According to a forecast by Gartner, the number of IoT devices in use will reach 8.4 billion in 2017 and grow to a staggering 20.4 billion by 2020, and the market opportunity for IoT will reach US$2 trillion by 2017. With the proliferation of IoT devices and technologies in the commercial and industrial sectors, we are starting to see the convergence of the traditional IT and OT environments. This convergence creates a more collaborative, productive and profitable opportunity for information sharing across the overall organization by providing connectivity for data collection, correlation and analytics, but it also brings security challenges.
General Security Challenges
An unwelcome effect of IT/OT convergence is the expansion of the attack surfaces and threat vectors across the organization. This provides more opportunities for hackers, malware authors and criminal groups to take advantage of. As shown by the Dyn distributed denial-of-service (DDoS) attacks and the WannaCry and Petya ransomware incidents, the adversaries have become more proficient in exploiting these new attack surfaces and threat vectors. In doing so, they are able to bring about major disruptions such as taking down critical domain hosting providers and compromising millions of systems around the world.
Given the profusion of attacks and breaches, cyberthreats are now top of mind for discerning senior executives and board members. This awareness has resulted in increased funding becoming available for the IT environment, but not necessarily for the OT environment, where cybersecurity is still more an afterthought than an integrated part of the business plan.
As a result of IT/OT convergence, we are starting to see significant security challenges for the overall organization. These include lack of security awareness across the IT/OT environment and fragmented security solutions that don’t necessarily work in the OT environment.
Another issue is lack of standards and regulations for IoT technologies, which makes planning and implementation difficult. Also, some security models may not have been built into IoT devices and platforms, particularly those used in the OT environment.
Furthermore, many forms of malware in the IT environment can impact OT. For fear of the potential consequences, the organization itself might intentionally shut down operations due to a malware attack or even just the threat thereof. This sort of self-denial-of-service was exemplified by Honda and Renault when they halted manufacturing at their respective plants to prevent the spread of ransomware in their systems, even though there were no alarms on the factory floor.
The prevailing security approach in the OT environment is to use IT practices and technologies. Unfortunately, this doesn’t always work and, in some cases, has caused problems with operational equipment and devices. For one thing, the IT and OT environments have different views about security as they have different reporting lines and business needs. Consequently, misapplications of IT security in the OT environment arise, which in turn lead to self-denial-of-service and other complications. For example, applying IT resources such as invasive penetration testing and network mapping tools to the OT environment may impact OT systems such as legacy PLCs. Similarly, applying resource-intensive antivirus software to legacy control system HMIs may impact HMIs and ICS field devices.
But make no mistake: Cyberthreats in the OT environment are real. There have been more than 700 cybersecurity incidents in numerous industries worldwide, including utility distribution, manufacturing, transportation and healthcare. The impacts range from trivial to considerable equipment damage, to significant environmental damage, to major regionwide power outages, and even to deaths (more than 1,000 deaths and more than US$30 billion in direct damages have been noted to date). Very few of these incidents were even identified as being cyber-related — which speaks volumes about the lack of control system cyber forensics and appropriate training. This can be expected to get even more complicated with IoT in general and IIoT in particular.
Security Challenges for IIoT
IIoT is a continuation of trends that have been on the rise since the 1990s. With its emergence, we have seen increased granularity and connectivity in process sensor and control equipment. We have also seen increased aggregation of large amounts of cross-sensor, cross-site and cross-customer information in enterprise-level and internet-based repositories.
IIoT advocates predict dramatic increases in the number of “intelligent” devices deployed at industrial sites, the amount of data harvested routinely from such devices, and the degree of central aggregation and analysis of this data. These trends toward increased granularity, increased connectivity and increased aggregation are expected to significantly expand IIoT attack surfaces.
The concept of IIoT comprises successive levels, along with their related security and operational issues:
- Local area networks for collecting and locally processing data from connected ICS objects. Security issue: lack of authentication and security in process sensors. Operational issue: Compromised data can lead to equipment damage, regulatory issues and personal safety hazards.
- Transmission of data to the cloud via gateways. Security issue: lack of security in protocols and gateways. Operational issue: Compromised data can lead to equipment damage, regulatory issues and personal safety hazards.
- Processing and storage of data in the cloud by appropriate platforms and specific algorithms such as those used in big data analytics. Security issue: lack of security of data. Operational issue: Compromised data can lead to equipment damage, regulatory issues and personal safety hazards.
- Interfacing between platforms and end users for monitoring. Security issue: lack of secure communication protocols. Operational issue: Using the cloud for control can lead to unforeseen operational concerns.
In short, the cloud computing environment introduces security and operational concerns that need to be addressed.
IIoT applications are generally built on existing ICS devices and therefore inherit their lack of security. Existing IIoT networks are being augmented with existing ICS devices (without adequate security) to bring in additional data needed for big data analytics. Interconnected devices currently use custom protocols or gateways to reach universal protocols such as OPC Unified Architecture. Unfortunately, these custom protocols and gateways are often developed without sufficient security considerations.
One of the key selling points of IIoT is reachability: integration between the machines and the humans who run them. Hence, new entry points will need to be introduced into the reference model to achieve increased connectivity objectives. These new capabilities introduce cybersecurity considerations that will need to be addressed.
It is assumed that many industrial applications may need to live with these insecure products for years. Consequently, it will be important to identify any gaps created by differing IT and ICS security and operational requirements as well as to develop compensating controls.
The aforementioned security challenges have led to the establishment by the International Society of Automation (ISA) of a new committee on IIoT cybersecurity: ISA99 Working Group 9.
Richard Ku has more than 23 years of hands-on experience working in the hi-tech and security industry in a number of leading roles, as an individual contributor and in management. He currently serves as Sr. Vice President of Product and Services Management for Trend Micro Enterprise and Small Business Foundation Security Product and Services.
Joe Weiss, PE, CISM, CRISC, ISA Fellow, IEEE Senior Member, MD ISA99, is an industry expert on control systems and electronic security of control systems, with more than 40 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI), where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program and cyber security for digital control systems.