CYBERSECURITY UPDATE
In recent years, the Internet of Things (IoT) has spread massively into consumer markets and has also found its way into the heart of industrial sites and infrastructures. Has this come with an increased risk of cyber-attacks? That is what a growing number of public and private-sector decision-makers fear. Cybersecurity is becoming a priority for Executive Committees, a first for a topic previously confined behind the walls of IT and engineering departments.
Calling on companies that are expert in both cyber risk and the challenges of using the IoT is becoming a must: first to analyze the security and safety of IoT products and their associated systems, then to check that the appropriate measures have actually been taken. This is where Bureau Veritas is uniquely placed, combining its new cybersecurity know-how with the proven expertise of its IoT testing labs and its industrial risk auditors.
“In 2016, there were only a few thousand cyber-attacks that exploited the vulnerability of connected objects. Since 2016, the main observers of cybersecurity report a multiplication of these attacks by a factor of 3 to 7, depending on the sources of measurement used, with a 50% increase in 2019 compared to 2018.” This is what Jean-Baptiste Gillet (Strategy Director for Cybersecurity at Bureau Veritas) points out. He heads the Task Force dedicated to cybersecurity at Bureau Veritas, and his message is clear: urgent action is needed.
In fact, with the boom in the number of devices connected to the Internet – in 2025 the figure will be close to the 40 billion mark – the “exposed area” (i.e. the attack surface) grows apace, to the point that 25% of cyber-attacks could come via these devices rather than via computers. Whether it is taking control of connected cars by cracking the Wi-Fi encryption, identifying vulnerabilities in connected locks or attacking the ZigBee command system, examples of such attacks are numerous. Hackers are also finding more and more ways to exploit the flaws of connected objects, for example to build a botnet (a network of compromised machines) capable of launching large-scale attacks. This was the case for the 2016 Mirai botnet, which took down several sites and services using vulnerable surveillance cameras.
That a hacker could take control of a connected toothbrush may seem relatively benign. For an organized team of cyber-attackers to gain access to the command-and-control system of a chemical plant, however, presents an altogether more troubling danger. And what would happen if cyber-attackers managed to override the control system of a driverless car?
IS CYBERSECURITY UP TO THESE NEW CHALLENGES?
“To answer this question, it is first useful to draw a distinction between the two main groups of connected objects,” says Philippe Sissoko (Director of Operations, LCIE Bureau Veritas). The first group includes short-range devices that work with Wi-Fi, Bluetooth, LoRa, ZigBee, etc. and that are widely available to the general public and to parts of industry. Examples include connected speakers, “wearables” and “smart-home” devices. It is against this group in particular that we are seeing an increase in attacks, because their manufacturers are not accustomed to factoring in cybersecurity during the R&D phases. These objects are then adopted very quickly, with consumers rarely aware of the risks posed by hacking. According to a recent study, more than 40% of smart homes are equipped with at least one vulnerable connected object.
The other main group includes long-range devices that use cellular technologies, such as smartphones, whose protection has historically been good thanks mainly to their more secure SIM cards.
Philippe Sissoko goes on to add that “we must also distinguish between the types of use and look beyond the mere use of the IoT by the general public to the Industrial IoT (IIoT). This technology is key in implementing Industry 4.0 with its ultra-connected plant. Manufacturing companies will have to overcome several challenges – and that includes cybersecurity – as the number of connected sensors used for surveillance, maintenance or remote operation purposes reaches the tens of thousands mark”.
Given the scale of these industrial dangers, the IIoT, particularly as it relates to “Operators of Essential Services (OES)” (Editor’s note: services such as energy and water suppliers as well as infrastructure and transport managers), is subject to very stringent and regulated protection requirements. These derive from the Military Planning Laws and are now harmonized under the Network and Information System Security (NIS) Directive adopted by the European Parliament in 2016, which sets out specific recommendations and requirements on the level of security, implemented through the national cybersecurity capabilities of the Member States.
“More generally speaking, in Europe there has been a regulatory framework since 2019, brought in via the Cybersecurity Act, which provides for three levels of cybersecurity with tailored assessment and certification requirements: ‘high’ for financial institutions, essential infrastructures, etc. and anything else Member States deem fit to include; ‘substantial’ for large corporations; and ‘basic’ for everything else, in particular the IoT as used by the general public. In reality, it is clear that in this day and age all industrial sectors at these different risk levels need to take action to guarantee the IoT’s cybersecurity,” concludes Jean-Baptiste Gillet.
ENHANCING MOBILIZATION
In practice, the ‘substantial’ and ‘basic’ levels are where most of the work remains to be done in terms of enhancing and structuring mobilization. By way of example, experts recommend that, on average, 3% of turnover be invested in cybersecurity; how many companies do not even spend this amount on their IT department as a whole?
The cybersecurity efforts of companies producing connected objects for the general public are primarily aimed at internal IT equipment and processes. “While more and more companies have appointed a Chief Information Security Officer (CISO), the role of this CISO is often focused on the company’s IT processes and not on its products, which are managed by R&D,” remarks Jean-Baptiste Gillet.
From one company to another, and from one type of connected object to another, the levels of awareness of the issues, of preparation and of implementation of cybersecurity strategies vary wildly. “It is important to understand that connected devices for the mass market often include connected components whose vulnerabilities are not necessarily identified, let alone factored in. Yet a connected light fitting may give indirect access to a home Wi-Fi network; we have already seen this type of hacking,” explains Philippe Sissoko.
Ultimately, four types of risk associated with a cyber-attack can generally be identified: altering the functions of the equipment; taking remote control of the device; accessing or stealing confidential data (including intellectual property); and using the connected device as an entry point into the network. And if the risk is not controlled, the manufacturer’s responsibility is now directly called into question.
As a result, companies now more than ever need a support service they can trust to help them understand the cybersecurity of the IoT at the heart of their processes. “In practice, we help our industrial clients identify the relevant threats and risks; we then help them design action plans to reduce these threats and ensure data integrity; we then support them in checking that these plans are properly implemented, and we offer several certification solutions that attest to their understanding of and efforts in IoT cybersecurity,” explains Jean-Baptiste Gillet.
And, as Philippe Sissoko adds, the results are there for all to see: “After pointing out to a manufacturer that the Wi-Fi connected to their electrical circuit breaker was unprotected, we recommended that they block the Wi-Fi connection by default, so as to prevent a hacker from taking control of the circuit breaker and disabling all of their physical safety devices.”
This support centers on tailor-made benchmarks and evaluation schemes that allow companies to stay one step ahead of European regulations. The specifications proposed by Bureau Veritas are based not only on published and recognized technical standards and specifications (e.g. IEC 62443 for the security of Industrial Control Systems), which are suitable for implementing the requirements of the Cybersecurity Act, but also on innovations from the Eurosmart Working Group, to which Bureau Veritas contributes.
The challenge is to provide smart, accessible verifications while ensuring a level of security that is tailored to the product’s functionality. “Some assessments, as provided for by the certification scheme based on ‘Common Criteria’, may take anywhere between 50 and 200 days, which is just inconceivable for most of our clients,” says Philippe Sissoko. “The aim is to find ways to adapt the assessment requirements and techniques in order to speed up certification and manage its costs. This is why we have, for example, worked alongside the CEA-LETI to develop an automated system for detecting known vulnerabilities in certain interfaces of connected objects. With this tool, we can now carry out a first-level cybersecurity test on a connected object as we perform our traditional interoperability or electromagnetic radiation tests.” That is enough to speed up the building of a climate of trust and usher in the next wave of connected objects.