Industrial IoT Security: Cyber Security Implications for IT-OT Convergence
In June 2017, two information security firms researching the 2016 hack of the electricity grid in Ukraine announced that they had identified the malicious code used to shut down power stations and leave thousands of households and businesses in darkness for several hours. The malware used to target the Kiev power grid has been named "Industroyer," and it serves as a sobering reminder about the dangers faced by the Industrial Internet of Things (IIoT).
The IIoT is a business technology concept also known as Industry 4.0. In essence, the IIoT is a massive network of internet-connected devices and sensors that collect and transmit data by means of communications protocols that improve business processes such as scalability, productivity and operational efficiency.
As an emerging technology that shows considerable promise, the world's biggest tech firms are investing significant time, effort and money in terms of IIoT research and development; we are talking about Intel, AT&T, Cisco, Bosch, and General Electric. The current phase of IIoT development is tied to Big Data collection and analysis that executives can use to understand how their companies are performing and to improve their operations.
There is no question that the IIoT is a great value proposition that companies should be adopting. However, there are also some major security concerns that need to be addressed. Each and every IIoT device could be an entry point or attack vectors for malicious hackers to explore. The security aspect of IIoT is immature at best; new devices are routinely manufactured, distributed and installed without proper security measures, and this contradicts the "safety first" philosophy of industrial sectors such as manufacturing.
Incidents such as the Kiev power grid takedown have prompted tech giants such as IBM, AT&T, Cisco, and General Electric to form the Industrial Internet Consortium, a group that published an Industrial Internet Security Framework in late 2016; the goal is to establish a set of best practices, guidelines and protocols to promote IIoT security.
Notwithstanding this effort, there is an overall expectation by security experts that IIoT attacks are highly likely. At the 2016 Black Hat USA conference, security research firm surveyed professionals in attendance about their feelings on the state of the IIoT, and 96 percent stated that they feel attacks are imminent. More than half of respondents believe that they are not prepared to handle attacks.
The Need to Integrate OT and IT in the IIoT
One of the issues affecting IIoT development and widespread development is the disconnect between operational and informational security. What is currently lacking is a convergence of Operational Technology (OT) and IT.
OT refers to the hardware, firmware and software that either monitor or control processes and activities in the industrial sector. One example of OT would be internet-connected temperature sensors, thermostat controls and smart locks found at many buildings these days. In essence, OT is used to facilitate and control operational business factors.
IT is the data-centric process that has revolutionized all business sectors. The security of cloud computing and office networks is managed and developed by IT researchers and technicians.
In recent years, the lack of convergence between OT and IT has been observed in the enterprise world as businesses install internet-connected sensors and devices that lack security standards such as certificates and root of trust protocols. While security has significantly matured for business networks with new developments such as hardware firewalls, content access security and remote backups, many IIoT devices ship with default username/password combinations that are often shared by malicious hackers in the same online forums where zero-day exploits are discussed. If anything, many hackers who operate in the underground brag about their IIoT prowess and present evidence of infrastructure attacks as a badge of honor.
In the past, industrial networks used to be closed off from the internet and were protected by strict physical security measures. However, the growth of the internet is pushing the industry to seek greater internet connectivity for the purpose of taking advantage of Big Data analytics, automation, remote control and other advanced features. The problem with this trend is that the lack of OT/IT convergence provides malicious hackers with more opportunities to find and exploit security holes.
IIoT Security Challenges
The manner in which IT is changing OT can be described as a series of growing pains in terms of security. Network connectivity can be applied to devices used in industrial settings, and manufacturers often apply off-the-shelf technology to IIoT devices and sensors. Up to now, IT has been data-centric and has not developed with OT in mind.
Without IT/OT convergence, the industrial sector can be affected by the same IoT security issues recently experienced in the smart home automation realm, whereby household devices are left open and unsecured. Whereas in the past IT managers had to worry about attacks coming from company laptops or smartphones that have been compromised, these days they have to worry about attacks originating from HVAC systems connected to enterprise networks.
An Abundance of Attack Vectors
As the situation stands, many of the best practices, protocols and standards keeping the IT world safe cannot be effectively applied to the OT world. As previously mentioned, every thermostat, smart lock, IP camera, and machinery sensor can be considered to be an attack vector that is vulnerable for the following reasons:
1. Outdated Systems
As seen in the Stuxnet attack against nuclear plants in Iran, legacy control systems can be vulnerable when they are not compatible with current IT security practices. The Supervisory Control and Data Acquisition (SCADA) protocols targeted by Stuxnet were running outdated software that had not been patched in years. Many OT devices are running on software that has not been updated or patched in the last 10 years. Moreover, some devices feature custom configurations developed in a proprietary manner that may seem esoteric to some technicians. Root of trust, identity protocols and security certificates can appear to be alien concepts to recent IT graduates and developers.
2. Increased Security Stakes
OT connectivity means that industrial devices are vulnerable to the same attacks perpetrated against IT systems, but these devices do not enjoy the same protection as office networks and their vulnerability could have some very serious implications.
On one hand, a law firm having to deal with a data network that has fallen victim to a ransomware attack can be handled as a business setback; on the other hand, bringing Kiev to a standstill by shutting down power plants for hours is something that has very serious implications. This is of particular concern with telematics devices being installed in vehicles; a future IIoT nightmare scenario would be an attack against the self-driving systems of autonomous cars. Without IT/OT convergence, there are real and physical risks that cannot be understated.
3. Sophisticated Attackers
If the current IT threat environment is any indication, malicious hackers are becoming increasingly sophisticated in terms of developing tools and coming up with new attack techniques. Stuxnet and Industroyer are just two examples; another issue that can be added to the list of concerns is the 2017 leaks of cyber warfare weapons developed by the United States National Security Agency, which were used to deploy the WannaCry ransomware attack against public health and transportation systems. This particular incident actually forced the temporary suspension of operations at plants operating by Nissan, Renault and Honda.
4. IT/OT Accountability
Traditionally, IT and OT teams have not worked together. In recent decades, corporate culture has developed in a way that gives IT departments considerable autonomy that ultimately insulates security experts from other sections of an enterprise business.
Enterprise IT security experts and technicians are rarely familiar with OT systems. In the case of technicians who maintain legacy control systems, they may not be familiar with current IT security protocols. Even if the convergence of IT and OT teams is forced today, there would be a major learning curve to confront.
5. Productivity Risks
This is a threat that strikes fear deep in the hearts of industry leaders. A cyber attack that shuts down a manufacturing plant completely could bring about a major economic loss, but an even more dangerous situation would be a strategic attack that degrades quality control steps and goes undetected. This could result in defective and faulty products that could end up injuring end users.
In the end, IT/OT convergence is a serious challenge in the enterprise world because it goes beyond technological issues. ITOT security should not be treated as an afterthought. IT and OT teams must work together to learn from each other. Here are two worlds that have traditionally worked and developed separately, but they are essentially obligated to collide at this time. This means changing workplace philosophies and rethinking corporate culture. A common goal must be shared between the IT and OT communities, and the ideal goal should be security.
Josh McAllister is a freelance technology journalist with years of experience in the IT sector. He is passionate about helping small business owners understand how technology can save them time and money. Find him on Twitter @josh8mcallister
Visit this page to know about our technology for industrial IoT or SCADA system. Alternatively, if you'd like to get an assessment of the architecture and security of your industrial IoT solution, contact us.
Data encryption tool for GDPRMore information
You Might Be Interested in Reading These Articles
The Real Impacts of General Data Protection Regulation (GDPR) to EU Companies That Operate Mobile Applications
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Because of the broad definition of “personal data”, GDRP impacts almost every EU company, as well as non-EU companies that exchange data with them. The regulation takes effect in May 2018, which is still a long way in the future, but the complex requirements mean that companies need to start planning and taking action now.
Published on December 06, 2016
Security Researcher Filip Chytry: Online Security Is an Unattractive Topic - until People Get Hacked
I studied at Applied Cybernetics school and worked on various fields: robotics, networks and programming. There I got curious about security and became increasingly passionate about the industry, trying to learn more about cyber crime and attempting to hack into my classmates‘ computers for fun.
Published on August 20, 2015
Mobile app startup companies are notorious for cutting corners. One of the first things that is cut is security. After all, they have the big guys like Comcast, AT&T, and Verizon to protect mobile users, right? Wrong! All the way down the line. TechCrunch's article about security for mobile devices is an interesting theory on the state of security on the Internet. Although, they do hit the mark in the article about how companies fix the problem after the fact of the security breach.
Published on January 13, 2015