Scary but true: the state of IIoT Security in Electronics, Part 2
Sector-level benchmarking of IIoT cybersecurity capabilities
In Part 1 of this series on IIoT security, we looked at the current state of IIoT adoption and related cybersecurity concerns by electronics sector. Part 1 provided valuable, sector specific, content exclusive to The Future of Electronics, as an insider view into the paper “Electronics Industrial IoT cybersecurity: As strong as its weakest link.”
To allow you to benchmark your own performance, we are providing specific detailed charts on the sectors. The IBM Institute for Business Value (IBV) partnered with Oxford Economics to survey 700 industrial and energy executives in 18 countries. These executives are responsible for the security of their companies’ IIoT deployments and “Electronics Industrial IoT cybersecurity: As strong as its weakest link” is a report on the 269 electronics firms that participated. Our research shows that electronics companies are aware of the cybersecurity risks and are working to manage their security spending accordingly. However, they are less clear on the combination of IIoT cybersecurity capabilities — skills, controls, practices and protective technologies — required to secure their current and future business from IIoT threats.
This is Part 2 of the series on IIoT Security. Here we address the effectiveness of electronics companies’ existing IIoT cybersecurity capabilities by providing more exclusive detail : a view of how each sector is performing on key IIoT cybersecurity metrics.
Exclusive: special reporting on industry subsectors
Unless companies have a quantifiable method of assessing the effectiveness of their cybersecurity capabilities, they can’t hope to understand how well or poorly their IIoT cybersecurity capabilities are performing or how much they need to improve. That’s where our benchmarking comes in — it allows executives to:
- Understand how they are performing
- Compare this performance with peers in the industry, region, company size etc. (or relative to a target the organization has set)
- Quantify the improvement they can hope to achieve
- Identify the areas that will deliver the most benefit
- Build business cases to justify the improvements
- Prioritize and select appropriate initiatives to achieve them.
When we collected and analyzed response data, we identified a group of early leaders that are in the top quartile of performance on 3 KPIs:
- Percentage of known IIoT vulnerabilities addressed by security controls.
- Cycle time to discover/detect IIoT cyber- security incidents. This excludes dwell time (the time between a successful intrusion and its discovery).
- Cycle time to respond to and recover from IIoT cybersecurity incidents.
By sharing the actual levels of performance on these metrics, together with the level of security spending, we hope to provide electronics companies with a basis for comparison and an opportunity to identify areas where they can focus improvement efforts.
Performance combines three metrics: cost, cycle time and efficiency/ quality. This “performance triangle” must be considered together with the organization’s capabilities to get a complete understanding of effectiveness/ performance. We surveyed the deployment maturity of 44 security controls, technologies and practices that can be applied to protect IIoT deployments. Let’s start with how companies rated their own maturity of IIoT cybersecurity capabilities:
Chart 1: Maturity of IIoT Cybersecurity capabilities
Chart 1 shows a continuum of IIoT cybersecurity capabilities, and we see the nascent state of the domain across electronics subsectors. Semiconductor device manufacturers are most mature: 69% have moved beyond simply investing in IIoT cybersecurity capabilities. By contrast, only 29% of appliance manufacturers are at this point.
The following charts depict sector-level performance on cost, cycle time and efficiency/ quality KPIs.
The first metric we will look at is detection and response times. The best way to think about this is in two phases:
Phase 1: Before Detection: There is often a period of time, known as the “dwell time,” between a successful intrusion and when it is discovered by an organization. This can be a number of months. (According to the M-Trends 2018 report by Mandiant, a Fire-eye company, the global median dwell time is 101 days.)
Phase 2: After Detection: Once the organization has detected the intrusion, they can contain it and limit the damage.
Charts 2 and 3: Detection, Response and Recovery. Charts 2 and 3 are concerned with Phase 2. They show the times that electronics companies take to discover/detect, respond to and recover from IIoT cybersecurity incidents. (This is over and above the “dwell time”)
The median value represents the midpoint value in the distribution. This is the level at which half of respondents perform below and half perform above. The benchmark is the 80th percentile in the distribution. This is the level at which 80% of the respondents perform below and 20% perform above. The charts highlight that once electronics companies detect the challenge, they are responsive. Yet, the difference between the benchmarks and the medians shows much room for improvement.
Chart 2: Cycle Time from Detection of an Incident to Establishment of its Scope (after dwell time)
Chart 3: Average cycle time (in calendar days) to respond to and recover from IoT cybersecurity incidents. This process begins once an incident has been detected and scoped. It includes activities to remove the threat and restore the affected systems to their pre-incident condition; testing, monitoring, and validating affected systems, and restoring operations.
You have to take these two together — so for instance, in medical device, it’s a difference between 25 days and 4.4 — a magnitude of 5x. In semi-conductors it’s 13 versus 7. In this case, moving closer to the benchmarks is how quickly you can act to mitigate damage.
Chart 4: Percentage of known IIoT vulnerabilities addressed by security controls.
Addressing known IIoT vulnerabilities with security controls is a logical place to start when protecting IIoT deployments — they are “low hanging” fruit from a security perspective. Yet benchmark performers have addressed at most 50%. When you are only addressing half of the known vulnerabilities — the things hackers know about — it’s akin to leaving your car doors open and the keys in the ignition. At the median, appliance manufacturers have addressed only 10%. This means that 50% of appliance manufacturers have addressed less than 10%. Security patches and running the most updated software is your best bet here. Taking machines, lines or plants down to address these needs is not always efficient but clearly better planning or scheduling is needed to prevent risks.
Chart 4: Cybersecurity cost as a percentage of IT cost. (The portion of the total annual IT cost used to protect or defend the use of cyberspace from cyber-attacks).
In general, for cost metrics, the benchmark value is shown as “Less is better”. However, this may not always be the case: when we look at the maturity of electronics companies’ IIoT cybersecurity capabilities (on average, very low) together with the level of performance on KPIs (not very strong), it would appear that companies may not be spending enough on cybersecurity. Each organization is different and it may be that in some cases, more spending may be better.
Appliance manufacturers are a good example. In Part 1 of this series, we highlighted that appliances show an IIoT spend driver profile well aligned to their risks. When taking a closer look, their benchmark and median spending is lower than that of the other segments, but their performance on KPIs is weaker and their IIoT cybersecurity capability maturity is lower. Taking a limited view can be misleading — it is important to evaluate performance across multiple dimensions to get a clear picture.
Electronics companies were fast to adopt IIoT, but now need to be equally fast to address security for that IIoT. As our research shows, IIoT cybersecurity capabilities are in the early stages of deployment. Yet, there is a fast path available. We’re happy to provide more detail on how to close gaps and reach a safer path forward. (Reach out — we love it when you do!)
In our next and last installment , we address the nine essential practices that will allow you to better protect your plants, assets, people and data.
Read the full report here http://www.ibm.biz/electronicsiiot
Look out for:
Electronics Industrial Internet of Things (IIoT) Cybersecurity Part 3: A deep dive on the 3 areas where leaders differentiate by sector, where we will discuss the extent to which where each sector has deployed the associated IIoT cybersecurity practices.
Connect to the authors: Lisa and Cristene
Get more perspectives on Cybersecurity:
Also check out our other report on Warranty Management — the unsung hero of dropping money to the bottom line
And finally, the C-Suite study detailing the IoT opportunity: Reinventing the Enterprise with Intelligent IoT
