Securing the Industrial IoT: What's going on?

By Georgina Elrington

Today's industrial technology settings have more interfaces than ever before, making industrial systems some of the most attractive targets for malware and ransomware attacks. Most of the top industrial IoT (IIoT) security concerns relate to this increasing openness – and the slow pace of industry’s response to it.

Once-secure systems are now more accessible

Today's IIoT spans both Operational Technology (OT) – the hardware and software systems that control physical industrial processes – and Information Technology (IT), and it requires a multilayered security approach. “One of the biggest challenges that organisations with industrial systems now have is that they are increasingly connecting them to the broader IT infrastructure, for reasons of operational efficiency and effectiveness,” says Sean Newman, director at Corero Network Security. He adds that, traditionally, OT systems were never designed with IT security in mind. Recognition of the need for a multilayered approach is rising, however, as confirmed by Patrick McBride, chief marketing officer at industrial network security firm Claroty. He told us that demand for purpose-built security technologies for industrial networks is growing fast, as is better integration between IT security and OT operations teams.

Regulation isn’t good enough

Patrick Daly covers emerging technologies in IoT security as an associate analyst for 451 Research. He points out security weaknesses arising from the state of regulation: “There isn't a whole lot of regulation around the IIoT. Where we see the most of it is in electric utilities from organisations like the North American Electric Reliability Corporation Critical Infrastructure Protection body (NERC-CIP) … while NERC-CIP is a good starting point for establishing a security posture, most of its provisions are not sufficient to deal with the threats that we are seeing today.”

Daly adds that while the regulations aren't good enough, they are at least ensuring that there is some level of security process going on in power utilities. “In manufacturing or another critical infrastructure industry beside the electric utility space, you don't even have that baseline level of regulation governing your security policies,” he says. This is partly because those systems weren't initially intended to be connected, so regulators are struggling to keep up and to determine the best way to react to the changes that the IIoT is bringing.

Many companies aren’t that well prepared

Innovation in IIoT is specifically impacting sectors that use OT, such as energy, oil and gas, transportation, and manufacturing. However, despite evidence and warnings, many industrial players still don't feel prepared for a hit, and only a small percentage have embraced a full-scale security approach.

Tripwire – a provider of security and compliance solutions for industrial organisations and enterprises – has released the findings of a survey into ICS (Industrial Control Systems) security in the energy and oil and gas industries. About two-thirds of the IT and OT security respondents said that lack of budget and investment continues to be the greatest barrier to meeting ICS security goals, and 56 percent of those respondents believed that it would take a significant attack to drive proper levels of investment. While 91 percent are worried about an attack on their ICS, only 35 percent said that they currently implement a multilayered approach to ICS security.

The threat of attack is increasing

There has been an increase in the frequency and severity of threats and attacks impacting the IIoT in the last 18 months. While these may not have resulted in actual security breaches, it seems clear that actors are attempting to establish persistence in IIoT environments as part of a longer agenda. We've also seen rapid expansion of WannaCry and NotPetya malware from the IT network to the OT environment, highlighting that IIoT networks are not as air-gapped for security as first thought.

Many devices and security protocols are outdated

Plants and operations commissioned twenty to thirty years ago are still running some old, often unpatched, equipment. Further, in terms of remote authentication and access control – as IIoT networks span multiple sites and geographies – many networks could be better managed and monitored. This includes the need for higher authentication levels and security in process sensors, gateways, and the transmission of data.

Chris Clark, principal security engineer of global solutions at software integrity specialist Synopsys, says: “Many IIoT providers [i.e., manufacturers of devices, as well as providers of applications and software platforms for IIoT] utilise traditional security practices to attempt to protect their solution, yet we continue to see breaches and vulnerabilities. IIoT providers need to look at how they develop their software in a way that ensures cybersecurity is a foundational element of their development practice. By utilising architectural review, automated quality and security tools, IIoT providers can help ensure that cybersecurity best practice is a core component.”

Start-ups and industry associations are tackling the issues

Reducing the threat landscape means adopting a truly holistic approach – on every device, every route, every part of the network – and implementing better management and maintenance. In response, start-ups such as Claroty, Nozomi Networks, and Dragos have emerged, and the industry is backing the quest.

Claroty enables deeper visibility, threat detection, secure remote access, and risk assessments for ICS and OT. The company recently secured US$60 million from a global syndicate and will use the investment for expansion and product innovation. Nozomi Networks, which offers real-time cybersecurity and visibility for ICS, raised US$15 million back in January to fund global expansion of its early warning system for cyber attacks and wider system issues. And Dragos is building what it claims to be the first industrial cybersecurity ecosystem. It attracted US$10 million to advance its analytics for identifying adverse behaviours, and also partnered with operational intelligence firm OSIsoft to give the ICS community a broader analysis of both network and operational data, so that threats can be detected and responded to more effectively.

A handful of specialist groups are hot on the trail of IIoT security, too. The Industrial Internet Consortium has published studies including Key Safety Challenges for the IIoT and Endpoint Security Best Practices, and the IoT Security Foundation keeps a list of useful resources on its website.

 
