October 2020

34 | September/October 2020 | www.smartmachinesandfactories.com | INTERVIEWS & REPORTS

too often contain latent vulnerabilities, like Urgent/11 and Ripple20, or varieties of Y2K-like architectural defects. We don’t want to simply point out these challenges, but once again take the lead in securing Industry 4.0 by offering concrete guidance for design, coding, verification, and ongoing maintenance, along with tools to scan and block malicious and vulnerable code.”

According to the research, the industrial automation world may be unprepared to detect and prevent the exploitation of the issues found. It is therefore imperative that the industry start embracing and establishing network-security best practices and secure-coding practices, which have been updated with industry leaders as a result of this research. Trend Micro Research has worked closely with the Robot Operating System (ROS) Industrial Consortium to establish recommendations that reduce the exploitability of the identified issues.

“Most industrial robots are designed for isolated production networks and use legacy programming languages,” said Christoph Hellmann Santos, Program Manager, ROS-Industrial Consortium Europe. “They can be vulnerable to attacks if connected to, for example, an organisation’s IT network. Therefore, ROS-Industrial and Trend Micro have collaborated to develop guidelines for correct and secure network set-up for controlling industrial robots using ROS.”

Mitigation Strategies for Protecting Industrial Systems

SHORT-TERM MEASURES
Use network segmentation to isolate machines that need to process data coming from other networks.
Adopt network and endpoint protection to minimise the risk of vulnerability exploitation or malicious code infection.
Implement proper source code management processes, including automatic or periodic manual source code reviews.
MEDIUM-TERM MEASURES
Develop security libraries (for example, cryptographic primitives) that allow developers to easily implement input validation and authentication.
Provide a reference implementation of motion servers so that machines receive sanitised motion data in a high-level way.
Implement proactive patching of vulnerable task programs as a remedy for flaws found in periodic source code reviews.

LONG-TERM MEASURES
Ensure that future generations of programmable industrial machines are secure by design, mainly by integrating security features into programming languages.
Implement fine-grained privilege separation with a permission system in the runtime on machines’ controllers.
Implement code signing to make certain that the code running on an industrial machine has not been tampered with.

Head in the Clouds

Smart home devices and their apps represent a major weak link in the corporate cybersecurity chain as the lines between work and home life have increasingly blurred. Trend Micro’s Head in the Clouds study surveyed more than 13,000 remote workers across 27 countries to find out more about the habits of distributed workforces during the pandemic. It reveals that 39% of workers use personal devices to access corporate data, often via services and applications hosted in the cloud. These personal smartphones, tablets and laptops may be less secure than corporate equivalents and exposed to vulnerable IoT apps and gadgets on the home network; for example, more than one third (36%) of remote workers surveyed do not have basic password protection on all personal devices.

“The fact that so many remote workers use personal devices for accessing corporate data and services suggests that there may be a lack of awareness about the security risks associated with this,” says cyberpsychology expert Dr Linda K Kaye.
More than half of global remote workers have IoT devices connected to their home network, 10% using lesser-known brands, the study revealed. Many such devices have well-documented weaknesses such as unpatched firmware vulnerabilities and insecure logins. These could theoretically allow attackers to gain a foothold in the home network, then use unprotected personal devices as a stepping-stone into the corporate networks to which they are connected. The research also revealed that 70% of global remote workers connect corporate laptops to the home network. Although these machines are likely to be better protected than personal devices, there is still a risk to corporate data and systems if users are allowed to install unapproved applications on these devices to access home IoT devices. There’s an additional risk to enterprise networks post-lockdown if malware infections picked up at home are physically brought into the office via unsecured personal devices at organisations with bring-your-own-device (BYOD) practices.
