
Skkynet’s Approach Calms Recent Security Concerns

Eyebrows were raised among the industrial automation community last week when the well-known Kaspersky Labs issued a report titled OPC UA Security Analysis that lists 17 security issues in the OPC UA protocol and products. While we see no reason to doubt their methodology, we take a different approach to the question.

As we see it, the real issue is not the OPC UA protocol itself. OPC UA was created to allow client/server networking for industrial communication. The flaws that Kaspersky identified were visible on an OPC UA server that, by definition, is listening for network connections from OPC UA clients. Any application that listens for connections on a network can equally be a point of attack for a malicious hacker. This is not unique to OPC UA—it is a fact of the design of TCP/IP networks. Period.

Think about it. How did Kaspersky Labs discover the vulnerabilities in OPC UA and related products? Using a technique called “fuzzing”, they pointed a specially constructed client application at the UA server and sent it a rapid-fire barrage of messages, each of which was slightly altered, or “mutated”, in some way from a standard message. Sooner or later one of these messages would crash the server or uncover an exploitable vulnerability. This technique can be used on any network-connected server, such as a web server, VPN server, RDP server or vendor-supplied remote access server.

We would argue that Kaspersky Labs was searching for symptoms while overlooking the cause. What the report does not address, and indeed it is so obvious that it is easily overlooked, is that this kind of attack can only succeed if the intruder has access to the server in the first place. All software has bugs. Any program exposed to the Internet is fair game. However, as long as your servers are running on a trusted network and you keep all inbound firewall ports closed, you don’t run the risk of an attack from outside, no matter how persistent or devious the attacker may be.

The Real Problem

The real problem is that the standard approach to industrial data communications is not suitable for untrusted networks like the Internet. We are used to a client on the user side connecting in to a server at the data source; after all, that is the classic client-server architecture. But for Industrial IoT this approach poses a serious risk because the client is often outside the trusted plant network. It needs an open firewall port into the plant to connect. This design itself is the fundamental reason for the security problem. Rather than expecting protocols or software to be bug-free and invulnerable to attack, it makes more sense to find a more secure design approach altogether.

A Better Approach

A better approach is not to allow any inbound connections at all. The whole Kaspersky Lab scenario was built on repeated client connections into the server network. What if the server (over which the attacker has no control) connects out to the client? If you can establish only outbound connections from a data source to a data user, then the entire threat vector is eliminated. With all inbound firewall ports closed, the plant network and all of its OPC UA servers become invisible. And you can’t attack something that you can’t see.

This is Skkynet’s approach. It is running in production systems worldwide, and it is fully compatible with OPC UA. By keeping OPC UA servers within the trusted network, and keeping all firewall ports closed, Skkynet’s approach enables secure Industrial IoT connectivity, while still reaping the benefits of OPC UA in the plant.
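The outbound-only design described above, as an added example that is not Skkynet’s code: a plant-side agent dials out to a hypothetical DMZ relay and publishes two constructed tag values, a remote user reads and writes only through the relay, and writes travel back over the connection the plant itself opened, so nothing inside the plant ever calls listen(). The relay, the newline-delimited JSON format and the tag names are assumptions made for this sketch.

```python
import json
import socket
import threading

HOST = "127.0.0.1"  # the whole demo runs locally; no real plant or relay is involved

def _send(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())

def _listen():
    srv = socket.socket()
    srv.bind((HOST, 0))                         # ephemeral port chosen by the OS
    srv.listen(1)
    return srv

class DmzRelay:
    """Hypothetical DMZ relay: the only listener; holds a value cache, no route into the plant."""

    def __init__(self):
        self.latest = {}                        # last published value per tag
        self.plant_ready = threading.Event()    # set once the plant has dialled out
        self.plant_srv = _listen()              # where plant agents connect (outbound from plant)
        self.user_srv = _listen()               # where remote data users connect

    def serve_plant(self):
        self.plant_conn, _ = self.plant_srv.accept()
        self.plant_ready.set()
        for line in self.plant_conn.makefile("r"):   # loop ends when the plant hangs up
            msg = json.loads(line)
            self.latest[msg["tag"]] = msg["value"]

    def serve_user(self):
        conn, _ = self.user_srv.accept()
        for line in conn.makefile("r"):
            req = json.loads(line)
            if "write" in req:
                self.plant_ready.wait()
                _send(self.plant_conn, req)     # rides the plant's own outbound link
            else:
                _send(conn, {"value": self.latest.get(req["read"])})
        conn.close()

def plant_agent(relay_port, tags):
    """Plant side: dial out, publish, accept one write over that same link, publish, hang up."""
    with socket.create_connection((HOST, relay_port)) as sock:   # outbound only; never listen()
        reader = sock.makefile("r")
        for tag, value in tags.items():
            _send(sock, {"tag": tag, "value": value})
        cmd = json.loads(reader.readline())
        tags[cmd["write"]] = cmd["value"]       # apply the write to the local "process"
        _send(sock, {"tag": cmd["write"], "value": cmd["value"]})
        reader.close()

def run_demo():
    """Returns (plant's Pump1.Speed, value the user reads back, relay's cache)."""
    relay = DmzRelay()
    workers = [threading.Thread(target=f) for f in (relay.serve_plant, relay.serve_user)]
    for w in workers:
        w.start()
    tags = {"Pump1.Speed": 1200, "Tank1.Level": 73.5}    # constructed sample tags
    agent = threading.Thread(target=plant_agent, args=(relay.plant_srv.getsockname()[1], tags))
    agent.start()
    user = socket.create_connection((HOST, relay.user_srv.getsockname()[1]))
    _send(user, {"write": "Pump1.Speed", "value": 900})  # the user's only path into the plant
    agent.join()
    workers[0].join()                                    # relay cache now holds the new value
    _send(user, {"read": "Pump1.Speed"})
    seen = json.loads(user.recv(1024))["value"]          # one small reply; a single recv suffices
    user.close()
    workers[1].join()
    return tags["Pump1.Speed"], seen, relay.latest
```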

Note: A version of this article was recently published on the Automation.com website.

IIoT Security: Attacks Grow More Likely, Users Unaware

A few weeks ago hackers of industrial systems reached a new milestone. For the first time in history, someone was able to break into the safety shutdown system of a critical infrastructure facility. Roaming undetected through the system for an unknown amount of time, the hackers finally got stopped when they inadvertently put some controllers into a “fail-safe” mode that shut down other processes, which alerted plant staff that something was wrong.

The danger was not just in the safety mechanisms themselves, but for the whole plant. “Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks,” said cyber experts interviewed by Reuters.

Plan Ahead

That facility was lucky this time around. What about next time? What about the next plant? Rather than relying on luck, it is better to plan for the future. As attacks grow more likely, those systems that are secure by design, that offer zero attack surface, that are undetectable on the Internet, stand a much better chance. This has always been Skkynet’s approach, and as the threats increase, it makes more and more sense.

In fact, the industrial world is largely unprepared for these kinds of attacks. Having evolved for decades cut off from the Internet, until recently there has been little need to change. And a surprising number of users seem unwilling to acknowledge the risks. According to a recent article in Ars Technica, hundreds of companies across Europe are running a popular model of Siemens PLC (programmable logic controller) with TCP port 102 open to the Internet. “It’s an open goal,” commented security researcher Kevin Beaumont.

Government Mandates

The situation has attracted the attention of governments, who realize the need to protect critical infrastructure for the sake of their citizens. The United Kingdom has issued a new directive authorizing regulators to inspect cyber security precautions taken by energy, transport, water and health companies, reports the BBC. The National Cyber Security Centre has published guidelines, and companies that fail to comply are liable for fines of up to 17 million pounds. “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” said Margot James, Minister for Digital.

IT to OT Challenges

What has brought all of this into focus over the past few years has been the increased awareness of a need for process data outside of the production facility. Companies are recognizing the value of the data in their OT (operational technology) systems, and want to integrate it into their IT systems to help cut costs and improve overall efficiency for the company as a whole. What they may not realize is that the tools of IT were not designed for the world of OT, and the security practices of OT are not adequate for the Internet.

The WannaCry virus that affected many companies worldwide last year is a case in point. Companies using VPNs to protect their IT-to-OT connections found out first-hand that a VPN merely extends the security perimeter of the plant out into an insecure world. A breach in an employee email can expose the whole plant to the threat of a shutdown. “WannaCry is the personification of why computers on the corporate networks should not be directly connected to OT networks,” according to Gartner Analyst Barika Pace in a recent report, Why IIoT Security Leaders Should Worry About Cyberattacks Like WannaCry, January 30, 2018. “It is also the reflection of the inevitable convergence of IT and OT. Based on your risk tolerance and operational process, segmentation, where possible, is still critical.”

Segment Your Systems

By segmentation, Pace means dividing networks into security zones, and maintaining security between each zone through the use of firewalls, DMZs, data diodes and other similar technologies to ensure that if one system gets hacked, it cannot affect others. Segmentation is part of a secure-by-design approach that Skkynet endorses and provides. Our software and services offer a way to connect IT and OT systems through DMZs or the cloud without opening any inbound firewall ports.

A Siemens PLC in this kind of segmented system could be accessed by authorized parties, and exchange data in both directions, without opening TCP port 102 to the Internet. Managers of critical infrastructure who implement this secure-by-design approach to segmentation are not only ready for government inspection, they have taken the best precaution against those who would intrude, hack, and attack their mission-critical systems.

As attacks on critical infrastructure become more likely, users must become aware, and prepare. The acknowledged benefits of IIoT need not entail unnecessary risk; securing an industrial system can be done, and done well. A big step is to segment your OT system through a secure-by-design approach, such as that offered by Skkynet.

Wider Adoption of IIoT Forecast for 2018

With the New Year upon us, now is the time to look back at 2017 to see how far we’ve come, and look ahead to see what’s on the horizon.  After sifting through a number of predictions, it seems that most of the pundits agree that the forecast is good.  The Industrial IoT continues to grow steadily in popularity, as it becomes one of the leading application spaces for the IoT.

“There’s no question the industrial side of IoT is growing rapidly,” said Bret Greenstein, VP of IBM’s Watson IoT Consumer Business.  “In a way, it’s kind of supercharging manufacturing operators and people who do maintenance on machines by providing real-time data and real-time insights.”

“It’s clear that the internet of things is transforming the business world in every industry,” says Andrew Morawski, President and Country Chairman of Vodafone Americas. “As the technology has evolved over time, adoption among businesses has skyrocketed.”

Finding business cases

As part of this growth, the forecast is to see companies begin to apply the knowledge they have gained from small-scale test implementations and pilots to build solid use cases for IIoT technology.  “The focus is shifting from what the IoT could do to what it does, how it fits in business goals and how it generates value,” said J-P De Clerck, technology analyst at i-SCOOP.  We have seen this among our customers here at Skkynet, and we plan to share some of their experiences and use cases later this year.

Edge computing becoming a necessity

Most analysts foresee growth of edge computing as part of an overall IIoT solution. As we explain in a recent Tech Talk, edge computing means doing some data processing directly on an IoT sensor or device, as close as possible to the physical system, to reduce bandwidth and processing on cloud systems. Daniel Newman, a Forbes contributor, says, “Edge networking will be less of a trend and more of a necessity, as companies seek to cut costs and reduce network usage.” He sees IT companies like Cisco and Dell supporting the move to edge computing in IIoT hardware, as well as the industrial providers that you would expect, such as GE and ABB.

Security remains a fundamental challenge

There is one thing that pretty much every analyst and pundit agrees on: security is still a challenge. Various ideas are being discussed. One commentator suggested that companies making large investments in IIoT have gained or eventually will gain the expertise and resources needed to meet the challenge. Others suggest that an altogether new model might be necessary. “We have reached a point in the evolution of IoT when we need to re-think the types of security we are putting in place,” said P.K. Agarwal, Dean of Northeastern University’s Silicon Valley campus, in a recent Network World article. “Have we truly addressed the unique security challenges of IoT, or have we just patched existing security models into IoT with hope that it is sufficient?”

As we see it, patching up existing models is not the answer.  Providing secure access to industrial data in real time over the Internet is not something that traditional industrial systems were designed to do.  As more and more IIoT implementations come online, and as companies search for robust systems that can scale up to meet their production needs, we believe they will come to that realization as well.  Our forecast for 2018 is that an increasing number of those companies will begin to realize the value of an IIoT system that is secure by design.

Where does Blockchain fit into the IIoT?

Part 11 of Data Communication for Industrial IoT

Nothing I’ve read suggests that blockchain will replace SSL for IoT security.  Blockchains are “distributed ledgers” that are known to be tamper-proof (though there are ways to tamper with them in actuality if you own enough of the computing power validating the transactions). This design works fine for certain Internet applications like bitcoin, but I don’t see the blockchain fitting well into the IIoT.

Size matters

First of all, since there is no central ledger, all participating devices must contain, or have access to, the entire ledger.  No entry can ever be removed from the ledger.  As the number of devices grows, and the number of transactions it contains grows, the size of the ledger grows geometrically.  The size of the bitcoin blockchain is roughly doubling every year and currently is over 60GB.  For an IoT node to fully trust the blockchain it would need a geometrically growing amount of storage.  That’s obviously not possible.

So, individual devices can prune the blockchain and store only the last few minutes or seconds of it, hoping that nearby peer devices will provide independent confirmation that their little piece of the blockchain is cryptographically secure. That produces a possible line of attack on the device, where nearby devices could lie, and produce a satisfactory probability of truth in the “mind” of the target device.

Thus security is based on the availability of massive storage, and attempts to reduce that storage requirement diminish security.  As far as I can tell this is an unsolved problem right now.

Too much connectivity?

The second problem with blockchains is that they assume that every transaction in the system must be transmitted to every participant in the blockchain.  Yes, when somebody’s fridge turns on in Paris, every one of the billions of devices participating in the blockchain must be told.  If they are not, then their local copy of the blockchain is inconsistent and they cannot trust the next transaction, which they might actually be interested in.  As the number of devices and transactions rises, the amount of worldwide network bandwidth required to maintain the integrity of the blockchain grows geometrically.  One article I read says that on a 10Mbit Internet connection the theoretical maximum number of transactions in the entire bitcoin universe that connection could sustain would be 7 transactions per second.  Seven.

The result of these two limitations is that a blockchain probably cannot be used to carry the actual data that the devices produce.  Instead it is more likely to be used as an authentication mechanism.  That is, a device that is legitimately on the blockchain can be verified as being itself based on something that the blockchain knows.  My personal opinion is that it sounds very much like the blockchain would become a distributed certificate authority.  Instead of having the current SSL “chain of trust” of certificates, you would have a “blockchain of trust”.  But since an individual device could not contain the entire blockchain you would still need a server to provide the equivalent of certificate validation, so there’s your point of attack.

There are some examples of IoT devices using blockchains, like a washing machine that buys detergent using bitcoins, that are using misdirection to claim the use of blockchains.  Yes, they are using blockchains in their bitcoin transactions because that’s how bitcoin works, but the maintenance data they produce (the real point of the blockchains-for-IoT conversation) are not being transmitted via blockchain at all.

I have yet to see a practical application of blockchains to IoT data or even to IoT authentication.  The conversation at the moment is in the realm of “it would be nice” but the solutions to the implementation problems are not clear.  Incidentally the same problems exist for bitcoin and there are no clear solutions in that space either.


DoublePulsar – Worse Than WannaCry

In a world still reeling from the recent WannaCry attacks, who wants to hear about something even worse?  Nobody, really.  And yet, according to a recent article in the New York Times, A Cyberattack ‘the World Isn’t Ready For’, the worse may be yet to come—and we’d better be prepared.

Reporting on conversations with security expert Mr. Ben-Oni of IDT Corporation in Newark, NJ, the Times said that thousands of systems worldwide have been infected with a virus that was stolen from the NSA at the same time as the WannaCry virus.  The difference is that this second cyber weapon, DoublePulsar, can enter a system without being detected by any current anti-virus software. It then inserts diabolical tools into the very kernel of the operating system, leaving an open “back door” for the hacker to do whatever they want with the computer, such as tracking activities or stealing user credentials.

“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”

The concern is that DoublePulsar can remain hidden, providing a platform from which hackers can launch attacks at any time.  It may already be running on systems in hospitals, utility companies, power infrastructure, transportation networks, and more.  Ben-Oni had secured IDT’s system with three full sets of firewalls, antivirus software, and intrusion detection systems.  And still the company was successfully attacked, through the home modem of a contractor.

Closing the Door on DoublePulsar

Severity of the threat aside, this scenario points out once again the inherent weakness of relying on a VPN to secure an Industrial IoT system.  Had that contractor been connecting to a power plant, an oil pipeline, or a manufacturing plant over a VPN, it is likely that DoublePulsar could have installed itself throughout the system.  As we have explained in our white paper Access Your Data, Not Your Network, this is because a VPN expands the plant’s security perimeter to include any outside user who accesses it.

This threat of attack underscores the importance of the secure-by-design architecture that Skkynet’s software and services embody.  By keeping all firewalls closed, a cyber weapon like DoublePulsar cannot penetrate an industrial system, even if it should happen to infect a contractor or employee.  SkkyHub provides this kind of secure remote access to data from industrial systems, without using a VPN.

Growing IIoT Security Risks

As the Industrial Internet of Things (IIoT) grows, the security risks grow as well, according to a recent article by Jeff Dorsch in Semiconductor Engineering. According to his sources, the use of the IIoT is expanding both in the number of new implementations and in how the data is being used. In addition to the traditional SCADA-like applications of machine-to-machine (M2M) connectivity, monitoring, and remote connectivity, it seems that more and more the IIoT is being used to power a data-driven approach to increasing production efficiency. Using big data tools and technologies, companies can employ better and more sophisticated analytics on industrial process data, thereby enhancing operational performance based on real-time data.

With the increase in use of the IIoT comes a corresponding increase in the potential for risk. Looking at the big picture, Robert Lee, CEO of Dragos and a national cybersecurity fellow at New America, commented, “There are two larger problems that have to be dealt with. First, there are not enough security experts. There are about 500 people in the United States with security expertise in industrial control systems. There are only about 1,000 worldwide. And second, most people don’t understand the threats that are out there because they never existed in the industrial space.”

Both of these problems are real, and need to be addressed. And as is often the case in issues of security, the human factor is closely intertwined with both. On the one hand, there is a crying need for security experts worldwide, and on the other hand the man on the street, or in our case on the factory floor, in the control room, or in the corporate office, needs to quickly get up to speed on the unique security risks and challenges of providing data from live production systems over the Internet.

Addressing the Problems

As we see it, correctly addressing the second problem can help mitigate the first one.  When we understand deeply the nature of the Internet, as well as how the industrial space may be particularly vulnerable to security threats from it, then we are in a position to build security directly into control system design.  A secure-by-design approach provides a platform on which a secure IIoT system can run.

Like any well-designed tool, from electric cars to smart phones, the system should be easy to use. When the platform on which a system runs is secure by design, it should not require someone with security expertise to run it. The expertise is designed in. Of course, the human factor is always there. Users will need to keep their guard up: properly handling passwords, restricting physical access, and adhering to company policies. But they should also have confidence in knowing that security has been designed into the system they are working on.

Thus, the most effective use of our world’s limited security manpower and resources is to focus them on understanding the unique security challenges of the IIoT, and then on designing industrial systems that address these challenges. This has been our approach at Skkynet, and we find it satisfying to be able to provide a secure IIoT platform that anyone can use.  We are confident that through this approach, as the IIoT continues to grow, the security risks will actually diminish for our users.