Industrial Internet of Things Dangers

July 17, 2019

Today’s industrial technology settings have more interfaces than ever before, making industrial systems some of the most attractive targets for malware and ransomware attacks. Most of the top industrial IoT (IIoT) security concerns relate to this increasing openness – and the slow pace of industry’s response to it.
One of the biggest challenges that organisations with industrial systems now have is that they are increasingly connecting them to the broader IT infrastructure, for reasons of operational efficiency and effectiveness

Simon Sherrington, MD

Get in touch on 07917 541246 to discuss what we can do for your business.

Once-secure systems are now more accessible

The IIoT today includes Operational Technology (OT) – the hardware and software systems that control physical industrial processes – and Information Technology (IT) and requires a multilayered security approach. “One of the biggest challenges that organisations with industrial systems now have is that they are increasingly connecting them to the broader IT infrastructure, for reasons of operational efficiency and effectiveness,” says Sean Newman, director at Corero Network Security. He adds that, traditionally, OT systems were never designed with IT security in mind. Recognition for the need for a multilayered approach is rising, however, as confirmed by Patrick McBride, chief marketing officer at industrial network security firm Claroty. He told us that demand for purpose-built security technologies for industrial networks is growing fast, as is better integration between IT security and OT operations teams.

Regulation isn’t good enough

Patrick Daly covers emerging technologies in IoT security as an associate analyst for 451 Research. He points out security weaknesses arising from the state of regulation: “There isn’t a whole lot of regulation around the IIoT. Where we see the most of it in electric utilities from organisations like the North American Electric Reliability Corporation Critical Infrastructure Protection body (NERC-CIP) … while NERC-CIP is a good starting point for establishing a security posture, most of its provisions are not sufficient to deal with the threats that we are seeing today.”

Daly adds that while the regulations aren’t good enough they are at least ensuring that there is some level of security process going on in power utilities. ”In manufacturing or another critical infrastructure industry beside the electric utility space, you don’t even have that baseline level of regulation governing your security policies,” he says. This is partly due to the fact that those systems weren’t initially intended to be connected, so regulators are struggling to keep up and trying to determine the best way to react to the changes that the IIoT is bringing.

Many companies aren’t that well prepared

Innovation in IIoT is specifically impacting sectors utilising OT such as energy, oil and gas, transportation, and manufacturing. However, despite evidence and warnings many industrial players still don’t feel prepared for a hit and only a small percentage have embraced a full scale security approach.

Tripwire – a provider of security and compliance solutions for industrial organisations and enterprises – has released the findings of a survey into ICS security in the energy and oil and gas industries. About two-thirds of the IT and OT security respondents cited that lack of budget and investment continues to be the greatest barrier in meeting ICS (Industrial Control Systems) security goals, and 56 percent of those respondents believed that it would take a significant attack to drive proper levels of investment. While 91 percent are worried about an attack on their ICS only 35 percent said that they currently implement a multilayered approach to ICS security.

The threat of attack is increasing

There has been an increase in the frequency and severity of threats and attacks impacting the IIoT in the last 18 months. While these may not have resulted in actual security breaches, it seems clear that actors are attempting to establish persistence in IIoT environments as part of a longer agenda. We’ve also seen rapid expansion of WannaCry and NotPetya malware from the IT network to the OT environment, highlighting that IIoT networks are not as air-gapped for security as first thought.

Many devices and security protocols are outdated

Plants and operations commissioned twenty to thirty years ago are still running some old, often unpatched, equipment. Further, in terms of remote authentication and access control – as IIoT networks span multiple sites and geographies – many networks could be better managed and monitored. This includes the need for higher authentication levels and security in process sensors, gateways, and the transmission of data.

Chris Clark, principal security engineer of global solutions at software integrity specialist Synopsys, says: “Many IIoT providers [i.e., manufacturers of devices, as well as providers of applications and software platforms for IIoT] utilise traditional security practices to attempt to protect their solution, yet we continue to see breaches and vulnerabilities. IIoT providers need to look at how they develop their software in a way that ensures cybersecurity is a foundational element of their development practice. By utilising architectural review, automated quality and security tools, IIoT providers can help ensure that cybersecurity best practice is a core component.”

Reducing the threat landscape means adopting a truly holistic approach – on every device, every route, every part of the network, and implementing better management and maintenance.

Start-ups and industry associations are tackling the issues

Reducing the threat landscape means adopting a truly holistic approach – on every device, every route, every part of the network, and implementing better management and maintenance. In response, start-ups such as Claroty, Nozomi Networks, and Dragos have emerged and the industry is backing the quest.

Claroty enables deeper visibility, threat detection, secure remote access, and risk assessments for ICS and OT. The company recently secured US$60 million from a global syndicate and will use the investment for expansion and product innovation. Nozomi Networks, which offers real-time cybersecurity and visibility for ICS, raised US$15 million back in January to fund global expansion of its early warning system of cyber attacks and wider system issues. And Dragos is building what it claims to be the first industrial cybersecurity ecosystem. It attracted US$10 million to advance its analytics to identify adverse behaviours, and also partnered with operational intelligence firm, OSIsoft to enable the ICS community with a broader analysis of both network and operational data to detect and respond to threats more effectively.

A handful of specialist groups are hot on the trail of IIoT security, too, such as the Industrial Internet Consortium which has published studies including Key Safety Challenges for the IIoT and Endpoint Security Best Practices, and the IoT Security Foundation keeps a list of useful resources on its website. 

[Image licensed to Ingram Image]

Other Tech Stuff

Disruptive media manipulation

Such are the capabilities of AI to help improve the traditional ways of creating manipulated media that there is the potential to disrupt sectors of commerce – as well as presenting a challenge to news organisations and publishers.

VR: Regulation and side effects

VR is still in its early days and its impact on human body and mind is yet to be thoroughly assessed. However, various sources point out that immersive reality and pharmaceutical products may have a thing in common – side effects.

Impact of VR on Healthcare

No universal therapeutic tool is possible because no two medical conditions are the same. For instance, simple 3D images are required for dementia sufferers whose fading memory struggles with the complexity of the real world, while advanced and engaging virtual worlds must be created to distract cancer patients from the painful procedures they have to endure. VR for young children is a whole different story where a fairy-tale, cartoon-like approach is vital.

In Pain? Don a VR Headset

In Pain? Don a VR HeadsetSoftware developers and medics around the world are working to prove that Virtual Reality (VR) powers stretch far beyond gaming and entertainment and have the potential to aid thousands suffering from cancer, anxiety, personality disorders,...

Joseph’s technocapable coat: energy harvesting for smart clothes

Smart clothes are where style and science meet, giving garments a whole host of innovative applications, such as charging depots for personal electronic gadgets, fitness trackers for capturing biometric data and colour-changing fashionable assets that go with everything.

Could AI help spot a fake Donald Trump?

spotting a photograph or video where part of the image has been manipulated. Such a challenge faces news organisations on a regular basis: sensitivity over “fake news” means responsible publishers are on heightened alert to potential manipulation.

Telecom Industry Slices 5G

Network slicing, a key feature of 5G, lets operators automatically create separate, virtual end-to-end networks over the same physical infrastructure.

Electric Vehicles: Charging Infrastructure Policy Stifling Adoption

Financial incentives are available to encourage EV drivers with access to off-street parking to install home-charging units. Local councils have access to funding to install on-street EV chargers. The former has been successful, the latter has so far failed.

FarmTech: Application of Drones

Drones are eyes in the sky helping farmers gain insight into crop growth and about microclimates within individual fields …