IIoT applications bring many ICS security risks to critical industries like manufacturing, energy, oil and gas, chemical, transportation. As a part of CEO Insights, Dr. Ulrich Lang, Co-founder and CEO of ObjectSecurity, explains what are the most critical cybersecurity risks, how to address them, and also what are the challenges and opportunities in this market.
Lucian Fogoros: What is ObjectSecurity's focus with Industrial IoT?
Dr. Ulrich Lang: ObjectSecurity's solution technically enforces powerful security policies effortlessly across what we call generically "interconnected IT landscapes." These can be desktops and servers across enterprise networks, but often are interconnected device landscapes that are today referred to as IIoT.
There are multiple challenges with enforcing security policies for IIoT - in particular, rich and dynamic policies need to be applied in many industries to restrict information flows to only what is authorized. At a high level, everyone wants to implement the theoretical policy "everyone and everything is only authorized to access exactly what they need for their current authorized task and not more", but this least-privilege policy, of course, means different things on many systems, many users, many kinds of information etc.
Technically implementing policy for IIoT is complicated by the fact that IIoT landscapes frequently evolve/change, and the policy implementation solution needs to be able to handle that. Another complication is that IIoT landscapes are usually very heterogeneous, that is there are many different kinds of devices and applications. The policy implementation solution needs to be able to handle that as well.
Our solution solves these challenges through a unique "security policy automation" approach that allows users to author very policies intuitively, using a natural language editor and a graphical editor. To be able to generate the numerous detailed technical rules and configuration, our solution imports and analyzes information about the IIoT landscape that needs to be protected, gathered from available sources such as user/role/key information, network traffic patterns, configuration files (for systems, applications, firewalls, etc.).
Some of the areas we have used our solution for IIoT include intelligent transport, medical devices, air traffic management, supply chain, CCTV/surveillance etc.
Lucian Fogoros: What are the most critical risks that IIoT applications bring in a factory? Are your customers aware of these risks?
Dr. Ulrich Lang: I don't think customers are aware of the risks yet. IIoT in general (factory and elsewhere) introduces numerous risks. In particular, the software of many (legacy) devices was not built for an interconnected IIoT scenario, but for operation in a mostly closed system (we have seen this in all most all of our IIoT deployments). By interconnecting devices more, and adding cloud back-ends and internet connectivity, the attack surface increases significantly, and previously minor issues (open ports etc.) are now major security vulnerabilities. In addition, there is the challenge of how to figure out which information flows should be allowed and why, and how to technically implement that. This is especially hard for badly protected, unusual and/or legacy devices, which make up much of the IIoT device landscape.
All this is compounded by the fact that prices and sizes for full-fledged computers have come down so much that they are often the preferred choice over PLCs. For example, the consumer-grade Raspberry Pi Zero for $5 is a full Linux computer that is smaller than a credit card (the Pi Zero W includes wireless and costs $10). Just to clarify the what this means: you can plug a monitor into the HDMI, and mouse/keyboard into the USB port of a $5 computer and get a full desktop computer that is more or less compatible with how software is written for desktops and servers. I do not dare to predict where PLCs will go, but if this development continues, we will see powerful general-purpose computers in most places where we have previously seen custom PLCs – from a security perspective, this means that there will be a lot of dormant functionality for an attacker to use. For example, a hacker may eventually be able to hack into an IIoT device that "doesn't do much" (e.g. a camera), enable a bunch of features like network access, install advanced hacker tools, and "move laterally" across your organization's networks in search for more high-value targets. Or disrupt your business, for example.
I think customers are often not sufficiently aware either that IIoT is usually a "cyber-physical" system, which means that software directly impacts our physical world. This makes the impact of IIoT cybersecurity breaches potentially much more dangerous (potentially many people may die) than breaches during the mainframe, PC, the Internet, and Mobile eras of IT. Looking at it from a systemic or a cyberwar perspective, it also becomes evident that if there was a war, IIoT systems would be a primary target due to their cyber-physical nature, and also because IIoT drives a lot of the critical infrastructure, such as power grids, transport systems, utility systems, etc.
In conclusion, no I don't think customers are sufficiently sensitized to this yet (especially the systemic impact of IIoT risks), and often haven't been hit (other than Mirai DDoS last year) that much yet to really give it much thought. But maybe last week's WannaCry ransomware will change customer awareness, considering that critical IIoT devices such as medical devices were also compromised during the attack. In fact, many IIoT devices run old, unsupported versions of Windows (e.g. XP) and are thus susceptible to this sort of attacks. Microsoft issued WannaCry emergency patches for old operating systems, and I strongly recommend applying those.
Lucian Fogoros: What is the first step to address ICS security issues?
Dr. Ulrich Lang: I recommend a risk analysis to be carried out to assess how IIoT risks stack up, so that management can be convinced to provide funds to secure IIoT. This risk analysis should not be done with a per-device perspective, but with a "system-of-systems" (SoS) perspective, taking into account the information flows between devices. I also recommend a roadmap and implementation pilot projects to determine the best IIoT security approach forward (we actually do quite a few of those). You cannot rely on device vendors to deal with cybersecurity for you unless everything comes from a single vendor as a packaged system (and the vendor provides a SoS solution). If you use a bunch of ICSs in your factory or other IIoT environment, you are effectively the integrator of a very heterogeneous device landscape, and the SoS perspective is your responsibility. It is important to communicate that to management so they can provision the right staff and external help to get the analysis, roadmap, and pilots funded and scheduled.
I don't think customers have nearly as much time as they think they do to address this because if IIoT is rolled out without the right security approach in place, it will be really hard to retrofit it later.
Lucian Fogoros: What is the biggest challenge that IT will face in implementing cybersecurity solutions with industrial companies?
Dr. Ulrich Lang: It is that cybersecurity retrofitting problem I just mentioned: As usual, customers will implement interconnected IIoT landscapes with the immediate benefits in mind, and then attempt to add security later when they realize that they have to "control the beast they created". This retrofitting problem perpetually plays a part in why security is not as good as it should be – with desktop computers, the internet, mobile devices and more.
There is some awareness that IIoT devices need to be protected, but the awareness that a policy needs to be technically enforced across the interconnected "SoS" is usually not sufficient yet, and most of the tools available to IIoT implementers are not providing much in this area.
Lucian Fogoros: What are the biggest opportunities in ICS security market in 2017?
Dr. Ulrich Lang: I am not really sure, 2017 is already almost half-over, and the opportunities may spill over into 2018 and onwards. Right now I think a lot of customers need initial guidance (risk analyses, architectures, pilot implementations etc.) to get their IIoT cybersecurity roadmaps on track. We currently offer all these services with great success even though it is not our core business. We do this work to help our customers because it paves the way for our core business (which is our OpenPMF product) down the line. Eventually, IIoT/ICS customers and markets will hopefully mature and consolidate sufficiently to allow us to focus more on implementing our product for IIoT and less on the initial guidance part of the process.
Lucian Fogoros: What are your main goals in 2017?
Dr. Ulrich Lang: Even though we have our plate full through 2017, we are planning on growing the IIoT leg of our business by educating customers (through articles such as this, or our upcoming conference talks at ISSA International Conference and Cloud Identity Summit), guiding customers towards an IIoT cybersecurity roadmap that works. To meet customer demand, we will also hire several additional technical experts to join our team this year. We are definitely heavily invested in IIoT cybersecurity for the foreseeable future.