Understanding the vulnerability landscape of the XIoT to properly assess and mitigate risk is critically important to protect livelihoods and lives
After more than 20 years of connecting devices to the Internet, we’ve reached the point where our physical world is very dependent on its digital components. We now have direct connections to process control systems and smart sensors in industrial environments, medical imaging equipment and patient monitoring systems in healthcare organizations, and other devices used in smart grids and building management systems. Even our most basic needs like food and water depend on cyber-physical systems (CPS) and the connected devices that underpin them, referred to holistically as the Extended Internet of Things (XIoT). But many of these connected devices were not necessarily designed with security in mind. This is par for the course with technology innovation, and it will take years, if not decades, before a new generation of connected assets emerges with more natively integrated security processes and pathways.
Understanding the vulnerability landscape of the XIoT to properly assess and mitigate risk is critically important to protect livelihoods and lives. Recent key events have brought this into sharp focus:
● Industroyer2, a variant of the 2016 Industroyer malware, was deployed in a foiled attack against a Ukrainian electricity provider.
● A suite of attack tools called Incontroller (aka Pipedream) was discovered and found to have components purpose-built to target specific industrial equipment and disrupt service delivery.
● Dubbed OT:ICEFALL, 56 vulnerabilities were disclosed affecting devices from 10 XIoT vendors.
While IT security research communities and vendor vulnerability disclosure programs have been around for decades to accelerate identification of vulnerabilities and corrective action, only recently have we started bringing that expertise and those insights to the XIoT. With a growing realization that industrial environments are rapidly changing and more exposed to attack as highly connected CPS become the norm, efforts to safeguard users are accelerating.
New research on XIoT vulnerabilities found that in the first half of 2022, vendor self-disclosures surpassed disclosures from independent research outfits for the first time. While the number of vulnerabilities impacting smart devices, networking gear, and cameras almost doubled compared with the prior six months, vendors provided full or partial remediation for 91% of published vulnerabilities, including marked improvement in firmware remediation, which presents challenges. This is significant, as the vast majority of published XIoT vulnerabilities were either critical or high severity.
Mitigation strategies are often the only remediation option open to operational technology (OT) engineers and security teams in industrial environments, where many of the systems being connected to the Internet are legacy and availability or uptime is directly tied to the bottom line. The risk of disruption and downtime to implement a new security control, patch or system upgrade can be a non-starter. Even if you plan to patch during a maintenance window, the following foundational security measures should be put in place to mitigate risk moving forward:
● Network segmentation. Physical network segmentation between IT and OT networks reduces the chance of an attack on the IT network spreading to the OT network, but it can be a drawn-out and costly endeavor. A cost-effective, efficient alternative is virtual segmentation within the OT environment to establish what “normal” communication looks like and create zone-specific policies, so security teams can be alerted to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. This should include micro-segmentation for XIoT devices, creating even smaller groups of assets with which these devices can communicate. In certain levels of the network, it isn’t possible to block traffic because doing so also stops the physical process and may create safety issues. However, this type of segmentation can improve network monitoring and access control and greatly accelerate response time, saving cost and reducing downtime in the event an attacker does establish a foothold.
● Secure remote access. Hand-in-hand with segmentation, secure remote access involves not only separating critical zones from the rest of the IT and OT networks, but also securing remote sessions through the addition of encryption, authentication, and authorization capabilities. Strict controls over users, devices, and sessions empower organizations to identify connected devices, control access to devices and processes granularly, be alerted to non-trusted communications and behavior across the network, and terminate sessions if needed. Password vaulting and multi-factor authentication (MFA) provide additional layers of security controls to prevent password reuse and sharing among users.
● Cloud risk management. To gain process efficiencies, organizations are connecting XIoT devices and systems to the Internet and managing them from the cloud. However, vulnerabilities impacting cloud-managed OT devices and management consoles in the cloud often escape the attention of asset owners and security teams. Verify cloud support protocols of XIoT devices and use security mechanisms such as encryption and certificates to protect the exchange of data. Authentication and identity management mechanisms such as MFA, strong credentials, and granular user and role-based access control policies help prevent unauthorized access to devices and systems. Additionally, since cloud providers operate with a shared responsibility model, it is critically important to have clarity between the organization’s and its cloud providers’ responsibilities.
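As an added example (not from the original article), the following Python shows the virtual segmentation measure above: it learns a zone-level baseline from known-good flows, then blocks unexpected traffic except where a safety-critical zone is involved, in which case it only alerts. The zone names, subnets, ports, and flows are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed zone map (assumption): names and subnets are illustrative only.
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot-control": ipaddress.ip_network("10.30.1.0/24"),
    "xiot-cameras": ipaddress.ip_network("10.30.9.0/28"),  # micro-segment
}
# Zones where dropping traffic could stop the physical process: alert, never block.
MONITOR_ONLY = {"ot-control"}

# Constructed flows observed during a known-good window.
BASELINE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", 443),   # IT workstation to OT DMZ jump host
    Flow("10.20.0.5", "10.30.1.10", 502),  # DMZ to controller
    Flow("10.30.9.3", "10.30.9.2", 554),   # camera to recorder, same micro-segment
]

def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def learn_baseline(flows):
    """Reduce observed flows to the set of (src_zone, dst_zone, port) seen."""
    return {(zone_of(f.src), zone_of(f.dst), f.port) for f in flows}

def evaluate(flow, baseline):
    """Return (verdict, reason) for one flow against the zone baseline."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if (sz, dz, flow.port) in baseline:
        return ("allow", "matches baseline")
    reason = f"{sz}->{dz}:{flow.port} not in baseline"
    if sz != dz:
        reason = "cross-zone " + reason  # candidate lateral movement
    if sz in MONITOR_ONLY or dz in MONITOR_ONLY:
        return ("alert", reason)
    return ("block", reason)
```
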
Given the overwhelming business benefits, links to smart technology assets and devices across all types of organizations will continue to proliferate. Threat actors are increasingly targeting vulnerabilities in these assets and devices. Fortunately, we’re seeing significant advances across multiple fronts to close XIoT security gaps rapidly and simplify risk mitigation. Organizations should embrace all the resources available to assess and address risk to their mission-critical operations.