Article

Cyber Security Risks and Challenges for the Industrial Internet of Things

Posted September 13, 2017 | Technology | Amplify
security
In this issue:

 
CUTTER BUSINESS TECHNOLOGY JOURNAL VOL. 30, NO. 7
  


Anjali Kaushik and Kanishk Gaur discuss the most important reason for not adopting IIoT: security. In this article, they warn readers of the possible damage that can result from a lack of adequate security, providing several real-world examples of the harm caused by past cyber attacks. 

In recent years there has been significant growth in the Industrial Internet of Things (IIoT), both in terms of the types of devices getting connected and the applications for which they are used. The number of Internet-connectable devices worldwide has increased from 8 billion in 2011 to 17.4 billion in 2016. This connectivity is providing benefits such as better analytics to improve productivity and quality, predictive maintenance, and remote monitoring of industrial equipment. The growth of the IIoT is also bringing challenges, such as the need for a strategy to manage high data volumes and promote secure coding practices in IIoT devices.

As the Internet reaches beyond computers and mobile phones to other devices — especially in industrial systems — the threat of remote exploitation is also extending to new areas. Nearly half of US firms using an IoT network have been hit by a recent security breach, which can cost up to 13% of a smaller company’s annual revenue. IoT attacks expose companies to the loss of data and services and can render connected devices dangerous to customers, employees, and the public at large. The potential vulnerabilities for firms of all sizes will continue to grow as more devices become Internet dependent.

While some risks in the IIoT arise from its unprecedented scale (with such a large number of inadequately protected things connected to the Internet), other risks stem from the nature of these devices and how they are designed, deployed, and managed. These risks range from malware attacks, hacktivism, and espionage to physical damage or sabotage. When deployed in an industrial control system (ICS) or production process, the IIoT controls switches, valves, and motors, which in turn may control vital systems. Critical infrastructure sectors such as power, oil, natural gas, manufacturing, and transportation use IIoT devices as sensors and actuators for automation, remote monitoring, and control. The controllers themselves may be Internet accessible. As a result, cyber attacks in the industrial space can have severe consequences for operations and safety.

An awareness of IIoT risks and challenges and how to manage them is important to making safe and beneficial use of the Industrial Internet of Things. In this article, we discuss those risks and challenges. To make the IIoT viable, organizations will need a strategy to address them.

Possible Risks

The possible risks to IIoT devices include reduced performance, reduced quality, poor reliability, and nonavailability of the IIoT device owing to physical damage/destruction of the production system deploying it. Other risks may arise from a “botnet of things,” data leaks, and increased concerns around privacy, interoperability, and data access privileges.

Physical Damage/Destruction and Operational Losses

If malicious attackers wish to take over IIoT devices remotely, they can do damage by calling, texting, or clicking from anywhere on the Internet. As the Stuxnet incident shows us, the possibility of cyber-physical attack is real. IIoT devices are now used in power plants, water pumps, and oil rigs, and these devices appear to be far less secure than we might assume.

An insecure remote access control protocol can allow a cyber criminal to hijack a process control system and push parameters to unsafe levels. For instance, in 2000, in what is known as the Maroochy Shire incident, a hacker remotely seized control of an Australian wastewater facility on 46 separate occasions and, over the course of two months, spilled 264,000 gallons of sewage into nearby streams and rivers.

In another incident in Germany in 2014, attackers used spear phishing and social engineering to gain access to the office network of a steel plant. This gave them access to the production network and further to the devices controlling the production machines. The outages in the production machines prevented the plant from appropriately shutting down a blast furnace, leaving it in an undetermined state. This resulted in significant damage to the plant. In such attacks, the malware is introduced through conventional IT systems and goes on to affect the operating system in the device. For the attacker, it requires specialized knowledge of not only corporate IT, but also industrial control systems and the production processes.

Given the vulnerabilities in today’s corporate IT (which includes firewalls, routers, desktops, and mobile devices), significantly better security will be required, even in small and seemingly insignificant IIoT devices. This is even more the case as such devices may be interconnected, and thus an insignificant IIoT device may lead to an important control device.

In 2017, the WannaCry ransomware attack crippled the UK National Health Service and severely impacted operations in different organizations. Likewise, car manufacturers Renault, Nissan, and Honda were forced to shut down their production facilities because systems were infected with WannaCry. Such malware attacks can disrupt the operations of IIoT devices and gain unauthorized access to production systems and corporate IT systems. There have been instances where IIoT devices have been compromised, allowing unauthorized users to perform surveillance and monitoring, gain access to or control production systems, and induce device or system failures.

IIoT devices may leak private user data, both from the cloud (where the data is stored) and between IIoT devices themselves. Most IIoT devices do not encrypt data that is being transferred; the clear-text data can be read in transit. This can cause a breach and is a potential risk to the safety and security of the systems.

“Botnet of Things”

Most IIoT devices are vulnerable to compromise and capable enough to be part of a distributed attack. If we do not deploy adequate security measures on these devices, multiple hacked connected “things” can be taken over and then used for coordinated distributed denial-of-service (DDoS) attacks. Many devices that unknowingly contribute to DDoS attacks are not behind any firewall or else have weak default firewall configurations which, again, are easily compromised. Individual IIoT devices that are compromised can be pulled into a new botnet anytime.

In 2016, the Mirai botnet caused a massive DDoS attack that brought down parts of the Internet using a large number of hacked surveillance cameras and home routers. Devices infected by Mirai malware continuously scan the Internet for the IP address of IoT devices. Mirai then identifies vulnerable IoT devices (those using common factory default usernames and passwords), logs into them, and infects them. In another incident in 2016, routers from Deutsche Telekom crashed due to exploitation by a variant of Mirai, which resulted in Internet connectivity problems for the users of these devices. Such DDoS attacks can cause immense damage.

Privacy, Interoperability, and Data Access Privileges

A security breach in an IIoT device can have implications for life and property. This risk is heightened if the devices are deployed in the healthcare industry. A malware or ransomware attack on thermostats or medical appliances in hospitals (body scanners, infusion pumps, etc.) can threaten human lives and safety. Privacy requirements and data access privileges must be carefully crafted in IIoT devices. In addition, standards are needed to facilitate interoperable installations and seamless integration involving many different vendors’ devices.

Common IIoT Flaws and Vulnerabilities

Failure to Observe Fundamental Security Principles

Not all vulnerabilities stem from the technologies themselves — behavioral aspects also come into play. For instance, a lack of security awareness within the organization can inadvertently expose systems to cyber attacks, such as when employees bring portable media that is infected with malware. Some operations employees working on the IIoT simply believe their systems are an unlikely target, and therefore they are reluctant to change their behaviors and implement new security protocols.

Many IIoT breaches are caused by exploiting the rudimentary default passwords that connected device owners didn’t bother to change, as in the Mirai attacks discussed above. In August 2017, Bharat Sanchar Nigam Limited (BSNL), an Indian national telecommunications company, suffered a malware attack that targeted 60,000 modems with a default “admin-admin” username/password combination. BSNL’s broadband customers had not changed the modems’ default user name and password, thus enabling the breach.

Most IIoT devices have a Web or mobile interface. If the interface is vulnerable, it may lead to a breach in the system. Sometimes, the data access privileges flout basic security principles such as “least privilege” and “need to know.”

Finally, the majority of IIoT devices do not encrypt data that is being transferred. As mentioned above, this means the clear-text data can be read in transit. This can cause a breach and is a potential risk to the safety and security of the systems.

Outdated Software

The updating of software and plugging of vulnerabilities do not occur as promptly with IIoT devices as in corporate IT. As a result, devices may be running vulnerable and outdated software, which can be easily compromised. If used in process automation and industrial control systems, such software can compromise the quality and specifications of products, be a safety hazard, and cause damage.

In some cases, IIoT devices may be dispatched from the factory with embedded software that is either outdated from the start or becomes outdated over time. In other IIoT devices, the device may carry more current software, but vulnerabilities may be discovered in the future. This makes the IIoT device less secure unless there is an automated mechanism to update the software.

A number of IIoT devices allow for automated software updates. In such cases, the system may fail if the corresponding authentication mechanism is not robust. Weak authentication mechanisms can be misused by an attacker to compromise the IIoT device.

Increased Connectedness, Data Volumes

Until recently, enterprise information systems and production systems were not linked to IIoT devices. The new trend toward connectedness has brought the challenge of developing a unified, secure enterprise architecture. Also, a huge volume of data is expected to be generated as a result of the growth in interaction between devices and systems. The real value of the IIoT comes from the ability to extract, organize, and mine this data and take proactive action based on the insights gained. For example, the device data can be used to design safer and more efficient mechanisms, practice predictive maintenance in ICS, and so on. Organizations will need a strategy to manage the high data volumes and push secure coding practices in IIoT devices.

Crafting a Mitigation Strategy

The IIoT risk is real. A strategy to manage this risk is a must, and the following components can help.

Proactive Awareness and Understanding of the Risks

The IIoT is not a standalone device. Organizations that adopt it must embrace a total system perspective that takes into account vulnerabilities in the devices, firewall security, network connections, cloud services, and the Internet itself. Along with that, organizations need to proactively assess how integrating the IIoT with ICS and corporate IT will affect their risk profile. They should also conduct security awareness trainings on behavioral issues such as failure to change default passwords, improper use of portable devices, and similar security risks.

Pushing Secure Coding Practices for the IIoT

Organizations and industry vendors that are developing IIoT devices need to embed robust security and privacy practices into their design and development. Data access privileges should be based on established security principles such as “least privilege” and “need to know.” Data in transit between IIoT devices or between an IIoT device and a corporate IT system must be encrypted. Organizations should avoid the tendency to introduce beta test versions of systems without conducting sufficient trials in an IIoT device.

Vendors need to design IIoT devices so that they can receive software updates over their entire lifespan. This will help user organizations in the rapid automated remediation of serious flaws. This is important, as new vulnerabilities may be discovered in IIoT devices over a period of time. The automatic updates should be supported with a robust authentication mechanism. For instance, IIoT devices can be designed with unique credentials, and users can be made to change the default password upon first use.

Furthermore, organizations should implement resilient system architectures that can inherently minimize the risk in case of a breach or failure of an IIoT device. This may be done through techniques such as segregation, backup, redundancy, proactive monitoring, and so forth.

For consumer IoT, the end user is also the system administrator. Organizations that deploy IIoT devices can define the role of IIoT device administrator depending on the ICS and production processes in which each device is deployed. For instance, devices deployed on the shop floor can be connected so that they give a warning signal to the supervisor or local maintenance technician in case of a security flaw. This can aid in better management of IIoT devices.

Cyber Insurance

A possible strategy to reduce (or mitigate) IIoT breaches is cyber insurance. Lower insurance premiums for more secure IIoT devices would be an incentive for organizations to take IIoT security seriously. Cyber risk issues that challenge insurability and market development include:

  • Lack of awareness of cyber insurance products. The biggest challenge in obtaining the insurance is business leaders’ lack of awareness of cyber being an insurable risk.
     
  • Low level of cyber insurance coverage. The level of coverage provided by the insurer may not meet the organization’s need. Insurers must also take the initiative and communicate to business leaders the value of cyber insurance in coping with cyber risk.
     
  • Problems in fixing liability. When major disruptions occur due to an IIoT device, is it the fault of the manufacturer, the vendor, the person or organization that deployed the device, the cloud or back-end communications provider, or the user of the device? More work needs to be done to define possible scenarios and standardize the cyber insurance industry’s methods for establishing liability for irresponsible cyber security actions.
     
  • Difficulty in pricing cyber insurance products. Standardized definitions are needed across the cyber insurance industry. For instance, how are different risks — and the policies surrounding those risks — defined? This will require data and analysis of that data to fine-tune the pricing models. Another approach would be to set up a forum to facilitate the sharing of insights on cyber disaster scenarios, with a view to improving the ability to underwrite risks and understand their aggregation.
     
  • Uncertainty as to what is covered under a cyber insurance policy. What further complicates the development of cyber risk insurance offerings is the fact that traditional insurance products have not been designed to protect clients against cyber risks. In fact, underwriters of traditional business insurance lines have reacted to the emergence of this new class of risk by introducing cyber exclusions. The resulting mix of implicit and explicit coverage creates a complex situation in which the buyer is never able to ascertain the true level of coverage for any given cyber risk scenario.
     

With ransomware-based attacks increasing day by day and attack vectors getting more complex, it is not possible for the insurance market to develop a dedicated product line that addresses many of the key risks clients face. Hence true end-to-end cyber insurance coverage remains a far-off dream for today’s business users. Instead, businesses can explore the possibility of purchasing cyber-specific coverage in the form of extensions to traditional policies or as standalone cyber policies.

More Advanced System R&D

To ensure that all known risks are reasonably managed, it is a good idea to study a few categories of IIoT devices in research and development. This research can specifically focus on design and development of trustworthy systems. Blockchain technology appears to have immense potential for increasing IIoT security as it can transfer data in a way that is transparent, safe, auditable, and resistant to outages. This can help IIoT devices to update software and manage bugs directly.

Government Regulation

Electronic products that have the potential to hurt or kill people or cause serious business disruptions need to be brought under some form of government regulation and testing. IIoT device development, distribution, and maintenance processes need to be strengthened by ensuring that robust security and privacy practices are used in design and development. National governments can play an active role in harmonizing international best practices for the IIoT and deciding on security checks and compliance requirements. The distribution of IIoT devices that suffer from significant security and privacy issues must be prevented.

Discretion Is the Better Part of IIoT Valor

How much automation is too much? When extending Internet connectivity to the process automation industry and industrial control systems, we need to measure the risk and then decide which types of devices should (and should not) be connected and the applications for which they can be used. It may simply be too risky to connect all types of devices to the Internet. An organization’s IIoT strategy should be supported by a formal risk management plan that addresses such issues. Meanwhile, governments can intervene by clearly defining the categories of IIoT devices that, in view of the health and safety risks, they deem too risky to be connected. Overall, IIoT devices have increased the vulnerability of all stakeholders, and we need to take responsible steps to reduce cyber attacks and make the IIoT viable.

 

About The Author
Anjali Kaushik
Cutter Fellow Anjali Kaushik is a Professor at the Management Development Institute (MDI), Gurgaon, India, and Chair for MDI’s Center on Emerging Technologies, which conducts capacity building in artificial intelligence, blockchain, and the Internet of Things. She also leads a cybersecurity fellowship program for senior Indian government officers. Dr. Kaushik has worked as a consultant on various projects related to strategic planning,… Read More
Kanishk Gaur
Kanishk Gaur is a Senior Manager with Deloitte Touche Tohmatsu LLP in the Cyber Risk Advisory Practice. He has more than 10 years of experience in information and cyber security consulting, advising both enterprise and government clients in the areas of risk management and business protection. Prior to joining Deloitte, Mr. Gaur spearheaded an advanced security service line for EY in North India, where he advised various banking, telecom, and… Read More