S4x23 Review Part 4: Cybersecurity for Industrial IoT

March 31, 2023 TH Author Trend Micro Research : Articles, News, Reports, Trend Micro Research : Compliance&Risks, Trend Micro Research : Cyber Threats, Trend Micro Research : Exploits&Vulnerabilities, Trend Micro Research : ICS OT, Trend Micro Research : IoT, Trend Micro Research : Security Strategies

Bellotti said first that we should start with the realization that legacy technologies are successful technologies. Legacy technologies remain because they are usable and important. They are the foundation for other systems therefore it has a significant impact when they are changed. But people believe in some myths of modernization.

First, the technology is regarded as old. It doesn’t matter if the technology is new or old.

For example, Python is older than Java, and LISP is older than COBOL. What really matters is whether it is still being developed, can provide security patches, and be integrated into modern protocols. We should beware of Shiny Object Syndrome, that new attractive words make us overlook existing values.

Second is rip and replace legacy systems. This is one of the riskiest migration plans. We need to see how easy it is to roll back the old system if the new technology doesn’t work as expected. The purpose of modernization is to add new value. But rewrites consume a lot of time and money to give organizations what they already have. It also includes engineering and operations retraining/onboarding. New values should start small and accumulate gradually, based on Minimum Valuable Product (MVP) rules.

Third is the migration to COTS, SaaS, and the cloud. COTS and SaaS are good options when you have a common problem that many other companies hack. On the other hand, the more you customize COTS, the less stable it becomes. Managed infrastructure is best when you can do it without economies of scale.

However, be careful with putting everything in one stack and vendor lock-in. Low/no code is great if you’re dealing with an internal service with a limited number of users, but it generates a lot of “junk code” that slows down performance and contain vulnerabilities.

She said technology is about people. Technology is to solve problems by people, for people, not the purpose itself. Problems caused by ignoring operations cannot be solved by replacing technology.

It is important that organization’s leaders understand operational excellence and know the resources required to meet the performance goals of the system. In that case, modernization is the best strategy for improving in the right way, rather than just replacing “old” technology with “new” technology. We should set goals based on evaluating and monitoring existing systems, define problems, and make investment decisions on where to spend money and time.

Similar organizations may have different problems. As organizations grow, their maturity and strategies change. The tradeoffs in an organization change all the time. Remember, there are many trade-offs in technology, and improving one characteristic degrades another important one. Teams that can identify value versus investment trade-offs excel at modernization to avoid unnecessary re-write and migration.

Challenges Of Using IEC62443 For IIoT
Ryan Dsouza, AWS, Principal Industrial IoT Security Solution Architect

IEC62443 is a series of Industrial Automation Control System (IACS) security standards, consisting of a total of 12 documents in four categories: general, policies and procedures, systems, and components. Since 2002, the committee has started deliberating on ICS security, and IEC62443 has been referred to in many industries.

Dsouza, a solutions architect at AWS with over 25 years of digital platform and IIOT experience, discussed the future of OT security through the establishment of a new certification program of IEC 62443.

You May Also Like

Revisiting 16shop Phishing Kit, Trend-Interpol Partnership

Trend Micro Partnering with Bit Discovery

Security Resources Now on AWS CloudFormation Templates