecurity must be continuously defined, monitored, and improved, says Ravi Ramarao.
A few years back, pervasive computing was considered by many to be a futuristic notion. However, things have changed quite quickly, and recent events such as the pandemic are only accelerating the journey towards digital and connected systems.
Fiction writers and the famous Japanese cartoon film makers had a wonderful time dreaming about innovative systems that detect, self-diagnose and make intelligent choices. Such systems are no longer the stuff of dreams in serials and books; the authors have to find newer ideas.
In the emerging vision of a hyper-connected world, there is interactive intelligence all around us. Physical products and infrastructure are no longer mere objects. They are sensible things that can in many cases understand – and even anticipate – our human intentions and adjust accordingly.
Self-driving cars, Intelligent Homes and Smart Cities are becoming an acceptable way of living and quite possibly a de facto standard soon. On a day-to-day basis, we have started using systems like coffee makers, smart refrigerators that automatically schedule service and supply, and irrigation systems that adjust watering dynamically based on soil and weather conditions – all based on strong data points and intelligent systems.
Today, the above real-life scenarios are relatively mature examples of connected products, backed by successful business models. This is why companies all around the world are starting to prepare for a future in which cyber-physical systems are commonplace.
Intelligent systems require intelligent protection
All these are made possible by interconnected systems and global networks. Generating data and sharing it across systems is essential for them, and increasingly that data is transferred over the internet. A growing number of edge components send their data to enterprise networks and servers across cyberspace, where digital intruders and hackers loom, eagerly waiting to catch priceless information.
End-to-end cyber & data Security: The need
A comprehensive cybersecurity cover for the enterprise has become a fundamental need. Why?
Each new service and capability introduces additional risks. Hackers constantly look for points of entry for potential privacy breaches. The number and usage of connected systems and smart mobility services will inevitably only increase. So, we should be prepared to face a growing number of cyber, fraud, and data-breach incidents. If we are unprepared, these incidents will cause damage to both companies and consumers.
The best way to face this is to accept the fact that ‘Risks’ won’t become ‘Zero’. Impossible. Our focus has to be on minimising the risks. First, we have to understand the potential weak entry points in a systematic manner and assess how someone can exploit them. It’s a ‘war’ in cyberspace. Real war, not a game!
Next, work towards solutions that can be implemented to lower the risks, always reminding ourselves that this is a continuous process. Not a ‘one time’ event.
Threat is real
Generally, sensational news hits the headlines and afterwards begins to fade away. If we recall, in 2010, a 20-year-old managed to manipulate over 100 cars via remote control, such that they would no longer start. An even more critical situation arose in 2015, when hackers managed to take remote control of a Jeep via the SUV’s entertainment system. They gained access to its multimedia systems, windshield wipers, and air-conditioning system and controlled the brakes and the speed of the vehicle. They stopped the car in the middle of the highway. To do this, they used the vehicle’s internet connection, and it was all done from a remote location. As a result, the OEM had to recall and patch around 1.4 million vehicles. Grand welcome to cyberspace!
Types of hackers
White hat or Ethical hackers – These hackers are professionals who legally break into protected systems to test their security, primarily to detect vulnerabilities in networks and systems and expose them before malicious hackers do.
Black hat or Criminal hackers – Black hat hackers maliciously break into computer networks and security protocols to spread malware, steal data, modify it, or destroy it.
Grey hat or Ransom hackers – Like white hat hackers, grey hat hackers expose vulnerabilities in systems and report issues to the owners. What grey hat hackers do is illegal, and they often request a fee to fix the issues they find.
Some well-known vulnerabilities
One of the weakest links, in most cases, is outdated software. So, the software and firmware in the entire system have to be kept up to date. This mitigates attack vectors caused by vulnerabilities a hacker can exploit. However, besides outdated software, statistical data on breaches indicates that the greatest threats are actually the humans in the organisation. Social engineering is in fact the most common cause of a system breach. Only then can the attacker start looking for outdated software!
Covering all major elements of the data security infrastructure
Data is often highly critical and sensitive. The objective is to achieve the highest standards in end-to-end data security. The recommendation is to adopt a scientific and comprehensive approach to maximise data security by simultaneously considering physical safety and cybersecurity.
Some key measures (the list is not exhaustive):
a. Assign every component in the network an authentication key
b. Secure data by encrypting it (advanced encryption standards) at the hardware level, using a cryptographic key that is safely stored in a unique built-in Trusted Platform Module (TPM)
c. Manage user access rights, ensuring that only authorised people have access to your data
d. Support only secured connections (HTTPS)
e. Disable the execution of 3rd party software and unsecure ports, such as universal plug and play
f. Allow firmware updates only via authenticated/signed firmware files
g. Apply regular security patch updates and password management
h. Apply stringent security measures while supporting 3rd party Public Key Infrastructure (PKI) solutions and customer-specific certificates
i. Strictly follow the security requirements of the wave of new standards and regulations: first, those which set standards at the process level; and second, the activities which will make cybersecurity a prerequisite for type approval (industry specific).
The manufacturers (and perhaps customers too) will have to identify and secure critical elements for the entire platform, all the way through to phase-out. This means life cycle management will be a decisive topic in the future. In other words, how do you provide adequate risk-based protection for connected systems after the start of production? They are in cyberspace and face many years of exposure to a constantly changing threat landscape.
Whether OEM, supplier or consumer, all should be aware of these facts. To achieve the security level identified in this way, we need to involve all participants: from development and production through quality assurance to sales and customer communication. Throughout the supply chain, the roles and responsibilities must be clearly defined. A demanding exercise but essential.
Enterprise security has to be carried out with military rigour. No compromises or deviations allowed. Standard and highly structured assessment procedures should become basic hygiene. Periodic gap analysis, preferably with 3rd party agencies carrying out a SWOT, is also highly recommended. It makes a lot of sense to get a security specialist on board.
Independent, reputed and trusted external agencies bring in an outsider's view and a global perspective. In-house industry-specific know-how and native domain experience serve as an ideal complement to this external expertise.
Building on your own strengths – ‘One Size Does not Fit All’
In conclusion, the disruption caused by digitalisation is phenomenal. Safety and business impacts of cyber risks have never been higher in the industry. With the adoption of automated products and connected systems, cybersecurity must be continuously defined, monitored, and improved.
In the ‘end-to-end’ supply chain, OEMs, suppliers and other relevant eco-system entities should identify and leverage their existing cybersecurity strengths, both independently and collectively, to work as a safe ‘eco paradise’. This has the distinct advantage of setting up compliant and best-in-class cybersecurity management systems in optimal time and at optimal cost.
The idea should be to optimise cybersecurity efficiency without reinventing the wheel.
First, enterprises should follow stringent information security policies. Secondly, benchmarks and targeted cybersecurity roadmaps, along with outright dynamism in reviewing the policies and quick implementation, are mandatory. Finally, uncompromising implementation as a day-to-day discipline is the best possible way to achieve continuous cybersecurity protection.
In my thinking, dynamism and continuous rigour hold the keys to success.
“In a connected world, cyber security is as fundamental to your safety as the brakes”
-Ralph Speth, former CEO of Jaguar Land Rover (JLR)
Some important statistics:
a. 43 per cent of cyber-attacks are aimed at small businesses. (Small Business Trends)
b. 90% of hackers cover their tracks by using encryption. (Vanson Bourne)
c. It takes most companies over six months, or around 197 days, to detect a data breach. (ZD Net)
d. Windows is the most targeted platform by hackers; Android is number two. (Computer World)
e. There were over 3 million crypto-jacking hits between January and May 2018. (Quick Heal)
f. The most expensive component of a cyberattack is information loss, which represents 43 percent of costs. (Accenture)
g. Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (CyberSecurity Ventures)
Ravi Ramarao is an International Business Leader with 29+ years of overall experience in Connected Manufacturing – Digital/IoT/Enterprise-wide E2E Supply Chain Consultancy to Fortune 10/50/100 industrial manufacturing clients and large global program management. Among his accolades, more recently, is a special assignment as India National Expert for MSME – I4.0 Solutions, and he has worked for the Asian Productivity Organisation, Japan, under the auspices of NPC, India.
Ravi is presently Chief Architect – Industrie 4.0/IIoT/Smart Mfg Platform Solutions at Robert Bosch Engineering and Business Solutions Pvt Ltd, handling technology, solutions and business models for Smart/IIoT embedded digital manufacturing; and co-creating and building a strong partner ecosystem using multiple technologies and a unified platform: 1. E2E Digital Supply Chain; and 2. Domain Driven – Technology-enabled interoperable systems.
Prior to this, Ravi was a Business Leader – Manufacturing IT & Plant Solutions @ Tata Consultancy Services during 2005-2015; and in Manufacturing – Design, Engineering, Build and Operate in Petrochemicals, Oil & Gas industries during 1991-2005.
Ravi believes Sensors, Software Solutions and Platform…is the way forward. Smart Manufacturing, Data Science, Algorithms and Predictive Analytics are the areas to invest – the life lines to remain in the market.