By Michael Rothschild, Director of Product Management, Indegy
The adoption of industrial internet of things (IIoT) technologies in manufacturing environments is unleashing major efficiency improvements and operational cost reductions. Along with these benefits, IIoT is also opening up operational networks to security threats they never faced in the past.
For example, attacks such as Lockergoga, BlackEnergy, VPNFilter, and Wannacry are just a few of the recent malware campaigns that have affected critical infrastructure and industrial operations. The actors in some cases were rogue factions including nation states that hacked into industrial networks and caused havoc.
However, the threat from within is also omnipresent and highly significant, as insiders have ‘the keys to the kingdom’ — or at least know how to find them. Some studies show that insider threats account for more than 50 percent of all industrial cyber security incidents.
The IIoT Threat
While IIoT holds tremendous promise for improving manufacturing via the networking of smart devices that can communicate and coordinate with one another via the Internet, the downside is that few vendors and customers are fully aware of the potential security risks associated with the technology.
The introduction of IIoT has in many cases delivered more efficiency, but the controls needed to protect this new attack vector are lacking. In fact, the current lack of security standards for IIoT devices can create holes that affect both IT and OT environments. Let’s consider the leading IIoT security threats.
Many IIoT devices are pre-configured with a default password, which is clearly a time-saver for IT staff. However, this convenience is also a major security flaw. When hundreds of thousands of devices share the same default password, attackers can easily compromise organizations that have neglected, or intentionally decided, not to change it.
Patching is another huge problem area for organizations, because many IIoT devices cannot be patched, or vendors do not issue patches for known vulnerabilities.
Too Many Devices to Manage
Simply taking an inventory of the sheer number of IIoT devices in an infrastructure can serve as a wake-up call. Many security administrators are not aware of the sprawl that takes place once IIoT goes mainstream in an OT environment. Not only can the numbers be significantly larger than originally anticipated, but tracking manufacturers, version numbers, patch levels and so on, not to mention vulnerability disclosures, can become a full-time job. It simply becomes too much to manage.
Lateral Creep Of Security Incidents
Regardless of type, any IIoT device can be used by attackers as a stepping stone to compromise IT and OT networks. Once inside the network, a hacker can do extensive damage to IT and OT infrastructures and move laterally between them; it’s just a matter of finding the weak link in the chain.
IIoT Security Measures
Fortunately, the following best practices can mitigate many IIoT risks.
Fight OT Threats With OT Technology
IT threats can plague OT networks, especially when IIoT is introduced. Nevertheless, it is crucial to also employ OT-specific security for OT environments. This means a hybrid detection mechanism that combines signature-based detection for known threats, anomaly-based detection for unknown threats, and policy-based detection, which raises an alert when an OT function violates a pre-set “rule”.
Identifying and mapping all devices in the OT environment, and keeping an up-to-date inventory of them (including those that aren’t actively communicating over the network), is a vital first step. Ideally, this should include collecting granular information on each device, such as firmware versions, PLC backplane configurations, and serial numbers.
Risk and Vulnerability Assessment
As there are so many potential attack vectors to defend, it’s best to focus on the greatest sources of risks and vulnerabilities. This involves automating the process by which new vulnerabilities are identified and processed. A vulnerability management system can generate periodic reports of risk levels for each asset in the industrial control system (ICS) network. When new vulnerabilities are discovered or disclosed, a mechanism should be in place to identify affected devices, remediate threats and verify a fix has been successfully applied.
Device and Configuration Management
Monitoring and managing changes in the ICS environment to ensure that device and system configurations are secure and well documented is essential. This requires maintaining a continuously updated list of the version numbers of all installed software and firmware, and comparing it regularly against a list of known vulnerabilities.
Meanwhile, regular scanning of OT networks can detect unknown devices and unintended changes made to them.
The best solutions issue notifications whenever a new vulnerability appears. They also combine network monitoring with active device queries to provide in-depth vulnerability assessments. For example, they provide information on current device firmware versions and associated CVEs, list open ports, and calculate accurate, up-to-date risks.
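The firmware-version comparison described in the two paragraphs above, as an added example (not Indegy's product code): it checks a constructed asset inventory against constructed advisories with placeholder ids, and separately reports devices whose firmware was never collected, since those cannot be cleared.

```python
# Added example (not Indegy's product code): match an OT asset inventory
# against known-vulnerable firmware versions. All asset and advisory records
# below are constructed sample data; advisory ids are placeholders, not CVEs.


def parse_version(text):
    """'2.8.1' -> (2, 8, 1); non-numeric fragments count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(inventory, advisories):
    """Return (exposed, unverified): exposed = [(asset_id, advisory_id)] for
    firmware older than the advisory's fixed_in version; unverified = ids of
    assets matching an advisory by vendor/model whose firmware is unknown."""
    exposed, unverified = [], []
    for asset in inventory:
        relevant = [a for a in advisories
                    if (a["vendor"], a["model"]) == (asset["vendor"], asset["model"])]
        if asset["firmware"] is None:
            if relevant:           # cannot be cleared until a version is collected
                unverified.append(asset["id"])
            continue
        for adv in relevant:
            if parse_version(asset["firmware"]) < parse_version(adv["fixed_in"]):
                exposed.append((asset["id"], adv["id"]))
    return exposed, unverified


# Constructed inventory; firmware None = a device that never reported its
# version, e.g. one that is installed but not talking on the network.
INVENTORY = [
    {"id": "plc-01", "vendor": "ExampleCo", "model": "CPU-300", "firmware": "2.8.1"},
    {"id": "plc-02", "vendor": "ExampleCo", "model": "CPU-300", "firmware": "2.9.0"},
    {"id": "hmi-07", "vendor": "ExampleCo", "model": "Panel-X", "firmware": None},
    {"id": "rtu-03", "vendor": "OtherCo",   "model": "RTU-9",   "firmware": "1.2.0"},
]
# Constructed advisories; fixed_in is the first firmware version not affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "vendor": "ExampleCo", "model": "CPU-300", "fixed_in": "2.9.0"},
    {"id": "ADV-EXAMPLE-2", "vendor": "ExampleCo", "model": "Panel-X", "fixed_in": "4.0.0"},
]

if __name__ == "__main__":
    exposed, unverified = assess(INVENTORY, ADVISORIES)
    print("exposed:", exposed, "unverified:", unverified)
```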
Security policies should also be enforced to control which devices can perform certain (privileged) actions such as a code or firmware download to industrial controllers. In addition, policies should mandate that certain devices do not access the internet.
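A minimal policy-based detector of the kind described in the "Fight OT Threats With OT Technology" section and in the paragraph above, added here as an example rather than taken from the original article or from Indegy's product: the device roles, plant address ranges, rules and event records are all constructed.

```python
# Added example (not Indegy's product code): a minimal policy-based detector
# of the kind described above. Roles, addresses, rules and events are constructed.
import ipaddress

# Constructed asset roles: only "engineering" hosts may push code or firmware
# to a controller; "no_internet" hosts must never reach a non-plant address.
ROLES = {
    "10.10.1.5":  {"engineering"},
    "10.10.1.9":  {"hmi", "no_internet"},
    "10.10.2.20": {"plc", "no_internet"},
}
PRIVILEGED_ACTIONS = {"code_download", "firmware_download"}
PLANT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def check_event(event):
    """Return the policy violations for one event (empty list = allowed)."""
    alerts = []
    src, dst, action = event["src"], event["dst"], event["action"]
    src_roles = ROLES.get(src, set())
    dst_roles = ROLES.get(dst, set())

    # Rule 1: privileged operations on controllers only from engineering hosts.
    if (action in PRIVILEGED_ACTIONS and "plc" in dst_roles
            and "engineering" not in src_roles):
        alerts.append(f"{action} to controller {dst} from non-engineering host {src}")

    # Rule 2: internet-restricted devices must stay inside the plant networks.
    if ("no_internet" in src_roles
            and not any(ipaddress.ip_address(dst) in n for n in PLANT_NETS)):
        alerts.append(f"internet-restricted host {src} contacted public address {dst}")

    # Rule 3: an uninventoried source is an inventory gap, not silently allowed.
    if not src_roles:
        alerts.append(f"traffic from uninventoried host {src}")
    return alerts


# Constructed event records, e.g. as parsed from passive network monitoring.
EVENTS = [
    {"src": "10.10.1.5",  "dst": "10.10.2.20",  "action": "firmware_download"},
    {"src": "10.10.1.9",  "dst": "10.10.2.20",  "action": "firmware_download"},
    {"src": "10.10.2.20", "dst": "203.0.113.7", "action": "connect"},
    {"src": "10.10.9.99", "dst": "10.10.2.20",  "action": "read_tags"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event, "->", check_event(event) or "allowed")
```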
Finally, in addition to implementing these best practices to address IIoT risks, unifying IT and OT security can protect industrial control networks from threats regardless of how they originate.