Jennifer Lachky-Busch, 25.07.2023, 6 min.

Cybersecurity: New security standards for IoT devices


  1. Cybersecurity is addressed in the EU Directive 2014/53/EU. As of August 2024, the extension of the so-called Radio Equipment Directive (RED) will oblige higher standards of IoT devices. What does this mean in concrete terms for manufacturers, distributors and integrators of IIoT solutions?
  a. The Cybersecurity Improvement Act has already come into force in the USA in 2020. Accordingly, manufacturers of IoT devices must comply with new security standards and regulations. How do these standards differ from the innovations in the EU?
  2. What special challenges do networked systems such as the smart factory pose for security officers?
  3. How can we protect industrial and manufacturing facilities even better against cyber attacks in the future?
  4. With KontronOS, Kontron AIS guarantees a reliable security system for embedded hardware devices. What is special about KontronOS?


Interview with Michael Jacob - General Manager at Kontron AIS GmbH

Michael Jakob of Kontron AIS in an interview on the convergence of IT and OT

In the cybersecurity sector, IoT devices are commonly considered a critical security risk. Much like smart-home endpoints, which are often poorly secured or not secured at all, manufacturing and industrial facilities sometimes have major gaps in IT and OT security. According to a 2022 study by Trend Micro, 90 percent of German companies in the power, oil and gas, and manufacturing sectors said they had been affected by cyberattacks within 12 months, with an average damage of about 2.9 million euros.[1]

Most often, such attacks aim to extort the affected company. Equally, however, plants could be driven into dangerous states, causing massive personal and environmental damage. As the interface between information technology (IT) and operational technology (OT), IIoT (Industrial Internet of Things) solutions must therefore be secured without gaps at the boundary between the two worlds.

At EU level, the cybersecurity requirements of the Radio Equipment Directive (activated by Delegated Regulation (EU) 2022/30) therefore become applicable from August 2024. From then on, a manufacturer may only affix the CE marking to radio-connected IoT devices if conformity with these cybersecurity requirements has also been demonstrated. The Cyber Resilience Act, which is intended to extend comparable requirements to products with digital elements in general, is still in the legislative process. In the USA, the IoT Cybersecurity Improvement Act was already passed in 2020.

In this interview, Michael Jacob, General Manager at Kontron AIS GmbH, explains what the new cybersecurity guidelines mean for manufacturers, customers and users. 

[1] https://resources.trendmicro.com/IoT-survey-report.html


1. Cybersecurity is addressed in the EU Directive 2014/53/EU. As of August 2024, the extension of the so-called Radio Equipment Directive (RED) will oblige higher standards of IoT devices. What does this mean in concrete terms for manufacturers, distributors and integrators of IIoT solutions?

It essentially means that IIoT solutions will have to comply with security-related requirements from August 2024. For example, devices must have adequate security features to prevent or defend against cyberattacks. This includes, for example, encryption, authentication and access control. So before IoT devices can be sold starting in August 2024, compliance with these requirements must be demonstrated through a conformity assessment. It is the responsibility of manufacturers, distributors and integrators to ensure that their IIoT solutions comply with the new requirements in order to avoid legal consequences and maintain customer confidence in their products. This includes the updated Network and Information Security Act, NIS 2 for short, which will apply from October 2024. Also, due to the increasing cyberattacks on the vast majority of EU companies over the past three years, the EU has adapted the NIS guidelines and published NIS 2. NIS 2 is currently being implemented in national law and industry-specific requirements. These requirements will become mandatory in the EU from October 2024 (ETSI EN 303 645 and NIST 8259A), e.g. for the medical, transport, industrial and other digital services sectors.


a. The Cybersecurity Improvement Act came into force in the USA in 2020. Accordingly, manufacturers of IoT devices must comply with new security standards and regulations. How do these standards differ from the innovations in the EU? 

The Cybersecurity Improvement Act places particular emphasis on the security of IoT devices used by the U.S. government. These devices must meet the government's security requirements in order to be approved for use in the relevant agencies in the first place. The EU directive, on the other hand, applies to all IoT devices regardless of where they are used.

Another difference is the level of transparency. In the U.S., manufacturers must fully disclose what software and firmware is installed on their devices and how long they will continue to be supported. This is intended to enable security gaps to be identified and rectified quickly. In the EU, on the other hand, the main focus is on the security of IoT devices in general.


2. What particular challenges do networked systems pose for security officers?

The challenges are very diverse and range from the essential design of the IoT components themselves to their maintenance:

1. Complexity: Networked systems are often very complex and consist of many different components that communicate with each other. This makes it difficult for security officers to identify vulnerabilities and implement the necessary security measures.

2. Interoperability: Networked systems often need to communicate with other systems and devices. The resulting security gaps can be exploited by attackers. Security measures required here could make interoperability more difficult.

3. Data Integrity: Systems process large amounts of data originating from various sources, a major point of attack for manipulation of any kind. To avoid this or other malfunctions, it is very important to ensure that data to be processed is correct and trustworthy.

4. Access Control: Typically, different people have access to networked systems and data. To prevent unauthorized actions, different access levels and permissions must be considered in system design.

5. Cyberattacks: Networked systems are vulnerable to cyberattacks, which can come from outside or inside. Security measures such as firewalls, intrusion detection, and encryption must be used to defend against and prevent them.

6. Human Error: The main problem is still human error. Insecure passwords or faulty configurations remain the biggest security risks for networked systems. Training and policies for employees can help minimize errors and need to be firmly embedded in organizations.

7. Maintenance and Updating: Networked systems must be regularly updated and maintained in order to close security gaps and ward off new threats. Appropriately implemented processes and procedures ensure that the systems are always up to date.


3. How can we better protect industrial and manufacturing facilities from cyberattacks in the future?

Despite major risks, we have a whole range of measures at our disposal.

A good starting point is always a comprehensive risk analysis that identifies vulnerabilities in the IT infrastructure of industrial and manufacturing facilities and points out suitable protective measures. Another aspect is functioning physical and digital security concepts. This starts with points such as access control and encryption and extends to authentication (e.g., two-factor authentication) and monitoring. 

Awareness training and guidelines for employees should also be firmly embedded in companies to provide necessary knowledge and skills to detect and defend against attacks. Network segmentation, which limits attacks to a specific subnetwork so that they cannot spread to the entire system, also helps to minimize potential risks.

Also essential: regular updates. It is important that all systems and software in industrial and manufacturing facilities are regularly updated to close known security gaps for attackers. Regular penetration tests help to uncover vulnerabilities in the IT infrastructure. Replicated attacks with derived patterns of known attack methods are ideal for deriving further suitable protective measures.


4. With KontronOS, Kontron guarantees a reliable secure operating system for embedded hardware devices. What is special about KontronOS?

KontronOS is a highly secure Linux-based operating system that has been specially developed for use in industrial environments and provides access to the open Internet. Our focus is on the highest level of security ("Security First") through continuous development and maintenance. The system integrates proven measures to safeguard against cyber risks from the outset and is subject to regular assessment processes to ensure security at all times.

Our unique approach includes not only proactively securing the system, but also establishing mechanisms to capture and detect acute cyber risks through CVE scans. This enables us to provide short-term patches to address risks and continuously improve security. Especially for large device fleets, we recommend KontronGrid, our centralized management tool. It enables timely deployment and fully automated rollout of security updates to entire device fleets to ensure consistent security levels. KontronGrid is the ideal complement to KontronOS and provides all the necessary administration and monitoring capabilities.

KontronOS is more than just an operating system. It is a long-term promise of comprehensive cyber risk protection throughout the operational lifetime of your IIoT devices. In doing so, we also comply with current and future EU regulations, the importance of which is increasing in the industry. Another advantage of KontronOS is its flexibility. It is not limited to Kontron's scalable standard IIoT device fleet. Rather, customer-specific hardware systems can also be brought to the same high level of security with specific adaptations. Thus, customers with individual or customized systems benefit from our security promise and our bundled know-how.
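The "CVE scan" step mentioned in the answer above, as an added illustration that is not Kontron's code and says nothing about how KontronOS or KontronGrid implement it: a device's installed package list (the kind of data an SBOM or a dpkg/opkg listing provides) is matched against a vulnerability feed, and a package is flagged when its installed version is older than the version in which the advisory says the issue was fixed. The package list, the advisory entries, the placeholder CVE identifiers of the form CVE-0000-000x and the simplified Debian-style version ordering are all constructed for this example; a real scan would read the device's package database and a live feed such as the Debian Security Tracker or the NVD, which this code does not contact.

```python
"""Match an embedded device's installed packages against a CVE feed.

Added example (not Kontron's code). The sample SBOM, the advisories and the
CVE-0000-000x identifiers are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    # Installed versions strictly below fixed_in are affected.
    # None means no fixed version has been published yet, so every
    # installed version counts as affected.
    fixed_in: Optional[str]
    severity: str


def parse_version(v: str) -> tuple:
    """Split '1:1.2.3-4' into (epoch, upstream parts, revision parts).

    Assumption: a simplified Debian-style ordering. Numeric runs compare
    as integers and alphabetic runs as strings, so '1.10' > '1.9' and
    an epoch outranks everything after the colon. Good enough for a
    demonstration; a production scanner should use the distribution's
    own comparison rules.
    """
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.partition("-")

    def split(s: str) -> tuple:
        parts = re.findall(r"\d+|[A-Za-z]+", s)
        # (0, int) sorts before (1, str) so the tuple comparison never
        # has to compare an int with a str.
        return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

    return (epoch, split(upstream), split(revision))


def is_affected(installed: str, adv: Advisory) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    if adv.fixed_in is None:
        return True
    return parse_version(installed) < parse_version(adv.fixed_in)


def scan(sbom: dict, feed: list) -> list:
    """Return one finding per (package, CVE) whose installed version is affected.

    Packages that are not installed on the device are skipped; results are
    sorted by package and CVE so repeated scans produce stable output.
    """
    findings = []
    for adv in feed:
        installed = sbom.get(adv.package)
        if installed is None:
            continue
        if is_affected(installed, adv):
            findings.append({
                "package": adv.package,
                "installed": installed,
                "cve": adv.cve,
                "severity": adv.severity,
                "fixed_in": adv.fixed_in,
            })
    return sorted(findings, key=lambda f: (f["package"], f["cve"]))


# Constructed sample data: versions as a dpkg/opkg listing would report them.
SAMPLE_SBOM = {
    "openssl": "1.1.1k-1",
    "busybox": "1:1.35.0-2",
    "dropbear": "2022.83-1",
    "zlib": "1.2.13-1",
}

# Constructed advisories with placeholder identifiers (not real CVEs).
SAMPLE_FEED = [
    Advisory("CVE-0000-0001", "openssl", "1.1.1n-1", "high"),    # older than fix: affected
    Advisory("CVE-0000-0002", "openssl", "1.1.1k-1", "medium"),  # installed == fix: not affected
    Advisory("CVE-0000-0003", "busybox", "1:1.36.0-1", "low"),   # epoch-aware compare: affected
    Advisory("CVE-0000-0004", "dropbear", None, "high"),         # no fix yet: affected
    Advisory("CVE-0000-0005", "libcurl", "7.88.1-1", "high"),    # not installed: ignored
]


if __name__ == "__main__":
    for f in scan(SAMPLE_SBOM, SAMPLE_FEED):
        fix = f["fixed_in"] or "no fix published"
        print(f'{f["package"]} {f["installed"]}: {f["cve"]} ({f["severity"]}), fixed in {fix}')
```

The interesting cases are the ones a naive string comparison gets wrong: a version equal to the fix is clean, an epoch prefix changes the ordering entirely, and an advisory without a fixed version must still surface so the fleet operator can decide on mitigation rather than silently waiting for a patch.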

About the author

As Portfolio Manager IoT, Jennifer Lachky-Busch has been responsible for the strategic development and marketing of the kontron susietec® toolset since 2021. On the susietec® blog she deals with current trends, informs about product news and answers exciting questions around the topics IIoT and Industry 4.0.
