Critical Infrastructure Targeted
Unfortunately, no vertical market has remained immune from the harmful aftermath of a successful cyber attack or data breach. The situation is only exacerbated with regards to the Internet of Things (IoT), as the sheer volume of these devices continues to grow with each passing year. The IoT device explosion has seen a proportionate growth of the cyber threat landscape due to the new attack vectors that many insecure IoT devices can introduce into the ecosystem. Furthermore, the industrial markets that comprise our critical infrastructure have routinely found themselves in the crosshairs of potential cyber-criminals and data thieves.
The Industrial Internet of Things (IIoT) has remained a consistent target because of several characteristics unique to critical infrastructure. The primary security concerns are:
- The age of the legacy components underlying our critical infrastructure poses a unique security challenge.
- Demands for consistent, uninterrupted operation of the varied legacy systems that make up the infrastructure keep growing, leaving little room for maintenance windows.
- In the absence of fully developed and mature security standards, much of our critical infrastructure runs on makeshift solutions composed of an assortment of hardware and software products whose one-off configurations raise security concerns of their own.
- The sheer volume of IoT devices being placed inside industrial facilities, driven by the demand for equipment monitoring and management, creates an enormous attack surface within the IIoT for attackers to target.
Our Aging Legacy Systems
A great deal of the world's critical infrastructure is currently operating on outdated hardware and obsolete software configurations. These legacy systems were designed to be operated solely over internal network connections. That design created a natural air gap: external threats were kept out by limiting access to devices with a hardwired physical connection to the internal network. Because physical access was itself the access control, authentication was minimal or absent entirely. Security was never built into these systems, and as a result they are rife with vulnerabilities that can be exploited once that physical barrier is gone.
For example, Fieldbus is a family of network protocols that provides real-time communication for distributed control systems in the industrial sector. One of the earliest and most popular Fieldbus protocols is Modbus. Because it is easy to deploy, openly published, and royalty-free, Modbus became the go-to standard for many Supervisory Control and Data Acquisition (SCADA) systems. These systems are deployed throughout the world in critical infrastructure sectors such as the energy, gas, and oil industries, where they are used for data collection and process automation. Other protocols such as DNP3 were developed to provide additional functionality and interoperability, but they too were designed for internal networks without secure communication in mind (DNP3 later gained an optional Secure Authentication extension, but it is far from universally deployed). As these protocols proliferated, systems became dependent on them. The core weakness is not a discrete bug but a design property: the base protocols carry no authentication, integrity protection, or encryption, so any host that can reach the network can read process values and issue write commands. Multiple vulnerabilities have also been found in the implementations of these protocols, and both pose enormous security threats to the systems that rely on them.
Regrettably, simply being aware of the vulnerabilities present in aging infrastructure does not translate into solutions that are easy to implement. Many of these systems are not maintained or updated with security patches, even when the vulnerabilities those patches address are well known. The environment of each facility is likely unique and entirely dependent on the specific demands of its industry. This often results in customized hardware and software configurations adopted to meet the requirements of a particular operational task. As a result, establishing an update or patch management process can be daunting, especially when a proposed update could leave other components of the facility failing to work properly afterward.
While the isolated nature of the operational technology (OT) market historically added a layer of protection, these age-old practices have become a security liability. Limiting access to physical connections made practical sense when the only devices that needed the network were hardwired, authorized components and machinery performing specific tasks. However, as demand for operational analytics grows, newer communication technologies are being introduced, and legacy components are being retrofitted with IoT devices and sensors. These newly installed devices require network access to report the data they capture, and most are designed to connect wirelessly.
Despite awareness of these vulnerabilities, and the additional points of compromise being introduced into the environment, the demand for consistent output from critical infrastructure can supersede any effort to secure it. The reasons for the lack of an update or patch management process are multifaceted. Beyond the customized configuration of the diverse systems that make up a facility, any interruption in service can have catastrophic results, affecting operational safety as well as the financial stability of the facility. It is precisely this combination of dependency and vulnerability that makes securing the IIoT so hard. Imagine trying to replace the foundation of a home without disrupting its residents or any of its utilities, such as plumbing, electrical, communication, or ventilation. Unfortunately, in many industries such risks result in no action being taken at all, in keeping with the old adage that "if it ain't broke, don't fix it".
Moreover, industrial facilities face enormous challenges in transitioning their mission-critical communication infrastructure to support digital and automated operations. In the modern era, immediate access to real-time data is vital to the efficient and effective operation of any facility. This places even greater demands on already aging components and systems in an effort to quench an insatiable thirst for data analysis and operational intelligence. As a result, these legacy systems cannot simply be abandoned; they must be systematically augmented with capabilities that allow effective monitoring and management. If that work is not done carefully, the transition introduces even more security concerns and operational disruptions.
For example, most newly installed IoT sensors operate wirelessly. The convenience of wireless IoT technologies comes at a price that hurts security on multiple fronts. The visibility previously enjoyed because network access required a physical connection is negated entirely by wireless connectivity. The small physical size of wireless sensors makes them difficult to track, which complicates any effort to keep unauthorized or unvetted devices out of the environment. And every wireless device added to the network is one more potential path to compromise. Any legacy component with an unpatched firmware vulnerability that is connected to these new sensors becomes a prime target: an attacker can use the wireless path to bypass the old physical-connectivity limitation and exploit well-known vulnerabilities in legacy components that were previously out of reach.
Lack of Standards
The explosion of the IIoT has created an immediate demand for security that was previously negligible because of the isolated nature of OT. This demand has prompted many industries to apply a standards-based approach to the adoption of IoT technology. Because global enterprises are interconnected, a number of specific standards for information technology (IT) security have been established and are enforceable. The operational technology (OT) services that control critical infrastructure, by contrast, were largely able to operate autonomously in the past. OT also has priorities that IT does not, such as worker safety and process availability. As a result, IT standards do not transfer easily to OT, and some IT standards are simply unenforceable in an OT environment because of the diversity of each industrial setting.
Over the years, modern enterprises have also developed IT change management processes to ensure that every new piece of hardware or software update is vetted against the current configuration, typically in a virtualized test environment so that disruption is minimal once the change is executed in production. The OT environment has never enjoyed this luxury. For many legacy systems there is no way to virtualize the components themselves to test their functionality and interoperability after an update. Furthermore, for many of these outdated components, rolling a system back to its pre-update state poses a considerable challenge, if it is feasible at all.
Earlier this year, the National Institute of Standards and Technology (NIST) published an "Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)". The report identified in detail multiple areas with large gaps in cybersecurity standards coverage. For example, cyber incident management lags in IoT systems, largely because some IoT devices are not designed to accept software patches that address cybersecurity vulnerabilities. In those cases the only remedy may be to replace the components themselves, which is both costly and time consuming.
Hardware assurance was another area of concern NIST recognized. The report highlighted the technical challenges of detecting malware present in software, and those challenges apply equally to firmware. The report suggested that best practices would need to be developed to help industries avoid malware-infected firmware, and recognized this as another area where specific standards are lacking.
The NIST report did acknowledge that some independent and industry-backed cybersecurity standards exist in certain areas and have met with general market acceptance. However, it noted that these standards were not designed with the complexities of IoT devices in mind, and that their practical application to IoT devices and systems has been inconsistent. Even the cybersecurity standards embraced by industry require routine revision to remain valid and effective.
Volume of the IIoT
Demand ultimately drives the strategic actions within any market. As alluded to earlier, the quenchless thirst for operational information and performance intelligence within the industrial market has resulted in the rapid adoption of new connectivity technologies. Whether through IoT devices and sensors retrofitted to legacy components, or through the connection of previously isolated internal systems to the external internet, the number of devices visible and operating within the IIoT is extensive and growing with each passing day. This makes cybersecurity an even greater concern, because the growth of the IIoT substantially expands the threat landscape.
With more devices being connected to the internet, and more internet-accessible nodes being linked through IoT technology, the IIoT is expected to grow sharply in the near term. According to our 2017 Industrial Communications Report, the number of internet-connected devices in the industrial sector alone was forecast at just under 90 million in 2016. As more of these systems come online daily, this number is expected to exceed 150 million by 2021, as shown in Figure 1 below.
This forecast further highlights the complexity of securing the IIoT. While many industrial devices have been transitioned to better-protected communication methods, a great many legacy systems remain reliant on outdated protocols. This persists despite public knowledge of the vulnerabilities inherent in those protocols, which stem from their lack of any form of device identification or authentication.
However, this is not to say that every one of these systems is in fact vulnerable to exploitation. These numbers do not account for the defensive countermeasures that may reside throughout each of the scanned networks, such as next-generation firewalls, intrusion detection or prevention systems, and advanced threat protection systems. If these systems are going to remain reliant on potentially vulnerable communication protocols while becoming ever more connected to external networks, it is imperative that additional, redundant security measures be in place.
Any comprehensive approach to securing the IIoT will require a multi-layered security platform. "Defense in depth" is a staple of every effective cybersecurity practice. The strategy calls for several redundant layers of protection so that there is no single point of failure in the security ecosystem. For an unauthenticated protocol this means compensating controls around the device: network segmentation, an allowlist of which hosts may issue which commands, and monitoring of the control traffic itself. Enforcing such a strategy helps mitigate the risks of continued dependence on legacy systems.
Vendors are already building the next generation of embedded security technologies into their IoT devices to reinforce industrial security. These additions range from cryptographic chipsets that provide a hardware root of trust to secure web gateways and advanced routers. Newer systems and components are also being designed with multiple security checks in place from the start, using stronger identification, authentication, and authorization measures.
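The weakness described in "Our Aging Legacy Systems" (Modbus carries no authentication) and the compensating control called for here (a redundant layer that decides which hosts may do what) can both be seen in a few dozen lines. The following example is added for this page and is not code from the original article or from any vendor: it parses Modbus/TCP request frames, which have nothing resembling a credential field, and then applies a hypothetical source allowlist so that write function codes are only accepted from a designated engineering workstation. The IP addresses, the policy, and the sample frames are all constructed for the example.

```python
"""Modbus/TCP carries no authentication or integrity field: any host that can
reach TCP/502 can issue writes. Parse request frames and apply a compensating
network-layer policy (source allowlist per function class)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# MBAP header (big-endian): transaction id, protocol id (0 = Modbus), length, unit id.
# The PDU that follows is just a function code and data. There is no auth field to parse.
MBAP = struct.Struct(">HHHB")

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request frame; raise ValueError on malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # 'length' counts every byte after the length field: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


# Hypothetical site policy (assumed addresses): only the engineering workstation may
# write; HMIs and historians on the control VLAN may read; everything else is noise.
POLICY = {
    "write": [ip_network("10.0.0.10/32")],
    "read": [ip_network("10.0.0.0/24")],
}


def _permitted(src, nets) -> bool:
    return any(src in net for net in nets)


def check_request(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return (verdict, reason): 'allow', 'alert' (policy violation) or 'drop' (malformed)."""
    src = ip_address(src_ip)
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "drop", f"malformed frame from {src}: {err}"
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if _permitted(src, POLICY["write"]):
            return "allow", f"{name} to unit {req.unit_id} from authorised writer {src}"
        return "alert", f"{name} to unit {req.unit_id} from non-allowlisted {src}"
    if req.function in READ_FUNCTIONS:
        name = READ_FUNCTIONS[req.function]
        if _permitted(src, POLICY["read"]):
            return "allow", f"{name} from {src}"
        return "alert", f"{name} from host outside control VLAN {src}"
    return "alert", f"unexpected function code {req.function} from {src}"


# Constructed sample traffic (source address, raw Modbus/TCP request bytes).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),   # FC3: read 2 regs at 0
    ("10.0.0.10", bytes.fromhex("000200000006010600100001")),  # FC6: write reg 16 := 1
    ("10.0.0.99", bytes.fromhex("000300000006010600100001")),  # same write, unknown host
    ("10.0.0.5", bytes.fromhex("0004000000ff01030000")),       # length field lies
]


def audit(traffic) -> list[tuple[str, str]]:
    return [check_request(src, frame) for src, frame in traffic]


if __name__ == "__main__":
    for verdict, reason in audit(SAMPLE_TRAFFIC):
        print(f"{verdict:5} {reason}")
```

The point of the parser is what is missing from it: the only identity Modbus offers is the sender's IP address, which any host on the segment can spoof, so the allowlist is a compensating layer rather than a substitute for authentication. In practice this logic sits on a firewall or IDS in front of the PLC and is paired with segmentation so that the allowlisted addresses are the only ones that can reach port 502 at all.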
As our research can attest, these additional security demands have driven significant trends within the market. According to our analysis, SaaS revenue for content security gateways reached $676M in 2Q18, up 10% over 1Q18 and up 30% over 2Q17. IHS Markit expects this market to reach $6.3B in CY22, a 2017-22 CAGR of 23.6%. Furthermore, revenues and unit shipments for industrial IoT gateways are forecast to grow the fastest of all product types, with a 63% CAGR (2016-2021) in shipments of gateways that carry data to the cloud.
In the absence of mature standards designed specifically for IIoT technologies, best practices from the enterprise and service provider domains can provide insight. However, because those practices are not universally applicable to the IIoT, guidance will also have to come from industry leaders. Comprehensive direction from the wide range of groups seeking to bolster IIoT cybersecurity will be vital. Organizations such as the Industrial Internet Consortium (whose members include AT&T, Cisco, GE, IBM, and Intel) are working to provide an architectural framework for the industrial internet. These efforts will serve as a badly needed cohesive structure on which to build future industrial and critical infrastructure operations.
Clearly, substantive challenges to securing the IIoT will remain for many years to come. The transition from internally connected legacy systems to more efficient (yet internet-facing) technologies will be costly on several fronts. It will take a great deal of time in addition to substantial financial resources, and the risks involved will be even greater for the systems that make up our shared critical infrastructure. When it comes to effective cybersecurity, there are usually three options available: fast, cheap, or secure. Unfortunately, in the modern world, you can pick only two.