A new report from Trend Micro concludes, based on years of analysis, that fundamental design flaws have created serious cyber vulnerabilities in many widely used industrial products. According to the report,
“We believe that this legacy technology, which is intrinsically difficult to replace, has not been discussed and scrutinized in depth from a cybersecurity perspective. Most of the security analyses thus far have focused on finding and fixing vulnerabilities in the software, not in the design, or else on one, specific target. The design issues that we found broadly affect critical sectors where industrial machines are essential, most notably automotive, avionics, military, food and beverage, and pharmaceuticals.”
These vulnerabilities have allowed hackers to inject malicious code into software that has then been pushed out to many of the world’s largest industrial companies, such as ABB, Mitsubishi and others.
Part of the challenge with industrial automation platforms is that they are built on legacy technologies that, unlike modern products such as smartphones, were not based on security by design. This is what makes the problems particularly difficult to fix.
As industrial companies accelerate digital transformation throughout their businesses and supply chains, this report is a reminder of why security needs to be at the core of these decisions. Vulnerabilities that reside within the software code that increasingly drives industrial processes, including automation, don’t just threaten data loss; they can disrupt operations, with potential life-and-death consequences and much larger financial risks for the firms involved.
We also have an idea of what good transformation looks like in the sector versus bad transformation. An examination of Honeywell, a 5-Star rated company, versus 1-Star GE provides concrete examples of how important security and the effective adoption of digital technology are for the business and ultimately its market performance.
As large legacy industrial conglomerates, both Honeywell and GE face similar sector challenges outlined in this report. But they have managed them very differently, and this has implications for every sector their products touch. As the GE report points out, its persistently poor cyber governance performance is a problem not only for GE but also for the global supply chain that it is a part of.
Investors and regulators all have a stake in how industrial companies manage these challenging issues as the shift away from legacy technology systems to digitization continues to gather pace. Moving forward, security-by-design, rather than the detection and resolution of vulnerabilities, must be the default.