Growing IIoT Security Risks

As the Industrial Internet of Things (IIoT) grows, the security risks grow as well, according to a recent article by Jeff Dorsch in Semiconductor Engineering. According to his sources, the use of the IIoT is expanding both in the amount of new implementations, as well as how the data is being used. In addition to the traditional SCADA-like applications of machine-to-machine (M2M) connectivity, monitoring, and remote connectivity applications, it seems that more and more the IIoT is being used to power a data-driven approach to increasing production efficiency. Using big data tools and technologies, companies can employ better and more sophisticated analytics on industrial process data, thereby enhancing operational performance based on real-time data.

With the increase in use of the IIoT comes a corresponding increase in the potential for risk.  Looking at big picture, Robert Lee, CEO of Dragos, and a national cybersecurity fellow at New America commented, “There are two larger problems that have to be dealt with. First, there are not enough security experts. There are about 500 people in the United States with security expertise in industrial control systems. There are only about 1,000 worldwide. And second, most people don’t understand the threats that are out there because they never existed in the industrial space.”

Both of these problems are real, and need to be addressed.  And is often the case in issues of security, the human factor is closely intertwined with both. On the one hand, there is a crying need for security experts world wide, and on the other hand the man on the street, or in our case factory floor, control room, or corporate office, needs to quickly get up to speed on the unique security risks and challenges of providing data from live production systems over the Internet.

Addressing the Problems

As we see it, correctly addressing the second problem can help mitigate the first one.  When we understand deeply the nature of the Internet, as well as how the industrial space may be particularly vulnerable to security threats from it, then we are in a position to build security directly into control system design.  A secure-by-design approach provides a platform on which a secure IIoT system can run.

Like any well-designed tool, from electric cars to smart phones, the system should be easy to use.  When the platform on which a system runs is secure by design, it should not require someone with security expertise to run it.  The expertise is designed-in.  Of course, the human factor is always there.  Users will need to keep their guard up—properly handling passwords, restricting physical access, and adhering to company policies.  But they should also have confidence in knowing that security has been designed into system they are working on.

Thus, the most effective use of our world’s limited security manpower and resources is to focus them on understanding the unique security challenges of the IIoT, and then on designing industrial systems that address these challenges. This has been our approach at Skkynet, and we find it satisfying to be able to provide a secure IIoT platform that anyone can use.  We are confident that through this approach, as the IIoT continues to grow, the security risks will actually diminish for our users.

Secure by Design for IIoT

Securing the Industrial IoT is a big design challenge, but one that must be met. Although the original builders of industrial systems did not anticipate a need for Internet connectivity, companies now see the value of connecting to their plants, pipelines, and remote devices, often over the Internet. The looming question: How to maintain a high level of security for a mission-critical system while allowing remote access to the data?

As you can imagine the answer is not simple.  What’s called for is a totally new approach, one that is secure by design.  This blog entry, published on the ARC Advisory’s Industrial IoT/Industrie 4.0 Viewpoints blog, gives an overview of why standard industrial system architecture is not adequate to ensure the security of plant data on the Internet, and introduces the two main considerations that must go into creating a more secure design.

Recent IoT Attack on Dyn Calls for Secure By Design

The recent denial of service attack on Dyn, a DNS service company for a huge chunk of the Internet, sure woke up a lot of people.  Somehow when it happens to you, you tend to feel it more.  Twitter, Netflix, Reddit, eBay, and Paypal users certainly felt it when they couldn’t access those sites.  Now that most of us are awake, what can we do about it?

In the short term, not a lot, apparently.  In a recent article about the attack titled Vulnerability Is the Internet’s Original Sin, Internet security expert and author of Dark Territory: The Secret History of Cyber War, Fred Kaplan points out that from the beginning the costs and challenges of designing security into the Internet from the ground up was considered too challenging and costly.

Kaplan tells how, back in 1967, Willis Ware, the head of the Rand Corporation’s computer science department and a NSA scientific advisory board member, wrote a paper warning the ARPANET team and others that “once you put information on a network—once you make it accessible online from multiple, unsecure locations—you create inherent vulnerabilities … You won’t be able to keep secrets anymore.”

The Dyn attack was simple in concept and easy to execute.  The devices used were accessible household appliances and electronics, configured out of the box with simple default user names and passwords like “username”, “password”, and “12345”.  The virus cycled through these default credentials to recruit thousands of devices into a giant collective, which was then coordinated to flood Dyn with traffic.

To prevent this kind of hack, device manufacturers may start updating their devices to ensure more secure usernames and passwords.  But that ignores the elephant in the room.  The fundamental problem is that these IoT devices are available (they are always on, ready to communicate over the internet), they are accessible (they can be seen on the internet), and they are numerous (with numbers growing exponentially).  This combination of availability and accessibility, multiplied by the huge numbers, makes IoT devices perfect for coordinated attacks.  We can be sure that the bad actors are already working hard on defeating username/password protection on IoT devices.

Considering the first of these three critical factors, IoT functionality requires that IoT devices are available for communication.  There is not a lot we can do about availability.  Secondly, the business opportunities and economic promise make device proliferation unstoppable.  We have to expect continued rapid growth.  But we can do something about the third critical factor: accessibility.

No IoT device should be sitting on the Internet with one or more open ports, waiting for something to connect to it.  The device can and should be invisible to incoming probes and requests to connect.  A hacker or bot should not even see the device, let alone be given the chance to try a username or password.  That technology exists, is easy and inexpensive to implement, and has been proven in thousands of industrial installations for over a decade.  Governments and manufacturers need to be employing it across the full range of IoT applications.