We are surrounded by discussions of the benefits of future technology: smart cities and new services that will ease our commutes and improve our work lives, and sensor-laden smart homes that will ease our day-to-day chores through the Internet of Things (IoT).
In many ways, though, that future is already here on a much larger scale. The IoT helps direct the industrial control systems (ICS) that generate and transmit electricity, guide the mixing of reactive substances at chemical plants, and direct automated assembly lines at manufacturing plants, among other examples.
With the benefits of these sector-shifting ICS comes the need to ensure proper levels of cybersecurity in order to protect against the risk of cyberattacks. Central to that effort is making the proper investments in encryption and creating the proper policy environment for it. Software.org: the BSA Foundation released an issue brief today on encryption’s vital role in ICS.
The efficiency, connectedness, and productivity that ICS provide place them at the forefront of our critical infrastructure. From the manufacturing to the energy sectors, such systems continue to rapidly expand and evolve. But the involvement of ICS in critical infrastructure means that we must now work harder to ensure that our infrastructure is safe from cyberattacks and malicious adversaries.
We must guard against a repeat of something like the December 2015 hack of Ukraine’s power grid. In that attack, hackers uploaded malicious firmware to devices used to transmit operator commands to and from substation control systems. Once the devices were under the hackers’ control, it would have been impossible for operators to address any damage remotely. The attack was unprecedented and served as a warning for all nation states: this can happen to you.
In 2016 alone, the Department of Homeland Security’s ICS Cyber Emergency Response Team responded to 290 cybersecurity incidents across sectors. Critical manufacturing was targeted most often, followed closely by communications and energy. Many ICS deployed today are built to last decades rather than years, and many were built before the emergence of current cyber threats. Additionally, many ICS devices built today fail to include fundamental security features or may not enable these by default.
To address these issues, we must use cryptographic techniques like encryption and authentication. Encryption is important to ICS in deploying cryptographically signed updates and patches. For devices that may not be able to support encryption, advances like lightweight cryptography offer an alternative. But for these options to be viable, continued investment, research, and development in encryption is essential.
Proper authentication is important because it enables components and devices to communicate exclusively with authenticated components and devices. Strong authentication solutions rely on the same cryptographic systems and algorithms that also power encryption.
Making these systems as secure as possible is in everyone’s best interest: government, industry, and consumers. All sides need to work together to develop not only the best technologies, but also the proper standards for hardening our infrastructure against attack today and going forward in the IoT-enabled world. Fortunately, collaborative efforts aimed at ensuring online protections are underway. The Charter of Trust, signed recently by IBM, Siemens, and other corporate leaders, is one example: it aims to ensure confidence in the digital world through a proper focus on the essential elements of cybersecurity. Key among those elements are access management and encryption.
The charter and other partnerships between government and industry are essential to creating an environment where encryption research can flourish and the promotion of strong encryption can be a universal goal for protecting ICS.