IIoT security: Why it matters, why it needs to be much better
The Industrial Internet of Things (IIoT) sees networks of connected industrial devices working together to collect and analyse data in order to help deliver new insights and optimise business processes. It can range from the smallest sensors to large industrial equipment.
If applied correctly, it can help drive smarter, more efficient operating environments for manufacturing plants, utilities providers, power stations and more. Predictive maintenance alone could help save vast amounts in outgoing costs, while also helping critical infrastructure to run smoothly.
However, as with any IoT network, if the security of that IIoT environment is poorly implemented, it can have a drastic impact on the cybersecurity of an entire organisation, potentially providing cyber attackers with new avenues for hacking into the heart of industrial systems with damaging consequences that go well beyond data theft.
"Historically these devices would have been on an island. Nobody thought much about them, they were theoretically air-gapped and didn't connect to anything," says Eitan Goldstein, senior director of strategic initiatives at cybersecurity company Tenable.
On an IIoT network, it's possible that what was previously a separate network for operational technology -- responsible for monitoring and controlling physical devices such as pumps and valves -- could be converged with the rest of the information technology network. While this can have benefits, the risk is that critical software that once ran in its own secure environment is now linked to a broader network, creating an easier target for hackers.
The potential effect of an IIoT cyberattack isn't just theoretical: hackers have already deployed malware to industrial networks by exploiting internet-connected sensors and gaining access to cyber-physical networks, as demonstrated by the Trisis attack.
The incident saw hackers shut down industrial operations in the Middle East by targeting and manipulating Schneider Electric's Triconex safety instrumented system.
SEE: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)
It's far from the only example of attackers compromising industrial systems: hackers have previously shut off power in a region of Ukraine and US officials have warned that Russian hackers were able to penetrate several electricity and utilities stations and remote access control rooms of several suppliers.
More connectivity, more risk
These lessons of the risks of new technology have been learned before. Back in the 1990s, cybersecurity wasn't given much thought as organisations simply weren't aware of the potential threats posed by connecting PCs to the internet: industrial organisations need to follow the same path, and the first step is realising connected devices bring additional cyber risks.
"When we first started connecting a lot of IT components, we didn't really think about the security implications of that. Over the past couple of decades we've become educated, we've started to develop standards, best practices and a lot of infrastructure and policy within the industry to help manage that," says Sandy Carielli, security technologies director at Entrust Datacard, an identity and security solutions provider.
"Now you're looking at industrial applications and the people managing those systems are having to go through that same process. It's not surprising really, because it's not something they've had to deal with before," she adds.
If badly installed onto a network, IIoT devices can create additional vulnerabilities. Not only are they providing a new attack vector with the potential to be compromised, but in many cases, IoT products are shipped with poor security -- and it's common for security researchers to uncover vulnerabilities in devices that have vast numbers of users across the globe. The IIoT is still an emerging area, which means a lack of standards and a bunch of tech companies keen to get products out into the market fast -- circumstances where security often takes a back seat.
Even if patches are released for security vulnerabilities, many of these require a manual update, meaning that in some cases the devices won't receive the additional software they need.
This is gold to an attacker, because the vulnerability will have been brought to their attention as well, and they'll use search tools like Shodan to identify these devices in use around the world in the hope that they're still open to attack.
If IIoT products haven't received updates, or are still equipped with default passwords and login credentials, they provide attackers with an easy backdoor into networks that are already known to be lucrative targets when it comes to confidential data.
"A lot of the time, the hacker's mindset [when] trying to go through in these industrial IoT devices is trying to look for the weak link -- it's the easy, low-hanging fruit which bites you in the butt," says Destiny Bertucci, security networking expert at IT monitoring and management provider Solarwinds.
"You could have the most complex system in the world, but if you forget a default password or have an open backdoor with a known vulnerability, people are going to check for it," she adds.
Some of these security basics like changing default login credentials and applying patches as and when they're released can go a long way to help secure IIoT devices, the data exchanged on these networks, and the physical systems they control.
Know your network
However, in order to know when connected devices and sensors require updates, organisations need to know what sensors are installed onto the network in the first place. This could amount to hundreds of thousands of things in a large environment.
It's possible to employ software to examine the network and retrieve real-time data on what sensors and other devices are active in the IIoT environment, but for Reid Wightman, senior vulnerability researcher at Dragos, a cybersecurity company specialising in Industrial IoT networks, one of the best ways to know what's there is for those responsible for securing the network to see it for themselves.
"Walking around your process controls with some engineers and just asking them some questions is really going to reveal a lot when you say 'where does that data come from?' or 'how does that work?' The engineers realise they have a remote site that's connected which they might want to investigate," he explains.
But even if an industrial plant has data on all of the sensors, devices and internet-connected cyber-physical systems across the network, applying patches isn't as simple as it is for Windows updates and other PC software. In many cases, updates may need to be patched manually.
SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)
That's a big task on its own, but even more so when you consider many of these sensors and devices will be part of critical infrastructure for industrial environments. In some cases, it might not be possible to apply updates to IIoT devices without shutting them down -- and that might have knock-on effects for the entire ecosystem.
"With these, uptime is imperative -- it's not like an IT server that you can take down for patching. You take one of these controllers offline and you're shutting down the factory," says Adam Isles, principal at cyber security risk management advisory firm The Chertoff Group and a former deputy chief of staff at the U.S. Department of Homeland Security.
Some might view partially shutting down an industrial site to apply security patches as overkill, but the global WannaCry ransomware attack demonstrated how failing to apply patches can have grave consequences.
Segment your network
Another risk is that hackers could infiltrate an industrial environment via other devices on the network, for example, using a phishing email or deploying trojan malware to gain a foothold into a network shared by office PCs and IIoT devices. In general, IIoT devices ought to run on a separate network to the information technology which powers the rest of the organisation.
"I'm a big advocate of micro-segmentation," says Wightman, who suggests that IIoT devices and sensors that control the pumps, valves, turbines or anything else on SCADA systems should be on a completely separate network to the rest of the IT infrastructure.
"If somebody actually gets into your network, at least they can't re-program things or operate stuff," he said. Separate networks can also give companies a level of protection. "It might be years between when a patch comes out and when you apply it, so being able to implement that kind of micro-segmentation can reduce your risk," he said.
Cybersecurity isn't a new concept, but in many cases these industrial systems will never have been connected to the internet before. Those responsible for operational technology are starting from where information technology was over twenty years ago.
Fortunately, the Industrial Internet of Things is still early enough in its evolution for organisations to take on board what needs to be done, which is fortunate because failing to secure the IIoT could be absolutely devastating.
RECENT AND RELATED COVERAGE
Your smartphone is going to look a lot stranger next time around
Big, small, folding and curvy; MWC should see plenty of oddities to tempt jaded gadget buyers. But the real action is elsewhere.Nokia wants to make your IoT project easier to set up and run
Four IoT packages aim to make enterprise deployments of sensors and analytics easier.How IoT might transform four industries this year
Healthcare, manufacturing, automotive, and public sector set to see big changes.GE's new industrial IoT software business: What it means for customers
With GE's new standalone software business, the company has given the clearest signal yet that running a successful software business is very different from running an industrial conglomerate.3 things you should know about Industrial IoT (TechRepublic)
How does IIoT differ from IoT? What are IIoT's potential benefits and risks? Get answers to these questions.California governor signs country's first IoT security law (CNET)
The new Internet of Things law calls for "reasonable" security features.