Lax security measures could spell doom for Indian firms as 5G rolls out

With the rollout of 5G drawing near in India, security experts are warning Indian firms to improve their cybersecurity posture. Industry stakeholders say that while many firms are looking to deploy internet of things (IoT) sensors, smart infrastructure and smart factories, doing so also opens them up to more cyberattacks, unless security is taken care of side-by-side. 

“The increased use of industrial internet of things (IIoT), smart sensors, mobility solutions, connected devices or robots in shop floors are making these facilities prone to more and more sophisticated cyber-attacks,” said Clifton Menezes, executive vice president, India Head, Group Portfolio at Capgemini.  

Menezes noted that vulnerabilities in these devices can compromise the entire system of a company.

Similarly, Yogesh Zope, chief information officer (CIO) and chief digital officer (CDO) at forging company Bharat Forge, noted that no manufacturer can ignore 5G’s potential for greater competitiveness and new revenue streams, but warned that it requires new approaches to security in the smart manufacturing industry.

“As more and more sensor-based devices are added to the network, hackers will be able to use a compromised device to infect other devices in an internal network,” he said. 

Menezes was concerned that most facilities are unprepared to deal with the growing number of cyber threats against them. A June report by Capgemini said that 84% of Indian security experts were unable to respond effectively to cyberattacks in their smart factories and manufacturing locations. In fact, more than half acknowledged that the number of cyberattacks will likely increase over the next 12 months.  

IBM’s latest Security X-Force Threat Intelligence Index, published in April 2022, also showed a lack of preparedness among security experts in smart manufacturing facilities in India, due to decades-old legacy systems. Over 45% of the attacks occurred due to unpatched vulnerabilities, the study said. 

In the 5G era, and especially in smart factories, companies tend to integrate the networks running operational and information technology — OT and IT. OT networks traditionally interacted with machines in factory floors, and other devices, whereas IT networks manage data — voice, transactions etc. Integrating the two means a hacker could exploit one by breaking through the other. 

This is usually done to deploy phygital experiences, where interactions happen between digital and physical aspects of a company. For instance, banks are looking to reduce brick-and-mortar branches in favour of more tech-driven interactions.  

For instance, earlier this month, Singapore’s DBS Bank told the Press Trust of India (PTI) that it aims to grow in India using a phygital model, by merging digital and physical capabilities. Similarly, mattress brand The Sleep Company, opened a phygital store earlier this month.

“OT systems have traditionally worked in complete isolation from the enterprise network and traffic. The transition from isolated industrial control systems to a fully converged environment, allows any existing cyber threats in the IT environment to move laterally into the OT environment if the convergence is not designed and implemented properly posing major risks for smart manufacturing companies,” said Menezes.

He added that machines in factories are “built to last” but are legacy systems that were part of the plant and do not connect with the outside world. Hence, they typically incorporate few security features and cannot be upgraded because of proprietary designs or protocols, unlike IT that relies on mobile and cloud technologies that are modernised and upgraded frequently, said Menezes.

Existence of older platforms is one of the key ingredients for the lax security among Indian firms. “Sometimes the systems are so old or they're at their end of life and patches simply don't exist, and it is these platforms that provide a lot of attack opportunities,” said Vishak Raman, Vice President of Sales, India, SAARC & Southeast Asia at Fortinet noted that a lot of older platforms and systems are still in place. 

Another reason is vulnerable supply chain partners. For example, O.A. Balasubramaniam, Director IT - electric horn manufacturer Roots Group of Companies, said that one of its suppliers had a phishing attack this year and the company was 'lured' to make an online payment (through a fake email ID of Roots) which seemed real. But before any widespread damage, they notified the Roots team which prevented them from losing around Rs 35-40 lakh.

Balasubramaniam added that manufacturing organizations should invest in cyber security management programmes including threat intelligence, vulnerability assessment, etc. that extend across their IT and OT networks. “One, they should perform a cyber security maturity assessment and have a formal cyber security governance program that considers OT as well,” he said.