The threat of cyber attacks to critical industrial Internet of Things (IoT) technologies has risen to a near crisis level and is driving more global industrial titans to band together. Recently, Cisco, Dell, oil & gas multinational Total, and testing and certification firm TÜV SÜD joined the Charter of Trust, an initiative spearheaded by Siemens.
The charter now boasts 16 members and is likely to add more. Its lofty goals are threefold:
- Protect the data of individuals and companies
- Prevent damage to people, companies, and infrastructure
- Create a foundation for trust in the digital world
To reach these goals, members have also agreed to 10 principles that range from taking responsibility for securing the supply chain to focusing on user centricity to working with governments. Perhaps the most important and practical principle is the establishment of mandatory independent third-party certifications for critical infrastructure and IoT solutions. While that sounds good, the details are skimpy.
Reasons to Worry
There are clear reasons for corporate leaders to be worried and motivated to act. A study among cyber risk managers in the US oil & gas industry found 68% had experienced at least one security breach in the last year, resulting in the loss of confidential information or operational technology (OT) disruption. A different survey of IT security professionals found that 85% foresee a cyber attack on critical infrastructure taking place in the next 5 years. Then there is the sobering message from the US Department of Energy last year that said the electricity system faces “imminent danger” from cyber attacks, which are growing more frequent and sophisticated.
But one wonders how Siemens’ initiative is any better than, or substantively different from, Microsoft’s call for a digital Geneva Convention, or the more recent Cybersecurity Tech Accord. Yes, the Microsoft push leans more toward discouraging government or state-sponsored hacking. But both companies are focused broadly on cybersecurity and the myriad threats to individuals and corporations.
So which company should we trust, and will these efforts actually work? As Sasha Romanosky, a former cyber policy adviser in the Pentagon’s Office of the Under Secretary of Defense for Policy, says, the firms joining Siemens’ charter might have noble goals, but not all companies have the same incentives. For example, some firms might place a greater priority on environmental concerns, health issues, or child labor. The threat from cyber attacks might not be as important to some companies, and without widespread participation and a closer alignment of goals, the dangerous level of cyber threats will persist.
These doubts are not raised to discourage efforts to prevent cyber attacks. In fact, a recent Navigant Research report, Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem, recommends grid operators and other enterprises set up a comprehensive cybersecurity plan and use it. But how many broad initiatives are really going to make a difference? The Industrial Internet Consortium (IIC) has its Industrial Internet Security Framework. Germany’s Industrie 4.0 has a working group focused on security. In the US, NIST has its own program for IoT cybersecurity.
I’m all for serious steps to thwart the bad guys. But count me skeptical until we see demonstrable evidence that these initiatives, alliances, and frameworks are making a difference in keeping data and processes safe. It is hard to be otherwise when some companies and governments are known to skirt the rules to their advantage.