Industrial control systems (ICS) do the heavy lifting -- sometimes literally -- needed to keep modern societies running. These are the systems that keep water pumping, power generating and factories running: they are the unsung heroes of our modern industrial age.
Until recently these pieces of software have toiled away in obscurity, but increasingly they are being connected to networks -- either local ones or the internet.
Connecting up ICS can have big efficiency benefits because it can make that expensive industrial infrastructure easier to manage: a machine that can warn factory bosses it is about to break down is much more useful than one that just stops working. As a result, a significant chunk of the billions of devices networked as part of the Internet of Things (IoT) will be these industrial systems.
But networking these systems also opens up new security risks: once something is on a network there is a danger it can be accessed not only by the right people, but also by the wrong ones too.
And while a sewer water pressure monitor control system might not seem like an especially tempting target for most hackers, there are intruders that might find ICS a very attractive target.
Such systems can hold some of the most important industrial secrets that an organisation has, which makes theft of intellectual property one compelling motive. And the capability to shut down a chemical plant or railway by meddling with its internal processes would be a coup for terrorists or state-sponsored hackers: indeed it's highly likely that a variety of state-backed hackers are currently probing a wide range industrial control systems just in case such access is ever needed.
All of which means that securing these workaday systems has suddenly become a high priority. A virus that corrupts a few hard drives is irritating: an attack on a control system that shuts down an energy grid is a potential national disaster.
Who is managing Industrial IoT security?
This is the first problem. Because the IoT bridges the physical and digital worlds, it doesn't fit into the usual management boxes. The IT department will (or at least ought to) look after the security of the organisation's computing infrastructure, but what about the IP-connected air conditioning, or the office door-entry system, or the robots in a factory production line? These require a very different set of skills, which the IT organisation may well not have.
Industrial IoT can pose some of the biggest risks because many of these systems toil away with little human control, which means it's harder to spot if something is going wrong. That means security professionals will have scale up their vigilance to protect perhaps a thousand times as many devices as they did before. "Traditional security models and controls such as network segmentation, application security assessments, and basic device management will crumble under the scale and complexity strains of IoT," warns analyst Forrrester.
In many cases it's the office facilities or engineering teams who run those systems, but these teams may not have IT security as a top priority (or even on their to-do list).
Just because it can be connected to the internet, that doesn't mean it should be. One of the fundamental questions about Industrial IoT is why something should be online in the first place, and what level of access is appropriate. These are risks that need to be quantified and managed at a high level in the organisation, perhaps by the CIO or the CFO: the UK government has a Security for Industrial Control Systems framework that sets out some of the best practice in this area.
The basics of security go a long way
There are plenty of different industrial control systems, but the fundamentals of security remain the same: keep systems patched and up to date. One complication here is that many control systems will have been designed (and perhaps even installed) before the advent of the internet. Upgrading is hard, even if possible, which means that locking down network access as much as possible will be a priority. Understanding who has access to these systems, and how the have access, is key to securing them as they may be vulnerable through corporate VPNs, poorly configured firewalls or even database links.
The US Industrial Control Systems Cyber Emergency Response Team (US ICS-CERT) expains the best practice thus:
"Organizations should isolate ICS networks from any untrusted networks, especially the internet. All unused ports should be locked down and all unused services turned off...Organizations should also limit remote access functionality wherever possible. Modems are especially insecure."
Lock down access as much as possible, and in the case of industrial systems keep them on a separate network to the standard corporate network, because hackers will find it much easier to gain access to the latter (by social engineering or phishing) and then attempt to jump from there into the industrial systems.
"Modern networks, especially those in the control systems arena, often have inherent capabilities that are deployed without sufficient security analysis and can provide access to malicious actors once they are discovered. These backdoors can be accidentally created in various places on the network, but it is the network perimeter that is of greatest concern," warns ICS-CERT.
It's also important to consider how systems are connected, and the potential knock-on effects -- potentially beyond the organisation -- if one system was offline due to hackers.
"An ICS may be interconnected with other systems, such that failures in one system or process can easily cascade to other systems either within or external to the organization. Impact propagation could occur due to both physical and logical dependencies," warns the US National Institute of Standards and Technology's Guide to Industrial Control Systems (ICS) Security.
Another feature of the Industrial IoT is a variety of sensors that may be outside of a company's immediate control -- those in customers' homes or other remote sites, for example. These can also provide an opportunity for hackers to access corporate systems and are very hard to secure.
"The biggest hurdles facing device and endpoint security are the volume and complexity of devices that will become part of the massive IoT ecosystem. Current limits on scale will be tested as the IoT device explosion occurs, and the complexity of diverse hardware, firmware, operating system, and management techniques will make it nearly impossible to have a unified security solution for all IoT devices," said analyst Forrester in its 'An S&R Pro's Guide To IoT Security.'
Faced with such a range of devices to secure or at least to monitor, cloud based security is likely to become the default option, for example cloud-based public key infrastructure services for device authentication.
A strong focus on the network is going to be key to building a robust security framework: analyst Gartner predicts that one-third of all IoT security spend will go on network segmentation and isolation.
IoT security is still at a very early stage with a number of small vendors focusing on niche areas around the network, or encryption or authentication. Over the next few years these are likely to be snapped up by big vendors who are working on their own roadmaps. However, those organisations keen to take advantage of the benefits of the IoT, without compromising security, could be in for a bit of a wait.