Tag Archive for: IIoT

Posts

Don’t WannaCry on your Industrial IoT System

Pretty much anyone who has a computer or listens to the news has heard about the WannaCry virus that swept across the world a few days ago, installing itself on computers in businesses, hospitals, government agencies, and homes, encrypting hard drives and demanding ransom payments.  After scrambling to ensure that our operating systems are up-to-date and protected against this latest threat, the question soon comes up: How can we protect ourselves against similar threats in the future?

“How?” indeed.  That would seem difficult.  Our reliance on networked computers for business and personal use is fully entrenched, and business/personal PCs will remain vulnerable for the foreseeable future.  In the industrial arena, some may conclude this latest attack is yet another reason to hold off on their IoT strategy.  Or, at least: “You should use a VPN to keep it safe.”

And yet neither of these instincts is necessarily correct because (i) it is possible to build a secure Industrial IoT (“IIoT”) system, and (ii) VPN is not the way to do it.  Industrial control systems may use the same underlying operating systems as PCs but they are different in one critical aspect.  They exchange real-time control data, not files and emails.

How WannaCry Got In

WannaCry comes in two parts – an email “bomb” that exploits your anti-virus software and a “worm” that propagates throughout your network by exploiting configuration weaknesses and operating system bugs.  The special danger of WannaCry is that it can infect a computer through email even if you never open the email message.  Once WannaCry arrives through email, the worm takes over to attack the rest of the computers on your network.

The worm portion of the virus spreads itself by finding other machines on the network.  According to analysis of the code by Zammis Clark at Malwarebytes Labs, “After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. … The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue.” (the bug that the virus exploits)

If there is no open port on the other computer, the virus cannot spread.  But the VPN is not much help here.  If anyone on the VPN is struck by the virus, then every machine on the LAN is exposed.  Suppose you have an IIoT system connecting a corporate office to a process control system over a VPN.  If the virus activates on any of the connected machines in the IT department, it can easily propagate itself to any of the connected machines on the industrial LAN.

How to Keep WannaCry Out

The tongue-in-cheek answer is “don’t use email”.  More seriously, industrial systems and IT systems should be separated from one another.  There is no need to read email from the industrial LAN.  Don’t install email software on your industrial computers, and don’t allow email traffic through your firewall.

But industrial systems still need to communicate their data.  How can you reach the data without exposing the industrial network?  The solution is spelled out in detail in the latest white paper from Cogent (a Skkynet company) titled: Access Your Data, Not Your Network. This paper explains why the traditional architecture of industrial systems is not suitable for secure Industrial IoT or Industrie 4.0 applications, and discusses the inherent risks of using a VPN.  But most important, it introduces the best approach for secure IIoT and Industrie 4.0, which is to provide access to industrial data without exposing the network at all.

Specifically, the Skkynet-provisioned devices and the DataHub can make outbound connections to SkkyHub without opening any firewall ports.  These connections are robust channels that support bidirectional, real-time communications for doing monitoring and supervisory control.  The WannaCry virus or anything similar cannot spread into this system because they can’t see anything to infect.  The devices on the network are completely invisible.  Skkynet’s approach provides access to the data only, not to the network.

Cyber Security: Over 90% of IIoT Experts Express Concerns

Respondents to the 2017 Industrial Internet of Things Security Survey by Tripwire paint a pretty bleak picture of cyber security for the Industrial IoT (IIoT).  Among the more than 400 IT professionals responsible for securing their companies against IIoT-related threats, 96% said they expect to see an increase in cyber attacks in the coming year.  At the same time, less than 50% of them feel prepared for those attacks.

This is cause for concern, according to David Meltzer, chief technology officer at Tripwire, who said, Industry professionals know that the Industrial Internet of Things security is a problem today. More than half of the respondents said they don’t feel prepared to detect and stop cyber attacks against IIoT.

At the same time, 90% of these same IIoT experts expect the use of IIoT to increase.  They acknowledge that innovation must go forward, and that the benefits of the IIoT outweigh the costs.  Two out of three of them recognize the need to protect against cyber attacks, despite the fact that less than half of them feel prepared for attacks on insecure IIoT devices.

The Industrial Internet of Things ultimately delivers value to organizations, and that’s why we’re seeing an increase in deployments, said Meltzer.  Security can’t be an industry of ‘no’ in the face of innovation, and businesses can’t be effective without addressing risks. The apparent contradiction of known risks and continued deployment demonstrates that security and operations need to coordinate on these issues.

Meltzer points out that the consequences of insecure IoT implementations leading to a cyber attack are far more severe for industrial applications.  Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes, he said.  The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example – cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.

Here at Skkynet, we could not agree more. It was this kind of thinking that led us to develop our secure-by-design SkkyHub service. Those who understand the risks of the IIoT and the difficulty of securing it using conventional IT or OT approaches recognize the value of what we are doing. We invite every survey participant and anyone else who wants to get the most out of the IIoT to see for themselves how these concerns fall away when using an IIoT platform that is secure by design.

Will this be the year that your enterprise makes the IIoT leap?

For the second January in a row, we’re using this lead issue to look ahead at the industry conversations likely to follow over the next 11 months. Like last year, there’s still no bigger buzz than the impact that digital transformation and the industrial internet is having both on work and on the people who do work.

I’m writing this note on the 10-year anniversary of the launch of the iPhone, which marks a genuine milestone in the history of both internet-enabled communications and mobile computing. As the iPhone evolved and the iPad emerged, savvier organizations and IT workers caught on early to the opportunities available to digitize operations. For example, a close friend who works in commercial real estate directed his teams early on to rethink his organization’s processes as each new Apple device launched, reducing business friction in the field and moving toward nearly paperless operations.

Many other contributors this month round out the digital conversation:

  • IFS CTO Dan Matthews identifies three myths that cause organizations to hesitate on IoT projects.
  • Skkynet’s Bob McIlvride examines how to combine in-house skills with outside expertise to build systems that enable deeper data-driven insights into your assets.
  • Bruce Hawkins and Scott Bruni review the foundational IIoT steps that plant teams can take, noting that roughly 60% of the instrumentation needed for critical assets often already exists.
  • Tech Toolbox’s Sheila Kennedy surveys the network security solutions landscape in an age of IT-OT convergence.
  • Jeff Shiver of People and Processes outlines six steps that can improve the speed and quality of cultural change in your organization.
    Finally, in her Big Picture Interview, Bentley Systems’ Anne-Marie Walters looks ahead to the role that 3D modeling will play in the internet-enabled asset management landscape.