By Gregory Hale
You can’t have any discussion with anybody in the manufacturing automation sector these days and not talk about Industrial Internet of Things (IIoT). Everyone agrees it is coming and, while security at manufacturing facility is suspect at best now, what happens when the entire Internet has the potential to come knocking at the front door?
Last Friday’s attack involving IIoT’s big brother the Internet of Things (IoT) just goes to show how people, while well intentioned, ignore any thoughts of security. While that may work in a consumer setting, with the critical infrastructure, where so much is at stake, that kind of attack cannot be taken lightly. Security awareness needs to convert to protection.
Just as a recap, Friday’s cybersecurity attack affected 80 major websites and ended up blamed on the Mirai botnet that largely targeted unprotected IoT devices, including Internet-ready cameras.
Those devices ended up used by unknown attackers to overload servers at Domain Name System provider Dyn in a Distributed Denial of Service (DDoS) attack.
“Until last week, the major concern of IoT (one ‘i’) in regard to security was how to defend connected consumer devices against attack,” said Eric Knapp, chief engineer, cyber security solutions and technology at Honeywell Process Solutions. “The use of IoT devices in a massive distributed denial of service attack turned that upside down. The introduction of insecure, Internet connected devices enabled attackers to use consumer devices that were developed with the best intentions to be used for ill purposes, and on a massive scale.”
Graham Speake, CISO at Berkana Resources Corp., agrees.
“The IoT has definitely come into the consumer market with most people having one or more devices that can fall into this category,” Speake said. “Talking to neighbors over the last few weeks, I have been amazed at how few have even considered the risks of hooking these devices up to the Internet, even when they have purchase them for security.”
While the growth of IoT far surpasses IIoT, manufacturers today need to understand what they need and what to look for as they start to implement a more connected environment.
“When looking to the IIoT, the good news is that we really are in the beginning stages,” Knapp said. “And, unlike many of the connected consumer devices that make up the IoT, the security of connected industrial devices is a primary consideration in IIoT planning and development.
“When done properly, IIoT is less about connecting devices to the Internet, and more about aggregating the information produced by devices in a manner that provides both strong business value and strong security.”
The rush to get IoT- or IIoT-enabled devices out to the market means security can either be left out or turned off. Either way, that is a problem.
“Manufacturers, even if they have good security options on their devices, will often ship these in an unsecure configuration to make it easier and quicker for companies to set them up and “assume” they will implement security,” Speake said. “This mindset will often result in these devices being set up in a low security way. Manufactures should try to ship products that will be setup and operated securely and make it more difficult to set them in the low/no security mode. Also, while there are not many device certification schemes – with ISASecure being a good, but relatively expensive one — using free/low cost security tools would be a great leap forward.”
Having a plan and understanding the security landscape is something everyone has to work on when the potential attack surface is so big.
Assume an Attack
“Manufacturing companies must assume that their Industrial IoT devices are exposed to vulnerabilities and attacks,” said Yoni Shohet, co-founder and chief executive at SCADAfence. “Therefore, companies need to define and enforce a clear remote access policy to these devices. In addition, manufacturers need to continuously monitor the internal network activity and leverage the operational nature of IIoT environments to ensure devices are not compromised and that they are operating as expected.
Shohet, though, is realistic.
“Vulnerabilities in IIoT devices are probably inevitable. Industrial vendors should keep an effective disclosure policy and be transparent with the end costumers. Beyond properly testing the devices before releasing them to the market, vendors need to embed remediation capabilities into the devices so end customers can reduce the attack surface once a vulnerability is discovered.”
In the end, it is all about developing a mindset similar to safety, where everyone thinks security from the beginning and understands the consequences of what could happen if they don’t.
“Manufacturers need to incorporate security by design into their production lifecycle,” said Dewan Chowdhury, founder and chief executive at MalCrawler. “Cyber security functions should be thought of in the design phase of products. Many of these companies are creating functional technology that can work over the Internet to please consumers, the typical consumer is not concerned about if the product has encryption, the strength of the algorithm, password complexity, firmware verification, etc. The consumer just sees a password and assumes it is secure, and the manufacturer goes along as no push for security is forcing them to change their product line.”
Chowdhury offered what he called the simplest things manufacturers can offer from a cyber security standpoint:
• Encryption with good algorithm for network transport and data at rest (this is actually very easy to do).
• Ensure password complexity on the devices, and force the user to change the default user name and password.
• Have the ability to have auto update enabled by default to ensure devices are patched.
• Firmware integrity checking — this control can ensure the integrity of the device that malicious code has not been put on it.
• Disable remote management of devices over the Internet. Devices should only be managed within the internal network.
Security controls expert, Eric Byres, sees some other ways to protect against the DDoS threat.
“First, the zone model really helps keep attacks like this from propagating throughout a company. I like to say without zone segregation, companies have a ‘Titanic’ problem (i.e. no functional bulkheads),” Byres said. “Second, if your IIoT infrastructure is running over the Internet, either build in real redundancy or make certain the IIoT comms are not mission critical — the Internet isn’t designed for mission critical comms.”