The Internet of Things (IoT) can be regarded as the intelligent networking of a global infrastructure comprising a wide variety of devices that fulfil all kinds of functions (e.g. temperature sensors, cars, loudspeakers, machines, etc.). As a result of this intelligent networking, it is now possible to link up physical and virtual resources so they can interact with each other. Moreover, the resulting opportunities mean that actions can be automated and information compiled for further processing.
The terms Industry 4.0 and operational technology (OT) combine the fourth industrial revolution with the use of new technologies and technical possibilities, where “Industry 4.0”[1] is the umbrella term for a new industrial world in which machines are connected with each other and networked with modern information and communications technology (ICT). Digitalisation is increasingly linking up the different worlds and architectures of classic business information technology (IT) and OT.
Whereas classic IT is used to process information, OT steers physical industrial manufacturing and logistics processes. This combination of highly critical OT systems (e.g. nuclear power stations) and IT systems that are exposed to the Internet creates new risks and potential for harm. The challenges associated with overcoming these are large and demand fresh approaches.
The new technologies and comprehensive interconnection of OT and IT will drive major progress in business, government and civil society, and open up new potential applications and innovative business models, provided we manage the associated risks appropriately and systematically.
The use of new technologies is widely known to harbour specific risks. Linking up physical and virtual processes into an extensive network increases the security risks and the potential extent of damage, by virtue of the substantially larger attack surface and the growing importance of OT and IT for value creation. A successful attack on an IoT device can have a direct impact on the real-world/physical environment, causing a power cut, crippling a piece of medical equipment or damaging industrial installations, for example. This trend is driving up security requirements, for example as regards secure data communication and storage. The need for stronger security is at present often either not recognised or deliberately ignored (e.g. in domestic use of the IoT) in the desire to get a low-price, pseudo-innovative (“smart”) device onto the market as quickly as possible. This situation generally means that device security and user privacy cannot be adequately guaranteed. The market has failed to provide an adequate security standard for consumer IoT (products for domestic use).
It should also be noted that the focus in the industrial environment is firmly on safety (i.e. accident avoidance) and not primarily on security (e.g. protecting against attack). Furthermore, OT devices in particular are designed for service lives of several decades, because they are often deployed in extremely exposed environments where the physical stresses are high. By comparison, other intelligent devices, such as smart tags, are replaced after just a few months, depending on circumstances. This very broad spectrum of requirements and environments has to be taken into account to ensure that sufficiently secure end-to-end systems are developed and integrated in all cases.
The EU has responded to the growth in security risks from “products with digital elements” by introducing a new Cyber Resilience Act (CRA)[2]. Approved by the European Parliament in spring 2024, the CRA is a cybersecurity testing regulation that sets minimum security standards for products. It compels manufacturers to follow specific product development and support processes and applies to all companies that manufacture, import or distribute any product with a digital element that is available in the EU. After a transitional period, full compliance with the CRA is likely to be required from mid-2027. Switzerland’s National Test Institute for Cyber Security (NTC) commenced operations in mid-2022. The NTC identifies and tests products for weaknesses in a bid to reduce the cyber risks associated with them. Quality testing by neutral bodies has long been an established part of product authorisation in other critical industrial sectors, such as medical technology.
As mentioned at the outset, the IoT and OT can be broadly divided into three categories:
As a result of this division, there is a different action area for each category. The poor awareness of the need for security shown by some manufacturers of smart devices, as well as the naive approach some users have to their devices, need to be addressed through the following action areas:
Adopt international standardisation and corresponding device certification, especially as regards security, to increase transparency (which manufacturers are certified?) and security (e.g. security/privacy by design). Use this as a basis for a regulation to impose an adequate level of security. This must be implemented across the whole of at least one major economic area (e.g. the EU) to achieve an impact on the major manufacturers.
Continue to pursue user awareness initiatives to constantly increase mindfulness of the need for security.
Research into IoT security, particularly methodologies and architectures, to guarantee security over short periods of use (e.g. of devices with 12–36-month service lives).
Growing interconnection in OT presents a challenge for all sectors of the economy, since it involves not only the integration of new systems, but also the interconnection of existing (old) systems. The sheer diversity of the systems to be interlinked, which also have fundamentally different safety, availability and service life requirements, makes suitable, implementable, end-to-end security architectures (e.g. zero trust[3], micro-segmentation) indispensable.
Add greater depth – including technological depth – to awareness campaigns (highlight significance of OT) to prevent the potential spread of shadow IT. This will involve modifying existing IT processes and interfaces to suit.
Research into OT security, particularly methodologies and architectures, to guarantee security over very long periods of use (e.g. 30-year service lives).
Create and circulate an overview of the current situation and future developments in the IoT and of the best practices that exist (existing standards and frameworks).
Drive forward detailed research into IoT/OT security so that new methodologies and architectures can be used to guarantee continued security in heavily heterogeneous environments.
Create and standardise minimum standards for IoT/OT and use corresponding regulations to enforce them. Cooperation with the relevant bodies in the EU would achieve a bigger impact.
EN IEC 62443 – Industrial communication networks – Network and system security, ISA standards: https://www.isa.org/intech/201810standards/
SATW blog, Testing the security of networked devices: https://www.satw.ch/de/cybersecurity/die-sicherheit-vernetzter-geraete-pruefen/
National Test Institute for Cyber Security (NTC): en.ntc.swiss/
Umberto Annino, Microsoft | Martin Leuthold, Switch | Daniel Walther, Swatch Group Services
Endre Bangerter, BFH | Alain Beuchat, Banque Lombard Odier & Cie SA | Matthias Bossardt, KPMG | Daniel Caduff, AWS | Adolf Doerig, Doerig & Partner | Stefan Frei, ETH Zurich | Roger Halbheer, Microsoft | Katja Dörlemann, Switch | Pascal Lamia, BACS | Hannes Lubich, Board of Directors and Consultant | Luka Malisa, SIX Digital Exchange | Adrian Perrig, ETH Zurich | Raphael Reischuk, Zühlke Engineering AG | Ruedi Rytz, BACS | Riccardo Sibilia, DDPS | Bernhard Tellenbach, armasuisse | Andreas Wespi, IBM Research