CEO of The Cyber Scheme Charles White writes about the influence of Industry 4.0 and how we need to ensure smart technology doesn’t create life-threatening problems alongside the solutions it provides.
“I’m fortunate to know a bit about OT / ICS / IoT or whatever label you want to use today.
In 2017 the company I founded, Information Risk Management (IRM) was acquired by Altran, one of the largest Engineering Research and Development companies in the world with 48,000 employees and 2.9Bn Euro in revenues.
Altran could pretty much count every vehicle, aviation and advanced manufacturer on the planet as clients. Partnership with the Renault F1 racing team and a commitment to the Solar Impulse project, development of the altitude control system for the European Space Agency’s Ariane 5 rocket and the design of the Météor autopilot system for the first automated subway line for the Paris Metro all highlighted the core ER&D (engineering research and development) capabilities.
Why am I telling you this? We were acquired because Altran knew the seismic shift that was happening as Engineering (them) met IT (us). The Fourth Industrial Revolution (Industry 4.0/the digital revolution as it has become defined), was evolving exponentially and Altran were all too aware of how critical OT / ICS / IoT cyber security was to become to each and every one of their clients.
Today we accept and expect the evolution of driverless vehicles, autopilot, connected devices, remote medical apparatus, robotics; the list is endless. And yet how secure are these things? We know the answer is often not very – not necessarily because there is a design flaw, but often because the required speed from idea to POC (proof of concept) to manufacture is mere months. Capturing the market with the latest amazing IoT thingy is imperative; ensuring OTA (over the air) updates are baked into the design stage less so.
I see the growth of IoT security as the growing realisation that we need to return the POC back to the design stage and move security higher up on the executives’ agendas, bearing in mind manufacture is being scaled to meet demand at an unprecedented level. Can we scale safely and securely?
As noted in this excellent article in the Guardian newspaper our vehicle manufacturers face a daily battle with serious and organised crime to counter the attack vectors being thrown at their designs. And the crime gangs can move a lot faster than a globally sourced international production facility.
So here we see the necessity of the disciplines of engineering, production engineering, health and safety, IT architecture, design, security and innovation all converging. If I’m honest, it’s unlikely design engineers will become IT architects, security testers production engineers or cyber risk consultants suddenly turn into health and safety experts … that’s why as Altran identified 7 years ago we need blended teams with skills across the spectrum of engineering, IT and security to build, maintain and develop fully secure innovative products.
And that’s why I’m writing this article. We must collectively see this is as a significant market opportunity, an opportunity for engineers to learn about cyber security and how threat actors operate and for the cyber security community to learn an entirely new “engineering” environment.
IRM and Altran are very much in my past. My focus now is on how The Cyber Scheme, which represents much of the cyber security testing industry, can support our community by innovating and developing leading edge skills.
Our CSII IoT/ICS course has been developed to give seasoned testers a good understanding of IoT and ICS environments; you’re not going to sit the course and find yourself leading an advanced manufacturing security review, but you’ll have a significant start on the learning ladder.
As we develop plans with key industry partners and The UK Cyber Security Council, we will look to expand the training path to facilitate advanced technology and techniques and we will create alongside the UK Cyber Security Council recognition of Chartered Status for individuals who wish to specialise in this area.
For the moment if your organisation is providing ICS / OT / IoT services or has clients within the ER&D space I’d suggest you look at the CSII training course or get in touch with us to learn more”.