What Companies Need to Understand About Cybersecurity
By MBN Staff | Tue, 05/24/2022 - 13:01
A: I co-founded CyberIIoT five years ago to provide cyber-risk analysis to the industrial IoT world. Everyone talks about Industry 4.0 but the reality is that Industry IoT will become the new standard. My definition of Industry IoT is manufacturers, organizations and the government working together in a new ecosystem and what that will look like. There are many consultancies that provide enterprise services, where Wi-Fi is the main network system, but we are thinking beyond that. An example is the eventual arrival of 5G in Mexico and what will happen when it becomes fully deployed in factories and universities, which will be the main stakeholders where 5G will be implemented.
Q: What variables should be considered before the 5G transition occurs in Mexico?
A: The risks related to 5G will be new; they will be different from those we are used to. Understanding those risks requires a joint effort among the regulator, which in Mexico is the Federal Institute of Telecommunications (IFT), the operator, the equipment and solutions providers and interested parties, such as clients, which will be industries. Mexico will see an explosion in everything that has to do with industry control systems. I will propose to the IFT the creation of a reference framework in which we will start structurally analyzing all of the risks related to cybersecurity, security and privacy. If we do not do this, we will face a great many problems because this cellular network will handle an excess of corporate data on a large scale. As regulators, IFT could establish this framework. From there, the National Institute for Transparency (INAI) could take up the necessary work in the absence of advanced innovation and technology centers.
Q: What are some of the common misconceptions regarding cybersecurity?
A: Cybersecurity is a marketing buzzword right now but, really, it is a strategy. It is how you calculate, quantify, differentiate and accept a risk in cyberspace to prevent attacks. That’s why it is so important at a company level to understand cybersecurity. Some think that installing antimalware is enough but if we do a risk analysis, its participation is minimal in defining an indicator or a risk quantifier. Sometimes, it is important to have teams in place, which might require an investment for training, or we may need to activate security controls to be able to mitigate or reduce the risk. Security is related to three pillars: confidentiality, availability and integrity of data. How am I going to address that triad through controls? Those controls are already written in the new actualization of the IC2701 2022 as the US Department of Homeland Security established 18 critical controls. They are the norms regarding multiple controls for every industry. Our regulator for privacy is INAI. It establishes these controls to preserve integrity. All of that is part of my strategy to contain risk. We analyze all of the risks related to security controls and determine what I have to fulfill in terms of security. Then I form my strategy. That is cybersecurity.
Some companies have a security accord but do not fulfill it because of a lack of good risk management. The consultation we offer involves audits and diagnostics relative to the technology and industry.
Q: How will 5G make IoT more accessible to the industrial sector?
A: With 4G, two-use pathways opened and through its evolution to 4.5G, there is already consideration for lines for IoT communication through a very early version called NBO, or narrow-band IoT, but it was not successful because it is a bit expensive and the environment was not ready for it. IoT has been managed through frequency networks but Wi-Fi continues to be more common. The deployment of mass IoT, which is a mass case for 5G in the two modes of standalone and non-standalone, will be focused on smart factories or any industry that has multiconnections, sensors or assembly arms that are already utilizing 5GS and 5GNS. There is now a model with cellular networks and with 5G. These types of networks will help with security because you will manage your own internet traffic. If you leave your region, you can then connect to the public network. But there is a new advantage because it will no longer rely on 4G or 4.5G. As far as business and supplementation goes, 5G will be friendlier. Some US airports are complaining about 5G interfering with their communication waves but this really is not a 5G problem or the frequency it uses but, rather, that some airports and control towers have not updated their background software. They now have six months to actualize their technology.
Q: What can companies do to prepare themselves in the face of cybersecurity trends?
A: For companies in general, I recommend first that they prioritize their activities. This means the tangible, intangible, supply chain, all of the infrastructure, employees, suppliers, clients and users. They should prioritize and create a critical risk analysis based on their business. Next, they need to establish a risk management program, including industry standard and investment indicators. Their risk management program should be agile, with agile methodologies.
The last link is to ask, “I had a risk, how do I recover?” A term I like is mesh-cybersecurity, which is a type of innovation that creates better web links with your users and can monitor them or manage their risk quicker and more efficiently. It is an organizational methodology for cybersecurity because there are so many options that don’t know how to respond and recover, which then ruin the program.
CyberIIoT (cybersecurity for Industrial IoT) is a scientific consulting services company that offers security architecture, risk analysis and cybersecurity maturity assessments.