By Gregory Hale
An Internet-enabled industrial CCTV system went live online not too long ago and in three short minutes the camera started to get malicious traffic requests. Think about it: One system placed on the massive Internet and it started getting attacks in three minutes.
Welcome to the age of connectivity in the digital world.
There is no doubt a smart, connected manufacturing enterprise can embrace the digital transformation leading into the Industrial Internet of Things (IIoT) environment by culling new types of information that could result in increased levels of collaboration, operational excellence, agility, productivity and profitability.
While complete and unadulterated adoption of IIoT may not occur across the board for years, the process toward digital transformation is occurring now and manufacturers need to embrace how they are going to secure their enterprise.
“The biggest thing when we start talking about if IIoT is coming is the reality is it is already here,” said Joshua Carlson, Subject Matter Expert and Cybersecurity Technical Sales Leader, Americas, for Schneider Electric. “What does the Industrial Internet of Things really mean? It means it has an IP stack, it has an Ethernet port on it, it has a Wi-Fi card on it. We have been building those types of devices for a very long time and people have been using them for a very long time. What we are seeing now is more of a use of a public infrastructure or a more common infrastructure to communicate with those devices.”
In the quest to enhance productivity and gain the competitive edge in an emerging global landscape, manufacturers need to apply smarter and more connected technology. Adding that smart technology can garner important data from new sources that can increase knowledge of the process.
Paucity of Security
At issue is a lack of even basic protections like anti-virus, which can enable attackers to quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces, said researchers in the CyberX “Global ICS & IIoT Risk Report.”
Among its findings, the report concluded that control networks are easy targets:
• 1 out of 3 industrial sites are connected to the public Internet
• 3 out of 4 sites have legacy Windows boxes for which Microsoft is no longer providing security patches
• 60 percent have passwords traversing OT networks in plain-text
• 50 percent of industrial sites aren’t running any antivirus protection
• 82 percent are running remote management protocols (RDP, VNC, SSH, etc.), making it easier to perform cyber reconnaissance
“IIoT is all about access management,” said Adam Gauci, Cybersecurity Program Manager, Energy Division, at Schneider Electric. “Manufacturers have to have an accurate inventory of the devices that connect to the network and have a way to monitor them. They need to be able to identify when new vulnerabilities come into place. It is about having a process and having a system that manages the new devices coming on line.”
The challenge from a security perspective is understanding the reward of the capability versus the security risk.
“Do we simply plug in the devices and hope for the best, hoping the manufacturer has protected the device in the method where it won’t hurt me or do we take it to the next step — and we are seeing people taking it to the next step,” said Jay Abdallah, Global Director, Cybersecurity Solutions for Schneider Electric. “The suggestion we have is to continue your isolation. Yes, the device is connected to the Internet, but it does not need access to everything. Figure out how it works, figure out the minimum required ports and protocols, sources and definitions, and filter the traffic because you can take out a vast majority of the malicious traffic that attempts to break into the systems by creating very simple firewall rules and protecting them.”
CCTV System Hit
The risk/reward analysis comes into play when you see a boost in connectivity, but not a comparable rise in security. One report found that in 2016 IIoT technology was hacked, on average, within 360 seconds of going online.
To expand on that report, just go back to Abdallah’s CCTV example.
“We did a test once where we had a segmented network on a test lab and we plugged in an Internet enabled industrial CCTV system,” Abdallah said. “We wanted to see if we left it as it was, how long would it take for malicious traffic to start coming in. It took three minutes. Within three minutes that camera was hammered with malicious traffic requests. The reality is at some point it is going to get cracked, and you may say it is only a camera, but what is it connected to? What other parts of the plant does it have visibility into? What databases is it feeding to? Are those databases secure? That is why we have to throw many different network-based solutions to protect IIoT devices to ensure the minimum traffic required is allowed in and allowed out.”
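The default-deny filtering Abdallah describes, for both the "minimum required ports and protocols" advice and the camera test, sketched as an added example (not code from the article or from Schneider Electric). The camera policy, addresses and flow records are constructed assumptions; the check also reports allow rules that no observed traffic needed, which helps trim the policy to the minimum.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    direction: str  # "in" or "out", relative to the camera
    peer: str       # CIDR of the permitted remote endpoint
    proto: str
    port: int       # destination port

class Flow(NamedTuple):
    direction: str
    peer_ip: str
    proto: str
    port: int

# Hypothetical minimum policy for one camera; anything not listed is denied.
CAMERA_POLICY = [
    Rule("in", "10.20.0.10/32", "tcp", 554),  # video recorder pulls RTSP
    Rule("out", "10.20.0.5/32", "udp", 123),  # camera syncs time (NTP)
    Rule("out", "10.20.0.6/32", "udp", 514),  # camera ships syslog
]

def allowed(flow, policy):
    ip = ipaddress.ip_address(flow.peer_ip)
    return any(
        r.direction == flow.direction and r.proto == flow.proto
        and r.port == flow.port and ip in ipaddress.ip_network(r.peer)
        for r in policy
    )

def filter_flows(flows, policy):
    """Split flows into (permitted, denied) under default-deny."""
    permitted, denied = [], []
    for f in flows:
        (permitted if allowed(f, policy) else denied).append(f)
    return permitted, denied

def unused_rules(flows, policy):
    # Allow rules that matched no observed flow: candidates for removal.
    return [r for r in policy if not any(allowed(f, [r]) for f in flows)]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("in", "10.20.0.10", "tcp", 554),    # expected recorder
    Flow("in", "203.0.113.7", "tcp", 23),    # unsolicited Internet request
    Flow("in", "198.51.100.9", "tcp", 554),  # right port, wrong source
    Flow("out", "10.20.0.5", "udp", 123),    # expected NTP
    Flow("out", "10.30.0.40", "tcp", 1433),  # camera reaching a plant database
]

if __name__ == "__main__":
    for f in filter_flows(SAMPLE_FLOWS, CAMERA_POLICY)[1]:
        print("DENY", f)
```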
That means in the move to a more digital environment, manufacturers need to ensure a secure device and secure network.
“Make sure what you are working with is a secure product that is using secure protocols and uses secure authentication and they have been tested and they are tried and true and the vendor that makes that product has a good development practice behind that,” Carlson said. “If you find a vulnerability in the product, make sure they have a vulnerability management process that can address that. The worst thing is you put all these wonderful IIoT devices out there and they are vulnerable to simple types of attacks. The second thing is to make sure they operate on secure networks themselves. You have security parameters that say this is the fence you have drawn around this and I know what protocols and what systems and what applications are going in and out of there and I have the situational awareness and visibility to know that something else is going through that shouldn’t be there.”
That can lead to a secure digital world.
Gregory Hale is the Editor/Founder of Industrial Safety and Security Source (ISSSource.com).