Steve Banker

February 13, 2015

ARC Advisory Group’s 19th Annual Industry Forum ended today. There were approximately 300 executives in attendance. Key themes were the Industrial Internet of Things (IIoT) and Cybersecurity. These are interrelated themes because cybersecurity tops the list when it comes to challenges for IIoT. When one thinks of a hacker getting into a system and shutting down a utility, for example, it is obvious that the consequences of an Industrial Internet of Things security breach could be dire. And the IIoT makes this problem so much greater. Hackers need only a tiny tear in the security fabric and they can get in and cause harm. And as the number of connected devices grows exponentially, so does the number of entry points.

What follows are some of my takeaways when it comes to cybersecurity.  Because this is a sensitive topic, I won’t name any of the speakers from industry or the companies they work for.

MIT has active research in the area of cybersecurity. Michael Siegel, a Principal Research Scientist at the MIT Sloan School of Management, shared some alarming statistics: over 80 percent of breaches involved systems where security patches had been available for at least one year; 75 percent of breaches go undiscovered for weeks or months; 67 percent of breaches were aided by significant errors from employees of the victimized firm.

But Michael made the point that these statistics represent averages.  “Distributed” software – software that resides on site at a company – is far more vulnerable than “platform” software (public or private clouds).  That is because Cloud software providers can do security patching on an ongoing basis.  And yet, the perception is that Cloud software is less secure than traditional software.

There were several IT folks in charge of security at the conference. They mostly felt they needed greater resources to improve cybersecurity. But they bemoaned the fact that it was difficult to get resources for events that were very unlikely to occur, but if they did occur would be devastating in their impact: so-called Black Swan events. An example would be the recent Sony cyberattacks that brought the company to its knees.

One expert whose job is to help secure his company’s industrial automation systems admitted that Stuxnet was an eye opener. “I never dreamed that a zero-day attack of this kind could happen; the knowledge to exploit these types of systems is so obscure.” A zero-day (or zero-hour or day zero) attack is an attack that exploits a previously unknown vulnerability in a computer application that developers have not had time to address and for which no patch is available. It is called a “zero-day” because the programmer has had zero days to fix the flaw.

On the other hand, not all operational executives were all that happy with the increasing focus on cybersecurity. One executive in this camp is in charge of implementing supply chain applications for a large company that wants to become demand driven. At the same time that this company is endeavoring to use consumption data to drive production that is better matched to the actual demand, they are asking their key partners to monitor their inventory levels and build and supply raw materials to them on a just-in-time basis. They don’t want to pay for raw materials until they need them. Some of the systems they want to use to facilitate this VMI collaboration are Cloud-based. This executive feels that his company’s cybersecurity team has put in place measures surrounding these Cloud applications that will make collaboration onerous for their key partners.

And finally, Qi Hommes, a lecturer at MIT, made the point that improving cybersecurity demands systems thinking. You can’t attempt to improve security by looking at the different components in isolation. She said it was analogous to control theory. The ARC event attracts a high number of control engineers who use these principles to control their companies’ industrial automation systems. Our audience loved this point.

