With the world becoming more connected thanks to the rollout of the Internet of Things (IoT), the need to ensure the security of this new smart landscape is paramount.
This is especially true in the rapidly-growing area of the Industrial IoT, or IIoT, where manufacturers, utility companies and other industrial entities look to embrace the benefits of digital technology in the so-called Industry 4.0.
However these businesses, many of whom are huge corporations that have been in operation for decades are often laden down with aging legacy infrastructure that is both outdated and essential at the same time – so how do we go about securing this?
- Trend Micro: IoT brings innovation, but also threats
- Why IoT security should be top of your list
- Trend Micro Antivirus+ Security review
“The problem is that the stuff that you buy for those kind of environments is supposed to last you 30 years or so,” Rik Ferguson, VP Security research at Trend Micro, told TechRadar Pro at the recent InfoSecurity London event.
“It's not high turnover equipment…there's a lot of stuff that's old, but still relevant,” he adds, noting that factories especially don't usually have the kit IT departments are used to dealing with.
Trend Micro has just formed a new joint venture called CX One looking at addressing the issues around IIoT, lending its expertise to businesses across many sectors.
"What really struck me when I was talking to customers about (IIoT security)…was actually how big that market is, and how many enterprises and industries have connected IoT devices and industrial devices,” Ferguson says.
He adds that the IIoT environment may end up being like the growing security worries surrounding smart homes, noting that, “the scale of the problem is huge.”
“Manufacturers for IIoT equipment are also now very aware that security is a very important factor. For buyers, it’s now part of their buying decision,” he says.
“But there is effectively a toxic legacy of decades old products, some of which will remain on the factory floor and in production for a very long time…And that's the security challenges – how do you secure this production or domestic production environment knowing full well, that the things that you are securing have no means of securing themselves?"
Influenced by the number of large scale attacks harming big businesses (with the Norsk Hydro ransomware attack gaining headlines across the word) alongside the advent of GDPR, Ferguson believes many more firms are waking up to the dangers of failing to invest properly in cybersecurity.
“What really strikes me is that many more businesses, particularly smaller businesses, are now more security aware,” he says, referencing an example of his estate agent knowing about GDPR.
“The awareness is there…anyone who is running a business will now know that GDPR exists and have an idea of what it covers.”
This need to be aware is particularly relevant as a number of “classic” style cyber threats come back into fashion as better-funded attackers widen their attack vectors.
“The players that are still in the game are the ones with the highest skills, better financing, better budgets, and they're able to invest more time in each individual attack rather than the spray and pray,” he says.
“It is highly professionalised – but that doesn't stop it becoming even more so.”
The increasing professionalism of cybercriminals, with more funding, intelligence and work going in to attacks, should be a major worry for businesses of all sizes, Ferguson says.
But although old-school methods such as phishing are still paying off, the security industry is also evolving and upping its game too, he notes.
“As security tools improve, obviously, the attackers have to up their game as well,” he says. “And that means not only in terms of toolkits they use but also the skills that they have to deploy them and to use them”
“We have to think of new ways to (protect)” he concludes. “So the advent of new technologies and new ways of doing things has an inescapable back propagation effects, in terms of all the things we've already done, we have to change how we do them.”
- Best internet security suites of 2019