Managing The Evolving OT/ICS Security Risks Enabled By IoT/IIoT
To many people, the Internet of Things (IoT) is a new innovation. To consumers, who love the modern conveniences of Wi-Fi-enabled Internet-accessible gadgets, IoT has given rise to fun toys with some usefulness, albeit limited utility. These devices are connected to the Internet for convenience, but can create possible cases of privacy infringement, and in extreme cases, are used to enable broad Internet attacks.
Though IoT security issues are significant, they do not compare to the life and safety impacts that can be incurred utilising Industrial IoT (IIoT) devices. These devices have been around for decades, supporting all aspects of life behind-the-scenes, in the form of Industrial Control Systems (ICS). They sustain day-to-day operations of machines working across numerous industry verticals, including heating, ventilation and air conditioning (HVAC) systems, power plants, and management and monitoring tools in areas such as air quality management and pumps in water treatment facilities.
Technologies including ICS, Supervisory Control and Data Acquisition (SCADA), and Programmable Logic Controller (PLC) systems were once air-gapped and hardwired to sensors, switches, and servos. Now, as with IoT devices, more industrial devices are being developed utilising IIoT capabilities, including Internet-connectivity, WiFi, and other wireless technologies, such as ZigBee. Some concerning cybersecurity trends on IIoT systems include:
More than 70% of the vulnerabilities disclosed during H1 2020 can be exploited remotely via a network attack vector. This observation reinforces the fact that fully air-gapped operational technology (OT) networks that are totally isolated from cyber threats have become exceedingly rare, highlighting the critical importance of protecting internet-facing ICS devices and remote access connections. Claroty
Many IIoT devices run Windows, making them vulnerable to traditional security incidents such as WannaCry. Gartner
Lack of a device or sensor inventory for IoT devices makes it easier for threat actors to establish persistent bridgeheads into target networks for data exfiltration, command injection, protocol manipulation and other technical attacks. TechTarget
Vulnerabilities in communication protocols such as Modbus and Profinet lack the availability to authenticate users and detect unusual behaviour. The integration of systems from different vendors that have varying levels of security capabilities, could also expose the organisation to IIoT threats.
There are fewer than 1,000 ICS professionals in the world, creating an issue for OT security. Typically, OT teams do not know security, and IT teams do not understand operational processes. This critical skills gap amplifies the cybersecurity risk.
Each of these trends raises considerable concern. Loss of water or power at critical times of the year potentially means serious public health and safety incidents. So the big question is, "What can we do to better secure OT/ICS systems?” Let us consider a few key areas.
Q1: How should the IoT/IIoT industry address the risk from third-party components as seen over recent years with vulnerabilities such as Blueborne, KRACK, Urgent11 and Ripple20 to name a few?
While complete threat protection and prevention is impossible, there are several defensive mechanisms that can protect your organisation against zero-day threats:
Layered security defence: Assume your product is vulnerable. Ensure there are additional compensating security layers in place to prevent any exploitation of those vulnerabilities.
Next-generation security protection tools: Use solutions that leverage threat intelligence, behavioural analytics and machine learning code analysis (e.g. NGFW, IPS/IDS, NGAV).
Patch management: This cannot prevent zero-day attacks, but it can significantly reduce the exposure window. Furthermore, doing this Over-The-Air (OTA) is becoming a must for the industry.
Reliable incident response function: Having a specific response plan focused on zero-day attacks will give your organisation a huge advantage in case of an attack, reduce confusion and increase your organisation’s chances of avoiding or reducing damage.
Q2: What are the main challenges in securing IoT/IIoT devices today? What about in 5-10 years’ time?
While IoT/IIoT devices bring effective communication between devices, automate things, and save cost and time, this comes at a price - security. There have been security incidents that have made some IoT/IIoT devices challenging to trust, and it is no secret that cybersecurity and IoT do not support each other’s respective domain goals.
In particular, we are specifically referring to several challenges that make security adoption difficult to achieve. These include:
- IoT/IIoT is rapidly evolving, highly diverse with enormous unit volumes. In 2020, there are estimated to be approximately 31 billion IoT devices in use. A greater number and variety of IoT devices means increased security vulnerabilities across the enterprise, and it is a growing challenge for the security practice.
- Security comes last in IoT devices. By their nature, smart IoT devices are user-centric, focus on innovative functionality and ease of use. Embedding security might restrict important features or downgrade the user experience.
- IoT software security is costly, as it requires regular testing, patching, and updating. Furthermore, providing firmware and software updates for embedded devices is an additional challenge.
- The ICS/IIoT industry is not as strictly regulated as other safety-critical industries. Sure, the IIoT industry has security regulations (e.g., ISA/IEC 62443, NIS Directive for Critical Infrastructure), but the IoT ecosystem is young and has no industry standards for architecture and/or security. IoT devices often use custom-built operating systems and proprietary communication protocols, which are far from being secure.
- IoT devices are built without security in mind, using insecure protocols, insecure SW/HW components, insufficient privacy protection, and may even use hardcoded passwords.
- Low processing power devices can lead to a lack of security mechanisms on the devices (e.g. many IoT devices don't have the computing resources to support encryption or secure key negotiation).
Looking to the future, we expect security regulation to play an essential role in making the OT/ICS and IoT/IIoT fields more secure. Diversity of IoT devices will still be one of the biggest challenges, together with creating the right balance between consumer satisfaction and security.
Q3: What role do emerging technologies like AI and blockchain play in making the IoT/IIoT landscape more secure?
IoT/IIoT devices continue to flood the lives of consumers and organisations, leaving enterprises with the complexity of handling hundreds of thousands, or even millions of IoT devices. The growing number of devices means a considerable amount of data to transfer across networks, store, and manage.
AI capabilities and automation are already being used to process massive amounts of data in the IT world. These advancements might one day help IoT administrators and security officers enforce behaviour-specific rules and detect anomalous data, communications and traffic patterns. However, there are still serious concerns related to allowing AI’s role in safety-critical decision-making in sensitive industries such as transportation, manufacturing, and healthcare.
Blockchain (also known as distributed ledger technology) has the potential to help tackle some of the most significant IoT security and scalability challenges. The technology has several interesting capabilities, including:
- It is immutable. Data cannot be altered without the network agreeing to it.
- It removes the need for trust among the involved parties.
- Its use of advanced encryption algorithms to secure data.
- No single organisation has control over data generated by IoT devices.
- Provides transparency, allowing anyone who is authorised to access the network to track the communication/transaction.
For more information about our ICS and OT security services, visit this page.