By Gregory Hale
Talk about the Industrial Internet of Things (IIoT) is at a fever pitch not seen in the industry in a long time, if ever, but what users and vendors alike need to understand is that security needs to be a major part of the discussion – and it appears it is not.
There can be great advantages if IIoT ends up properly implemented, but there is great danger if it is done wrong.
IIoT products are hitting the market at such a rapid pace that there is now a smart version of just about anything going out. With IIoT, the hope is that users have matured enough to realize that added intelligence and connectivity should come with added security.
“Vendors of the products for mainstream controls companies have spent a lot of time and effort trying to figure out how to secure their PLCs, DCSs or drives,” said security controls expert Eric Byres. “Now we have all these other little ‘things’ makers and security is not even on their radar. They are probably good product engineers and they have a product and they are making them an IIoT product by putting in a chip, an Ethernet interface and a web server, and they say, ‘we now have an IIoT product.’ In my experience, they say, ‘security, what security?’ For security, they say the client should keep it off the Internet. They take a product and try to make it an IIoT product and security has not even come into their wheelhouse.”
That all comes back to thinking about security from the outset. In the rush to get to market, no one is thinking about security.
“Nobody stopped to think about the impact,” Byres said.
Going to Market
If the marketing hype is to be believed, there has been a rush to get to market, and that could end up being an issue within the industry if users don’t force “things” suppliers to ensure a secure product.
“I believe the original intent was to make IIoT mean it was an industrial system which encompassed reliability and security, amongst other things,” said Graham Speake, CSO at Berkana Resources Corp. “While some companies might be designing systems to meet these goals, the drive to get new and innovative products out the door is often causing the additional engineering needed to produce a secure solution to be shortened or curtailed altogether. Often the need to be seen in this (IIoT) space as a leader is more important to companies as they know the sales cycle can be long and features (such as security) are often perceived as being able to be added if the end user demands them.”
That means IIoT right now could be a security runaway train.
“IIoT is something that is being adopted regardless of security,” said Yoni Shohet, chief executive of SCADAfence. “It is being adopted because it saves these industrial companies money. Whether these architectures or networks are secure or not is not relevant to decide if they will adopt or not. They will adopt. The question is how well will they secure them after they adopt.”
The good news is that the level of security awareness is higher than it has ever been, so users understand the talk about securing their systems at the plant and over the Internet.
“Vendors supply basic security, but it is not enough. It is also the people and organizations adopting the products. It needs to be a combination of both. It is about having the right people and right policies on the job for IIoT security,” Shohet said. “We are seeing an increase in IIoT products that increase productivity regardless of the level of security. I don’t think there are a lot of companies that will stop an integration that can save them a lot of money because they think it is not secure. It is part of an awareness of potential risk. I think they understand the risk at a very basic level.”
The interesting thing about the IIoT is all the mini devices that were not intelligent until recently; security for those devices is different. They end up using unsecured protocols. They have a small amount of software, and they have processors and a tiny amount of memory. If security ends up built in, then there is no problem, but if it is not, there will be cases where an attacker can end up manipulating a room’s lights remotely over the Net. That was a real vulnerability: a researcher recently discovered that a hotel room’s lights, controlled by an Android tablet, were running the Modbus control protocol, which doesn’t use authentication controls. After finding the IP address the tablet was using, the researcher was able to take over his room’s controls.
While the IIoT hype has ramped up, the actual technologies behind it have been around the industry for quite some time, as intelligent control devices have been interconnected. Look at the smart grid. The challenge comes when a user ends up tying all this connectivity, data collection and intelligence to things like cloud services, and this connected network of things that once lived well within the confines of the company’s network is now a part of the Internet. That means the attack surface just skyrocketed.
“IIoT is in many ways already part of the industry and has been for the last decade,” Byres said. “After all, what are all those RTUs and IEDs in substations and on utility pole tops if not ‘Smart, Interconnected Things?’ What are all those EtherNet/IP drives and sensors? The big change/threat is in:
1. The number of new and different ‘things’ being integrated, especially from vendors traditionally separate from the actual control functionality
2. The scale of the interconnections
3. The attention industry is now getting from ‘bad actors’ like the people responsible for the Ukraine blackouts or Dragonfly
“All these changes require a different way of looking at ICS security, instead of the obsolete bastion model (aka ‘electronic security perimeter’ in NERC CIP) particularly popular in power industry security regulation today. When your ‘security cameras’ tunnel through your firewalls to connect to a site in China, it has to be 100 percent certain your control network is not ever connected to the Internet.”