Converged Cybersecurity for Industrial IoT
Published on : Saturday 06-02-2021
By : Editorial Team
IT-OT cybersecurity convergence can be challenging; however, attackers are already exploiting gaps between IT and OT defences, says Sumit Deb.
The advent of ‘Internet of Things’ or IoT has unleashed a new wave of digital transformation across industries by connecting billions of physical devices around the world to the internet, all collecting and sharing data to add to the overall system intelligence and efficacy. Industrial Internet of Things (IIoT) or the fourth industrial revolution or Industry 4.0, are all names given to the use of IoT technology in line of business (LoB) contexts – concept is same as for the consumer IoT, but in this case the aim is to use a combination of sensors, wired and wireless networks, big data, AI and analytics to optimise industrial processes. IIoT has gradually become a pivot for digital transformation across industrial environments.
IIoT networks can be broadly divided into four levels, each characterised by different physical devices: 1) Perception layer represents data transactions between the physical devices such as barcodes, RFID tags and readers, BLE devices, GPS, sensors, etc.; 2) Network layer components includes wireless sensor networks, WLAN, LAN/WAN and cloud networks; 3) Service layer consists of service management, databases, and service APIs – i.e., middleware technology for data management and communication; and 4) application layer components of industrial IoT are smart applications and management interfaces.
Fast adoption of IIoT is witnessing an exponential growth of interconnected devices, resulting in increased threat vectors for hackers to launch attacks through any weakly guarded OT interfaces. Hence, a robust security framework for IT/OT and OT devices security has become imperative for IIoT/Industry 4.0. Finally, all disparate silos across the plant need to be tightly integrated with enterprise security operation centres (SOC) as well as 3rd party applications to achieve complete synergy for converged IT-OT security architecture. Interestingly, functional priorities of OT security are different from IT security – while IT systems are designed around confidentiality, integrity and availability (CIA), OT environment being more mission-critical, objectives follow priority of availability and integrity and confidentiality.
The most challenging issue faced in OT environments is often to deal with older control systems that have been in operation as long as 30 years, along with a plethora of industrial protocols. These legacy systems and devices were often deployed on flat networks, at a time when need for security took a back seat to other priorities, such as high availability and performance. Unlike IT, patching of OT assets means taking them offline – something that’s not an option with critical infrastructure or production lines that rely on high-availability. Consequently, vulnerabilities stack up as devices age, leaving attackers with large overlays of exploits to attempt compromising IIoT assets. So, security of hardware, software, connectivity, or others needs to be individually addressed apart from integrating assets under ICS security platform to ensure that IIoT doesn’t bring in any unwarranted headwind. All connected objects, from refrigerators to manufacturing bots, are inherently susceptible from hacking with serious consequences, whether it is Ukrainian BlackEnergy power outage or WannaCry ransomware attack on Renault-Nissan
The good news is that most IIoT assets are not directly exposed to the internet, which means attackers must rely on other methods to hack them. Most common vector for compromise for cyber-attacks – email – features here as well. The attacker often attempts to gather information about engineers, plant managers or developers that have access to IIoT network and mostly target them with phishing emails. Compromising one such computer can lay the most direct path for compromising IIoT assets. Unpatched systems, simple (default or unencrypted) passwords, relaxed remote access policies for maintenance contractors all offer attackers various soft spots. The attacker then works his way laterally through the network, monitoring network traffic and scanning compromised systems, looking for logins and authentication tokens. In absence of multi-factor authentication for access, the attacker encounters least resistance. The attacker eventually manages to compromise a domain controller, wherein he deploys malware using Group Policy Object (GPO), successfully compromising most of the plant IT network. Due to poorly implemented OT area segmentation, the attacker eventually manages to work his way to OT network. Then the attacker typically identifies vulnerability in assets, exploits them and knocks them offline, eventually bringing the plant production to a halt.
So, how can we defend IIoT assets and OT networks against attacks? Network monitoring through an integrated ICS security platform is the first step. However, it is important to passively monitor traffic for IIoT assets as active monitoring – where traffic is generated and sent through the network primarily to observe its behaviour – can result in an increased load on the network, resulting disruptions to device performance and even causing them to fail. In contrast, passive scanning listens to traffic, fingerprinting what it sees, rather than introducing new traffic into the OT environment. Keeping current inventory of assets on the network is very important in protecting OT networks, since traditional siloed networks often created many blind-spots on available OT assets. Passive monitoring is useful to identify the OT network asset base, including earmarking errant and rogue devices. With a comprehensive OT assets visibility in place, the next step is to create policies for asset groups.
One of the most critical aspects of OT network design is logical segmentation while keeping it scalable and manageable. While this may not be enough to prevent a determined attacker from crossing boundaries between different areas of the network, it can surely slow him down, providing more time to respond in case of an attack. Following ISA 99 /IEC 62443 guidelines for zone segmentation policies is a prudent step to begin this implementation. It’s important to note here that many OT assets use broadcast and multicast network communications, wherein one or more devices will send traffic to all other devices in the network – this will pose a challenge when segmenting an OT network. The asset inventory discovery mechanism set up through ICS security platform with a real-time dashboard reporting will be helpful to deal with this issue. A strong NetFlow mapping mechanism is useful to know which assets are talking to each other and how they interact as a whole. Also patching IIoT assets after discovering a vulnerability is an absolute must. Since all OT assets can’t be taken offline for patching, redundancy in IIoT network is another important design consideration as it will allow one device to be taken down while another picks up load during maintenance cycles.
Another must-have for OT security intelligence is to detect traffic anomalies that may be defined as any OT asset behaviour that falls outside of normal expected characteristics and set policies, such as two IIoT assets talking to each other that are not supposed to communicate, unplanned firmware updates, unexpected configuration changes or other anomalies. Finally, setting a threat hunting mechanism to look for and flush out threats within the OT environment is important. Proactive discovery of bad actors, building playbooks, and automating them are important steps to improve overall security posture. More and more, ICS connected to IoT are exchanging data with 3rd party contractors or OEMs through cloud for remote control and monitoring while leveraging IP-based networking technologies. System component providers are riding Industrial IoT wave and supporting many of the IP-based messaging protocols (such as MQTT, XMPP, AMQP, Pub/Sub). Representational State Transfer (REST) Application Programming Interfaces (APIs) are often employed to connect devices to internet. APIs are another way for an attacker to connect to device and access data. Only authorised devices and applications should be communicating with APIs. An attack (or potential threat) needs to be detected immediately. Strong encryption, authorisation and authentication (such as secure booting, MUD, RoT or PKI) can all be used to enhance API security. Integration with security platforms like SIEM, CMDB helps in implementing ICS security compliance guidelines apart from keeping OT system hygiene high, like tracking intrusion logging incidents and managing OT asset passwords. New evolutions in IDS like deep learning-based system for hybrid intrusion detection and signature generation of unknown attacks can be adopted to stay ahead in race.
In essence, the objective of OT security is to secure networks that run in industrial environments to help maintain safety, reliability and continuity of operations. IT is primarily tasked with overall policy setting and enforcement, remediation and risk mitigation. The need to converge between non-carpeted OT plant area and carpeted IT world is forcing both sides of the organisation to learn to speak each other’s lingo, but, many industrial companies still view IT and OT cybersecurity as separate challenges. Different concerns and practices seem to justify siloed efforts and separation of responsibilities. However, attackers are already exploiting gaps between IT and OT defences. For example, spam phishing is commonly used to gain privileges and entry into OT systems. And hackers are using HVAC and other poorly defended OT systems as entry points into data centres and corporate IT networks. While necessary, IT-OT cybersecurity convergence can be challenging. The different priorities, practices, and technologies could be hard to reconcile. Cultural issues, such as overcoming long standing distrust between IT and OT groups, can be an even larger hurdle. A team led by both IT and OT representatives must be entrusted to create a robust convergence plan with clearly defined process mechanisms, while anticipating these roadblocks, to make it successful.
Sumit Deb, with 20 years in the corporate arena, worked across Telecom, Networking, Industrial Automation, IoT and IIoT business practice domains in Sales, Business Development & Strategy, and Product Management roles in his career tenure. In terms of geographical coverage, he has worked in key APAC market regions like ASEAN and ANZ, apart from India. He has held various strategic and leadership portfolios in Tata Communication, Belden, Siemens and Cisco.
An engineer from NIT Silchar coupled with full-time MBA, writing is an area of his forte. In the past, apart from publishing papers in leading engineering journals, he has published articles in The Times of India, The Hindustan Times and The Economic Times, as a freelance writer.