By Jalal Bouhdada
Four words have guided the practice of Western medicine over the last two and a half thousand years. The phrase “first, do no harm” has become an unwritten law throughout the healthcare sector, highlighting how a physician should be certain they won’t make a patient worse off through their actions.
This needs to be the mantra adopted by firms developing solutions for the Industrial Internet of Things (IIoT).
The benefits of IIoT technology are undeniable. We’re now well into the age of Big Data, where business value extracted from a myriad of connected sensors and devices via cloud computing, analytics and artificial intelligence (AI) within industrial processes is well understood. GE Digital even predicted 46 percent of the global economy can benefit from efficiencies, performance and productivity driven by the IIoT.
While chasing the benefits of IIoT technology, however, it is imperative we “first, do no harm.”
The last two years have been object lessons in the challenge of unforeseen consequences of digitization. From the political damage of personal data harvested illicitly from social media networks, to the potential for patient harm caused by ransomware attacks on healthcare providers, the lessons are clear: We cannot reap the benefits of the fourth industrial revolution without accepting and protecting against cyber risks.
IIoT Device Risk
Since the IIoT revolution, we have seen and identified first-hand multiple vulnerabilities in various IIoT devices deployed into industrial environments such as water, oil, gas, chemicals and manufacturing plants. These vulnerabilities include potentially allowing attackers taking over a device to issue arbitrary commands.
The even more serious consequence of increased IIoT deployments is we have witnessed the blurring of boundaries between operational technology (OT), which controls the physical hardware of an industrial enterprise, and information technology (IT).
This is down to the understandable desire to improve remote monitoring and data gathering from industrial control systems (ICS) and OT, but providing network access to these systems has led to too many instances in which systems designed for monitoring, control and safety of infrastructure have become exposed to Internet-based attacks. This could potentially create opportunities for criminal networks and state-sponsored attackers to disrupt critical infrastructure within industrial processes for commercial or political gain.
We don’t believe we should roll back progress in IIoT. The merging of OT and IT is inevitable. What we do believe is security should be a business enabler, not a grudge purchase or after thought.
Industrial facilities can and should, however, be taking steps to mitigate the risks of IIoT solutions. Adopting industry best practices will protect against the increased security risks and aid with the increasing burden of compliance they face.
But what are those best practices? To help businesses identify and counter the threats inherent to IIoT, here is a minimum six-point checklist which is fundamental for basic security when designing and implementing IIoT products.
1. Secure interfaces: Insecure interfaces can result in data manipulation, loss or corruption, lack of accountability, denial of access or complete device takeover.
2. Software and firmware integrity: It is crucial IIoT devices perform updates regularly to protect against the latest threats, and that cryptographic checks are implemented to ensure these come from a trusted source.
3. Access control: Strong passwords, the protection of credentials and separation of roles must be ensured to prevent compromising the device or user account.
4. Network services: Only necessary ports should be available and exposed. Insecure network services may be susceptible to a variety of attacks, including denial of service rendering a device inaccessible.
5. Backdoors: It should go without saying no IIoT device should have undocumented backdoors or hidden functions an attacker could exploit.
6. Security configuration: Attackers often exploit a lack of granular permissions to access data or controls. Security hardening, encryption of data in transit and logging security events can counter this.
What’s truly important, though, is these six points are considered right at the start of the planning process. Manufacturers, end customers and integrators must all adopt a “secure by design” mindset that anticipates and mitigates potential threats at every stage in an IIoT product’s lifecycle.
Combined with strict lifecycle management regimes and regular, constant testing, these six points should give firms the security, safety, reliability, resilience and privacy controls needed to deploy IIoT solutions effectively.
“Secure by design” is our equivalent of the medical practitioner’s “first, do no harm”. If we cannot say with absolute certainty all six points on our checklist have been fulfilled, we cannot say for certain an IIoT solution will not be exploited to put other systems at risk.
Jalal Bouhdada is founder and principal ICS security consultant at Applied Risk. He has over 15 years’ experience in ICS security assessment, design and deployment with a focus on process control and industrial IT security.