Industrial IoT: Protecting the Physical World from Cyber Attacks

The convergence of industrial IoT and intelligent automation has been a boon for many enterprises, allowing machines to take on tasks that previous generations of automation could not handle. This shift mirrors the way that connected devices have transformed home life for many consumers. Companies are now able to automate tasks through a connected network spanning devices, applications and control systems. This includes things as simple as smart lighting in an office building to more industrial applications, like self-driving mining equipment or robotics.

A recent survey from McKinsey found that 98 percent of business leaders report including industrial IoT initiatives in their strategic road maps. Those same respondents believed that key executives have recognized industrial IoT’s value, with nearly half reporting that company leaders either strongly supported or were directly engaged in industrial IoT initiatives.

The benefits from industrial IoT seem clear, but these advancements have not come without risk. Connected devices have been associated with poor security and attackers are targeting them to get access to and infiltrate otherwise well-defended networks. Industrial IoT in the enterprise expands the threat landscape by opening up new vulnerabilities that can be exploited across endpoints, applications, cloud infrastructure and networks. Adding to the challenge, a lack of transparency of devices on the network means these weak points can often go unseen, which is compounded by the lack of device-level security. 

With so many companies embedding computing and connectivity into different devices — factory robots, medical equipment, and industrial control systems — the consequences of security vulnerabilities are not only serious but also have an increasing impact beyond the digital world and into the physical.

Industrial IoT: More devices, more risks

Enterprises looking to streamline many aspects of day-to-day work, including manufacturing, operations, and logistics, are the ones driving adoption of industrial IoT technology. These implementations are becoming more common, even in unexpected ways. Something as simple as a smart light bulb, as mundane as an elevator, or as complex as a factory robot may all be connected to the same network, yet under the covers each can hide a small-footprint Windows, Linux or other UNIX operating environment that must be protected. As industrial IoT continues to grow in the years to come, the types of deployments will be divided into two major categories:

● Fixed-function devices – Connected devices that exist on the outer edge of the typical IT purview, such as building components (cameras, lighting, locks, etc.) and collaboration tools (video conferencing, smart TVs, etc.).

● Operational Technology (OT/IIoT) – Industrial and operations technologies such as Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control Systems (DCS) that run the business behind the scenes. 

Consider the recent VPNFilter malware attack. According to reports, at least one million routers were infected with the VPNFilter malware, which allowed attackers to monitor traffic on infected devices or even remotely destroy them, cutting off internet access. That number continues to rise, as does the number of different routers that are vulnerable. This attack was focused on a consumer audience, but it is highly relevant because the attack surface the attackers used is an unprotected landscape, clearly rife with potential vulnerabilities, like much of the enterprise world. Further, the same type of attack could be used to intercept transmissions from an industrial control system or shut down an elevator bank in a skyscraper. The VPNFilter malware itself is designed, in part, to monitor SCADA protocols – the type of system that would typically control a manufacturing plant.

While attacking someone’s computer can lead to a loss of data, trade secrets and major problems, the attack of industrial systems can bring businesses to a screeching halt or even endanger lives. As if today’s CISO didn’t have enough to be concerned with inside of their traditional IT landscape, the explosion of these connected systems is making their job harder than ever before.   

For years, the priority has been placed on securing and protecting data, and many of the most devastating attacks we have seen involve slow-and-low advanced threats focused on exfiltrating massive amounts of PII, credit card numbers, or in some cases intellectual property. However, attacking and taking control of systems that are running factory robotics, a nuclear power plant, or even critical medical equipment is simply a different animal. Unfortunately, as we’ve seen far too often, many of these device makers (particularly many smaller ones) tend to focus on the unique service their technology delivers, yet do not understand or disregard the security risks that may be introduced. This leaves the security organization in a predicament as they work to empower the needs of the business while doing so securely.

How to protect Industrial IoT Deployments

While the current state of IoT security leaves many longer-term concerns that must be addressed, there are ways businesses can protect themselves today. The first step to securing industrial IoT is simple – understand what is connected to your network. So many different devices can be connected that, when you don’t know what is on your network, it’s easy for even the simplest of things, such as changing default passwords on new devices, to fall through the cracks. IT leaders need to work together with both business and operations leaders to ensure processes are in place to prevent new devices from being connected to the network without total transparency and risk mitigation.

Next, it is important to harden environments that are running software for connected devices. For example, a building automation system that controls elevator or HVAC operations should run in a dedicated environment, with specific policies around traffic and interaction.  Applications should be whitelisted and controlled at a granular level to ensure functionality is limited to specific tasks. Endpoint security and multifactor authentication are also must-haves for every connected device and sign-in attempt.   This will ensure that only truly authorized individuals and trusted resources are engaging those connected environments.   

The operating system running connected devices should also be hardened through complete monitoring of everything including files, settings, events, logs and application behavior. Technologies should be considered that prevent any unwanted or unexpected changes to those environments. Further, it’s critical to understand if any of the devices are controlled by cloud services and factor that into a protection strategy, incorporating cloud access controls.
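As an added illustration (not part of the original article), the first two steps above can be checked mechanically by reconciling devices seen on the network against an approved inventory. The segment names, address ranges, MAC addresses and field names below are all constructed for this example.

```python
import ipaddress

# Constructed data: dedicated segments and the approved device inventory.
SEGMENTS = {
    "building-automation": ipaddress.ip_network("10.20.0.0/24"),
    "ot-scada": ipaddress.ip_network("10.30.0.0/24"),
    "office-iot": ipaddress.ip_network("10.40.0.0/24"),
}
INVENTORY = {
    "00:11:22:aa:00:01": {"name": "hvac-controller", "segment": "building-automation", "default_password_changed": True},
    "00:11:22:aa:00:02": {"name": "elevator-plc", "segment": "building-automation", "default_password_changed": False},
    "00:11:22:aa:00:03": {"name": "lobby-camera", "segment": "office-iot", "default_password_changed": True},
    "00:11:22:aa:00:04": {"name": "badge-reader", "segment": "office-iot", "default_password_changed": True},
}
# Constructed observations, e.g. exported from DHCP leases or a passive monitor.
OBSERVED = [
    ("00:11:22:AA:00:01", "10.20.0.11"),
    ("00:11:22:aa:00:02", "10.20.0.12"),
    ("00:11:22:aa:00:03", "10.30.0.50"),  # camera seen on the SCADA segment
    ("de:ad:be:ef:00:99", "10.40.0.77"),  # not in the inventory
]

def audit(observed, inventory, segments):
    """Return (mac, issue) findings for observed devices versus the inventory."""
    findings, seen = [], set()
    for mac, ip in observed:
        mac = mac.lower()  # normalise case so lookups match inventory keys
        seen.add(mac)
        record = inventory.get(mac)
        if record is None:
            findings.append((mac, "unknown-device"))
            continue
        if not record["default_password_changed"]:
            findings.append((mac, "default-password"))
        # A device outside its dedicated segment breaks the isolation policy.
        if ipaddress.ip_address(ip) not in segments[record["segment"]]:
            findings.append((mac, "wrong-segment"))
    # Inventoried devices that were never observed may be offline or moved.
    for mac in sorted(set(inventory) - seen):
        findings.append((mac, "inventoried-but-not-seen"))
    return findings

if __name__ == "__main__":
    for mac, issue in audit(OBSERVED, INVENTORY, SEGMENTS):
        print(f"{issue:26} {mac}")
```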

The benefits of an increasingly connected enterprise are clear, but so too are the risks. CISOs have spent time and money on data protection strategies, but now is the time to ensure they have a robust industrial IoT strategy that matches the investment being made on the business efficiencies these systems can introduce. While protecting data is absolutely critical, it’s equally important that all CISOs think about how to protect these industrial infrastructures, as not doing so can have catastrophic results.  And as a start, that new multimillion-dollar MRI machine or advanced factory robotics platform comes with a default password – don’t forget to change it.

Bradon Rogers is SVP of worldwide sales engineering and product strategy for Symantec’s Enterprise business. Rogers leads the pre-sales teams including Symantec’s worldwide sales engineering, product marketing, and sales enablement functions. From 2015 to 2016, he served as Blue Coat’s senior vice president of product strategy and operations. Prior to Blue Coat, Rogers was senior vice president of product and technical marketing at Intel Security. Prior to Intel Security, Rogers was vice president of worldwide sales engineering at McAfee. Rogers holds a B.S. from Auburn University.