Knowing What’s Inside Smart Production Equipment

IT experts are calling for a Software Bill of Materials (SBOM) for equipment software.

On food or drug packaging, lists of ingredients are mandatory, and ingredients can even be traced back from the manufacturer to the producer. Industrial control and production systems, and devices such as routers, network cameras and printers, contain firmware with operating systems and applications, yet users usually learn little about the software components inside them. For companies that use these controls and devices, this opacity often means a considerable risk of attack by hackers and data thieves.

For this reason, 75 percent of IT industry professionals and executives are in favour of a “Software Bill of Materials” (SBOM) for all components, according to Onekey’s “IoT Security Report 2022”. “Virtually all devices connected to a network contain hidden flaws in the firmware and applications, so an accurate content statement of software components is extremely important for a company’s IT to verify and maintain security levels,” says Jan Wendenburg, CEO of Onekey.

Manufacturers neglect security

There is therefore little trust in the security that manufacturers build into IoT devices: 24 percent of the 318 people surveyed consider it “not sufficient”, and another 54 percent at most “partially sufficient”. That’s why hackers have had their eyes on vulnerable devices for some time now – and the trend is rising. 63 percent of IT experts confirm that hackers are already misusing IoT devices as a gateway into networks.

Companies in particular have little confidence in the security measures surrounding IoT: only a quarter of the 318 respondents believe that their own IT department ensures complete security, while 49 percent see it as only “partially sufficient”. And 37 percent of the IT professionals surveyed for the IoT Security Report 2022 have already experienced security-related incidents with endpoints other than conventional PC clients.

Unclear responsibilities in companies

Another risk: industrial control systems, production facilities and other smart infrastructure endpoints have often been in use in a company for more than ten years. Without compliance strategies, companies often have no update policies. In addition, responsibilities are unclear: a wide variety of executives are responsible for IoT security, from the CTO to the CIO, the Risk & Compliance Manager to the IT Purchasing Manager. In 21 percent of the companies, external consultants even take over the purchasing of IoT devices and systems. The simplest security control - analysing and testing the included firmware for security vulnerabilities - is, however, carried out by only 23 percent.

“This is negligent. An examination of the device software takes a few minutes, and the result provides clear information about the risks and their classification into risk levels. This process should be part of the mandatory programme before and during the use of endpoints - from routers to production machines,” says Jan Wendenburg.