Is Your Security Strategy Dumbing Down Your Smart Factory?
By Peter Fretty
As Industry 4.0 becomes the new norm, smart factories are revolutionizing the manufacturing sector. However, as manufacturers embrace these digital, data-fueled technologies, the potential exists to introduce or exacerbate cybersecurity and data privacy vulnerabilities.
In a recent paper, Indiana University Professor Scott Shackelford examines the cyber risk in the Industrial Internet of Things (IIoT), including the security implications of the smart factory revolution and the associated policy implications. Although there has been progress in some areas, including making attacks on civilian critical infrastructure like smart factories off limits, there is still much to be done. According to Shackelford, several options exist for IIoT: self-regulation and cyber due diligence, insurance, as well as proposed federal policies like the IoT Cybersecurity Act of 2017, the Consumer Privacy Bill of Rights and the Active Cyber Defense Certainty Act.
But ultimately, Shackelford argues for a polycentric IoT governance system that could be leveraged to improve critical infrastructure security and protect consumer privacy. This polycentric approach to protecting the cyber commons would involve multiple diverse organizations, both public and private, at varying levels, creating different types of policies that increase cooperation and compliance as well as enhance flexibility and adaptability over time, allowing smart manufacturing to flourish.
“Such an ‘all-of-the-above’ polycentric approach is essential to addressing governance gaps in smart factories as part of improving security and data privacy in the ever-expanding Internet of Everything,” says Shackelford. He cites the NIST CSF as an example of one such successful public-private polycentric collaboration.
The polycentric approach to IIoT is part of the broader concept of cyber peace, or the idea of the international community (individual countries and organizations) working together toward greater cybersecurity for all. “Cyber peace has the potential to link together discussions ranging from making democracy harder to hack to holding cyber criminals responsible for spreading ransomware. A whole ecosystem is needed to support this effort, including academia and civil society,” says Shackelford.
Putting the Polycentric Approach into Action
Shackelford tells IndustryWeek, “Like it or not, there are an increasing number of regulators trying their hands at IoT governance. Efforts range from imposing a ‘reasonableness’ standard on IoT security, as in California, to a new safe harbor law in Ohio, to even a products liability approach in France. Polycentric governance was conceptualized as a useful tool to better understand how to build trust across such distributed systems, including the central role played by coordination and interaction.”
Shackelford adds that a key aspect of successful polycentric systems is what are called “nested enterprises, that is, stakeholders including businesses that are empowered to help set the rules that, in turn, can ward off collective action problems like cyberattacks. The NIST Cybersecurity Framework is a great application of this notion, as is the EU’s GDPR, which includes a provision to encourage firms to create industry codes of conduct to further the goals of security and data privacy.”
The challenge to making this work? “Without interaction and coordination across multiple scales, including technical communities, business, and governments, polycentric systems can descend into gridlock and fragmentation,” says Shackelford. “It’s a tricky balance to get right. We see similar issues cropping up in the climate context given the huge number of stakeholders, diffused responsibility, and the lack of the necessary political will to get the job done. But ultimately, as with a changing climate, no nation is an island in cyberspace (however much some wish they were). We’re all in this together, and so it’s time to apply the lessons from polycentric governance, and sustainable development, to better manage this shared resource of cyberspace.”