Auto companies are quick to implement IIoT but slow to secure it, new study shows

7 minute read | September 17, 2018

According to a recent IBM Institute for Business Value survey, 87% of automotive companies are implementing Industrial Internet of Things (IIoT) technologies into plants and assembly lines without fully evaluating risk or preparing effective responses. To learn more, Industrious spoke with study authors Ben Stanley, Giuseppe Serio, and Lisa-Giane Fisher.

Your study shows that auto companies are quick to implement IIoT in manufacturing facilities, but slow to implement effectively on the cybersecurity front. Why is that?

Ben Stanley, Automotive Research Leader, IBM IBV: Auto companies want their plants to be intelligent. They are installing smart devices that collect tons of data to see how the machines are running, inspecting how parts are being built, and helping manage the complexities of their plants. What typically lags behind is the security. There may be a “it won’t happen to us!” mentality. Taking that extra step to make things secure sometimes gets lost in the process of getting things up and going.

Giuseppe Serio, IBM Global Solution Leader for Cybersecurity: What is specific to the auto industry is that the product they are delivering is dramatically changing. And it’s not just the connectivity, services, electrification, usage, and business model that are changing. It’s also a dramatic shift in the notion of what a car is and what it does. That puts a lot of burden on manufacturing processes, which have been the same for the last 20 years. It takes a long time to design and deliver a car—approximately between three and four years.

Ben Stanley: Companies are being extremely challenged by changing product requirements, R&D, consumer requirements that can’t wait, shareholders that want growth and investment. The approach becomes: “we need to get it up and running, but do we really need to secure it at this time?”

What are the risks of having ineffective cybersecurity for the IIoT in automotive plants?

Lisa-Giane Fisher, Benchmarking Leader, Middle East and Africa, IBM IBV: When you deploy IoT technologies in industrial environments, the result is cyber-physical systems: a convergence of IT and OT (operational technology). Cyber-physical systems are a combination of advanced manufacturing technologies and advanced computing technologies in a digital representation. This enables better modeling of interactions and outcomes and yields better insights so people and the machines they work with can drive operational improvements.

That’s why this is such a big risk: these are physical environments and a successful breach can have physical consequences. The potential for destruction or failure of equipment is significant, as is the risk of injured workers. And it’s not just the company that is at risk. These online, interconnected environments can encompass suppliers, partners, and end customers. You’re putting an entire ecosystem at risk if you don’t secure the IoT environments properly.

IoT technologies can improve operational efficiencies, but organizations need to be mindful of the risks. It’s important to focus on managing these risks on an enterprise level, and have a clear strategy for IoT security. Companies can, for example, look at what we’ve identified top performers are doing, and use it as a template for how to proceed with their IoT security efforts.

In automotive, the greatest IoT-related risks are exposure of sensitive and confidential data, supplier and partner contracts and IP, proprietary manufacturing processes, and advanced engineering designs. These are sources of future growth for the company. In the hands of malicious actors, they represent a threat to the future of the business.

There are also concerns around regulatory requirements and environmental harm. GDPR deals with sensitive and confidential data of not just the clients but the organization and its employees. And there are other regulations that need to be complied with. A potential breach may cause damage to the environment and result in non-compliance with an environmental regulation. The reputational risks are significant, as well as the risks for potential future investment.

So the scope of the threat is significant.

Lisa-Giane Fisher: The scope is the entire supply chain and beyond. A breach of the operational system that controls a physical process can result in injured employees, damage to equipment, production stoppages or the production of faulty products. From the broader ecosystem perspective, if supplier IP is exposed as a result of a breach, the company can lose contracts and future business. The scope keeps getting broader and broader.

You write that cybersecurity capabilities for these plants need to be contextual and adaptive. What does that mean?

Giuseppe Serio: As with IT security, once you’ve identified a breach, you want to understand how long the breach has been around. There’s a very long potential period of time where you’ve been hacked but don’t know it. It’s difficult to know the degree of infection, how much data you’ve lost or even what has been exploited. It takes a very long time until you eventually realize you’re out of control of your own systems.

When you say a very long time, what does that mean?

Giuseppe Serio: The average time to detect a data breach in the IT industry is 191 days, and then 66 to contain it. That’s a total of 257 days to fix things up. Many things happen in a plant. When we say a company is a leader, or advanced in handling cybersecurity, they have the ability to understand what defines a normal use case. And then this use case, put into context, will give an indication of compromise, a sense of abnormal behavior. That contextualizing will give you early signs of detecting a breach.

Ben Stanley: A breach can be as simple as someone going in and looking around. You may not be able to tell something happened to you. Or that someone went in and planted something that will activate at a later date. Using manual or traditional methods to look for those things is not going to work well in the future. You’ll need AI capabilities to look for those things and notice them earlier. Maybe they’re normal things, but put into context you can pick them out and determine that maybe there’s an issue there.

And where does the adaptive part come in?

Lisa-Giane Fisher: Machine learning systems can analyze IIoT data streams, automate the building of adaptive models of what is “normal,” and track this “normal” behavior to constantly try to spot deviations that may signal potential threats. Adaptive means that the systems in place can continuously learn from and adapt responses to known and newly emerging threats.

Ben Stanley: When hacking first began, a hack would happen, and a company like McAfee would react and push out a fix for it. Now we’re trying to get ahead of it. How can we find things—even little indications? The stakes are quite high. If somebody hacks your computer at home, that’s bad, maybe you didn’t back up your data. If someone hacks a vehicle that’s driving down the road, or a machine that’s in a plant, physical injuries can happen. The more you can get ahead of the game, the better.

Though your focus is on the manufacturing side of things, where does the consumer come in?

Ben Stanley: As a consumer, awareness is a factor. If people knew a plant where the systems responsible for building their car were hacked, with the potential of their personal data being exposed, they would be concerned. Or, the potential of the plant in their neighborhood being compromised and hazardous material exposed to the environment. We didn’t study this, but there is an indirect relationship based on sensitive data, environmental data—especially for shareholders.

What can manufacturers do to be more secure?

Giuseppe Serio: One of our major findings is consistent with what we know about security in general. It’s not about one specific tool or skill. Security is about people, technology, AND processes. All need to be well-orchestrated in order to work properly. It’s a multi-discipline domain. No company can tackle everything alone. It’s an effort of the entire ecosystem: the equipment providers, the clients, the security vendors.

Ben Stanley: When we looked at what companies had a formal security program—not piecemealing—only 47 percent of the top performers did. With the auto companies that aren’t part of that top performer group, only one in 10 companies has a program. If you don’t have a vision in place, how can you adequately protect yourself?