The Colonial Pipeline ransomware hack cost $4.4 million in ransom and millions more in lost profits, reputational damage, and governmental scrutiny. In the wake of the attack, the rising volume and severity of cyberattacks are forcing federal agencies to incentivize cybersecurity overhauls. But behind the government’s calls for change are the struggles of industries to embrace the digital revolution.
While there are applications of data-driven automation spread across industrial sectors, these innovations co-exist with workflows that share data via clipboards and waste hours, or even days and weeks, waiting for information from partners to be captured, circulated and acted on.
A diagram of a zero-trust system.
Now, with Biden’s executive order to improve the nation’s cybersecurity posture, 100-day plan to address the security of an aging power grid, and the Department of Homeland Security’s new directive for U.S. pipelines, industries that have yet to fully adopt modern technology are being heavily encouraged to enhance cybersecurity processes and technologies to safeguard operations — a challenge that can be complex and expensive to address.
For many operations, this task feels just as difficult as it is needed. Fixing the security problems inherited from joining new and legacy equipment together (a common and often necessary approach in the industrial world) requires more than a new security solution off the rack; it requires a whole new mindset.
Security can no longer be thought of as merely a defensive tactic. Instead, it needs to be understood as the foundation for transitioning to “smart” infrastructure — a vision that’s been circulating for close to a decade now, but has grown more popular in theory than it has in practice.
The vision for a smart power grid, for instance, looks something like this:
Electric substations are managed by IoT devices that can communicate with administrators, partners and customers in real-time; various energy assets — wind, water, solar, nuclear, and fossil fuels — are all automatically blended to optimize generation and distribution; energy-intensive spaces, like data centers or large office buildings, as well as residential homes, all have smart thermostats that leverage machine learning to optimize heating and cooling, driving down costs and energy consumption.
While these ideas aren’t new, it took a series of high-profile cyberattacks to prove that this vision for a smart grid (or any connected infrastructure) is predicated on a sufficient cybersecurity posture.
For example, the only way to enable fully automatic voltage adjustments at an electric substation, or communicate in real-time with thermostats, streetlights, and office heating systems, is if those interactions are made secure. Otherwise, large-scale investments in digitizing infrastructure would create too many cyber vulnerabilities to be worth the hassle.
Now that we know that cybersecurity is an essential component of smart infrastructure, what’s next? According to Biden’s recent executive order, the security strategy that could offer an answer is a complete departure from traditional models. The directive encourages operators to adopt a zero trust architecture, the modern alternative to perimeter-based security.
You can think of zero trust as putting a lock on every door to your house, including the fridge, pantry, and microwave — with each individual family member possessing a unique access key to each location. This is in contrast to a traditional security approach, whereby regular locks, with just one master key, are placed on the front and back doors.
Within this zero trust architecture, utility administrators would give each user, device and application its own unique identity with specific access protocols. And on the off chance that a cybercriminal does get in, the system would isolate the entity and adjust its controls to prevent it from accessing anything further.
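The per-identity access and isolation described above can be sketched as a small policy engine. This is an added example, not code from the article or from any product; every identity, resource name and the denial threshold is a hypothetical value constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: identity -> set of (resource, action) grants.
# All identity and resource names are hypothetical.
GRANTS = {
    "operator:alice": {("substation-7/voltage", "read"), ("substation-7/voltage", "write")},
    "device:thermostat-112": {("building-3/hvac", "read")},
    "app:billing": {("meter-data", "read")},
}
DENY_LIMIT = 2  # assumed threshold: denied requests before an identity is isolated


@dataclass
class PolicyEngine:
    grants: dict
    denials: dict = field(default_factory=dict)
    isolated: set = field(default_factory=set)

    def authorize(self, identity, resource, action):
        """Decide one request; every request is checked, none is trusted by location."""
        if identity in self.isolated:
            return "deny:isolated"
        if (resource, action) in self.grants.get(identity, set()):
            return "allow"
        # Default deny: unknown identities and ungranted actions both land here.
        self.denials[identity] = self.denials.get(identity, 0) + 1
        if self.denials[identity] >= DENY_LIMIT:
            self.isolated.add(identity)  # cuts off even previously granted access
        return "deny"


def replay(requests):
    """Run (identity, resource, action) requests through a fresh engine."""
    engine = PolicyEngine(grants={k: set(v) for k, v in GRANTS.items()})
    return [engine.authorize(*r) for r in requests], engine.isolated


# Constructed sequence: a thermostat identity starts requesting substation controls.
SAMPLE = [
    ("operator:alice", "substation-7/voltage", "write"),
    ("device:thermostat-112", "building-3/hvac", "read"),
    ("device:thermostat-112", "substation-7/voltage", "write"),
    ("device:thermostat-112", "meter-data", "read"),
    ("device:thermostat-112", "building-3/hvac", "read"),
    ("app:billing", "meter-data", "read"),
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE, replay(SAMPLE)[0]):
        print(req, "->", decision)
```

Once the thermostat identity is isolated, even its previously granted HVAC read is refused, while the operator and billing identities are unaffected.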
Lack of granular control is precisely why incidents like the Colonial Pipeline ransomware hack can easily escalate to a point where the operation is forced to shut down, and it’s why nearly every week we see a new large-scale cyberattack cripple yet another critical operation.
With a zero trust strategy implemented to protect everything from 20-year-old systems with no passwords or encryption, to future IoT devices with digital identities, operators will begin to feel the benefits of digital transformation. They’ll experience easy remote access, efficient data sharing and convenient collaboration with partners, all resulting from a tactic previously considered purely defensive and costly.
With mandates and incentives to adopt a different approach, the Biden administration isn’t just elevating the role of security in building smart infrastructure; it’s redefining what it means to be secure. In the process, and perhaps without fully realizing it, it’s encouraging the industrial world to start a new digital revolution of its own.
— Duncan Greatwood is chief executive officer of Xage
>> This article was originally published on our sister site, EE Times.