
IIoT Puts Manufacturers In the Sights of Cybercriminals

BOULDER CREEK, Calif. — We are seeing a number of attacks both on industrial control systems (ICS) and on the operational technology (OT) side of the industrial IoT (IIoT) with increasing frequency.

Why is the IIoT so vulnerable to cyberattacks?

We talked to ICS and OT specialists at major cybersecurity solutions providers, as well as key industry analysts, to suss out the answers.

The consensus was a list of several elements that have combined to create a perfect storm over the last few years:

  • a big increase in the number of sensors and devices being connected to each organization’s IIoT, forming a huge potential attack surface
  • decades-old OT equipment and control systems never designed for exposure to the internet and, therefore, not designed for security
  • a patchwork of OT and control systems from multiple vendors running proprietary and non-updatable software, including human-machine-interface (HMI) computers with access to remote terminal units (RTUs), SCADA masters (supervisory control computers), and programmable logic controllers (PLCs)
  • poor or absent cybersecurity practices and technology, including a lack of practices and tools designed for the very different ICS/OT environment rather than for the IT environment
  • lack of budgets, or insufficient budgets, for implementing cybersecurity awareness, monitoring, and prevention technology
  • a steep escalation in the numbers and types of attackers



Phil Neray, vice president of industrial cybersecurity for CyberX, sees three of these as the key factors that indicate that industrial control/OT systems are more at risk today of experiencing cyberattacks than ever before:

“First, most devices and networks used in our industrial control systems were designed 15 or more years ago, when connectivity to the internet was not standard practice and when it was assumed that if you had connectivity to the device, you had permission to configure the device. As a result, most have either no authentication or weak authentication, like passwords that can be easily sniffed from the wire.

“Second, connectivity between corporate IT networks and OT networks has increased significantly because of the need to get real-time intelligence from production. Whether it’s a gas pipeline, a factory floor, or a well site, companies want to optimize their operations and collect real-time intelligence. This means that the attack surface has increased: There are many more ways for attackers to get into industrial networks.

“Third, the group of potential attackers has also increased. From a destructive malware point of view, today, it includes nation-state threats, primarily Russia, North Korea, and Iran. Also China, which is less interested in malware and more interested in stealing intellectual property from industrial networks. Attackers now include sophisticated nation-states, cybercriminals with ransomware for shutting down a plant, and hacktivists. They also include third-party risks.”

EE Times interviewed a host of cybersecurity experts for this Special Project. In the following pages, we will share some of the key points that they laid out for us as to why the IIoT is so vulnerable to cyberattacks.

The differences between the IT and OT environments are huge.

OT networks are much more complex and diverse: They are made up of multiple types of older ICS equipment and assets, sourced from multiple suppliers, that perform the process being controlled, and they usually run multiple proprietary operating systems.

Add to that a growing number of sometimes unsecured sensors for collecting data such as for predictive maintenance, and the attack surface of connected devices multiplies.


The fundamental issue in the industrial space right now is lack of visibility. More IT-like technology is moving into OT environments but without anywhere near the amount of visibility that IT security would be used to.

“The result is that the benefits and risks of IT equipment are migrated to the OT environment without the countering benefits of visibility and defensive measures. Simply applying IT solutions introduces risk in terms of action on false positives or applying solutions inappropriate to the environment. At minimum, increasing visibility allows for improved security monitoring and awareness, while prevention remains difficult to achieve.”

— Joe Slowik, adversary hunter for Dragos


OT systems were not designed with security built in. Also, OT end-point devices may have constrained processing capability, limited memory capacity, and minimal or no encryption capability. Machine lifecycles can stretch into decades. There are many issues that you don’t need to think about in the IT space, which is a very controlled environment.

“But in the OT environment, once it gets connected to the outside world, there are problems that need to be addressed that were not taken into account when these networks were first put into production. With these legacy networks, new vulnerabilities are discovered over time with each new attack, and then solutions must be devised to protect these systems. It’s not that people didn’t know that these attacks could happen; they just didn’t know what sequence of steps was needed to make them happen or what vulnerabilities could be exploited.”

— Abhi Dugar, research director for IDC


“One main problem is that every control system is different. Even within a sector such as power companies, each company’s control system has components made by different manufacturers, and the way that each type of system is implemented may be very different: One refinery may be hodge-podged together over time, while another may be brand new.”

— Chris Sistrunk, principal consultant, industrial control systems at Mandiant, a FireEye company


A typical Distributed Control System (DCS) can be interfaced in multiple ways with a plant’s Safety Instrumented System (SIS), which independently monitors the process being controlled. The TRISIS/TRITON malware was designed to attack specific SIS hardware. That attack, FireEye believes, demonstrated the risk of designs that allow two-way communication between ICS and SIS network hosts.

(Source: FireEye)


Most of our experts agreed that many companies with ICS know that they need to protect their plants against cyberthreats, and some have already taken the basic steps recommended on the IT side, including network segmentation, firewalls, and antivirus software for PCs.

But OT systems need a lot more than this, and the tools and methods that work for IT won’t work here.


We should start with understanding how OT security is different from IT security. For one thing, OT objectives are different: They are safety, avoiding the interruption of processes, reliability, and resilience. It’s also important to not modify process behaviors, to not trigger false positives in a critical process, and, if a process is interrupted, to not cause a disruption.

“Because OT systems are embedded systems, you can’t use the IT environment bolt-on approach where you can install software or use other update methods after a device has been built and shipped. Security has to be built into the product itself because it’s a black box.”

— Abhi Dugar, research director for IDC


“Since the critical infrastructure, in industrial control systems and in the OT systems that they manage, was built decades ago, we’re often dependent on outdated hardware and legacy software. We’ve tried to squeeze every bit of capability and functionality that we can out of those systems: We demand so much of them that even shutting them down to install new hardware or software to address cybersecurity, even temporarily, can be financially catastrophic. It’s like trying to fix the foundation of a house without disrupting any major function or utility of the home.”

— Tanner Johnson, senior cybersecurity analyst for IHS Markit


“Although, historically, we may not have had an overlap in vulnerabilities between the traditional IT and OT environments, IT/OT convergence means that we have all of the gains and benefits of using off-the-shelf hardware and software, but we also imported a lot of weaknesses and vulnerabilities.

“While there’s been a lot of work done in IT cybersecurity, that work may not be possible, or may not be applicable to, OT. So tools and techniques that appreciate and understand the nuances and requirements of the OT environment are needed instead of those transferred in from the IT environment.”

— Joe Slowik, adversary hunter for Dragos


(Source: Dragos)
The necessary requirements for an adversary to successfully carry out a cyberattack on an industrial control system (ICS) environment are what Dragos calls the ICS Cyber Kill Chain. TRISIS/TRITON, one of the most closely studied pieces of malware designed to attack ICS/operational technology networks, represents only the second stage: Before the breach, attackers had already performed reconnaissance by identifying the specific controller to attack and its hardware and firmware, as well as by having access to the same hardware to develop and test their code.


(Source: Dragos)

The necessary requirements for an adversary to successful carry out a cyberattack on an industrial control system (ICS) environment is what Dragos calls the ICS Cyber Kill Chain. TRISIS/TRITON, one of the most closely studied malware designed to attack ICS/operational technology networks, represents only the second stage: Before the breach, attackers had already performed reconnaissance by identifying the specific controller to attack and its hardware and firmware, as well as by having access to the same hardware to develop and test their code.

Given the massively greater complexity and heterogeneity of OT networks versus IT networks, and the unique environment of each industrial control system, it’s no surprise that standards for OT and ICS cybersecurity are few and not really enforceable. The exceptions are in the energy and chemical sectors, but these don’t apply to manufacturing.


“Although no one mandates its use, the IEC 62443 standard for industrial control security, formerly ISA 99, is a popular, generally accepted standard in the industrial space for protecting a plant. It incorporates the Purdue model.

“This is a way to think about structuring control systems by dividing them into levels, including sensors, basic controllers, supervisory control, and production management, with rules about how different levels can communicate with each other.”

— Sid Snitkin, vice president of cybersecurity services for ARC Advisory Group
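As an added example (not code from the article, ARC, ISA or Cisco) of how the Purdue levels translate into enforceable segmentation rules, the script below assigns constructed subnets to levels and flags observed conversations that skip a level, that reach from the enterprise side past the DMZ straight into OT, or that involve a device missing from the asset map. The subnets, ports and flow records are assumptions made up for the demo.

```python
# Added example, not code from the article or from ISA/Cisco: a simplified
# Purdue-level conversation checker of the kind used to audit ICS segmentation.
# The subnet-to-level mapping and the flow records are constructed for the demo.
import ipaddress
from dataclasses import dataclass

# Constructed site layout: which subnet sits at which Purdue level.
ZONES = {
    "10.4.0.0/16": 4.0,  # enterprise / business network
    "10.3.5.0/24": 3.5,  # industrial DMZ between IT and OT
    "10.3.0.0/24": 3.0,  # site operations: historian, engineering workstations
    "10.2.0.0/24": 2.0,  # supervisory control: HMI, SCADA master
    "10.1.0.0/24": 1.0,  # basic control: PLCs, RTUs
    "10.0.0.0/24": 0.0,  # process: sensors and actuators
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def level_of(ip):
    """Map an address to its Purdue level, or None if it is not a known asset."""
    addr = ipaddress.ip_address(ip)
    for cidr, level in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return level
    return None

def check_flow(flow):
    """Return None if the conversation respects the level rules, else the reason.
    Simplified rules: both endpoints must be known assets, the enterprise side
    (level 4) may only reach OT through the DMZ (3.5), and any other conversation
    may span at most one adjacent level."""
    a, b = level_of(flow.src), level_of(flow.dst)
    if a is None or b is None:
        return "endpoint is not in the asset map (visibility gap)"
    lo, hi = sorted((a, b))
    if hi >= 4.0 and lo < 3.5:
        return "enterprise host talks past the DMZ directly into OT"
    if hi - lo > 1.0:
        return f"conversation skips a level ({lo:g} <-> {hi:g})"
    return None

def audit(flows):
    """Return [(flow, reason)] for every conversation that breaks the rules."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason is not None:
            findings.append((flow, reason))
    return findings

# Constructed sample conversations, as exported from a span-port capture.
SAMPLE = [
    Flow("10.4.1.20", "10.3.5.10", 443),    # business app -> DMZ proxy: fine
    Flow("10.3.5.10", "10.3.0.5", 1433),    # DMZ proxy -> historian: fine
    Flow("10.2.0.3", "10.1.0.7", 502),      # HMI -> PLC (Modbus/TCP): fine
    Flow("10.4.1.20", "10.1.0.7", 502),     # business host straight to a PLC
    Flow("10.3.0.5", "10.1.0.7", 502),      # historian bypassing the HMI level
    Flow("192.168.77.9", "10.1.0.7", 502),  # unmapped device talking to a PLC
]
```

Running `audit(SAMPLE)` reports the last three conversations; the first finding is the kind of IT-to-OT path the Purdue DMZ exists to prevent, and the last is a visibility gap rather than a policy breach.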


“Power companies have been using cybersecurity even before 2010, since the mid-2000s. In the U.S., there are only a few government-required cybersecurity standards for control system compliance.

“The North American Electric Reliability Corporation has many reliability standards that North American power companies have to meet, and control system cybersecurity is only one slice of that, while the Nuclear Regulatory Commission has control system cybersecurity regulations for nuclear generators and the Chemical Facility Anti-Terrorism Standards program regulates the chemical sector.

“Other types of companies with control systems such as oil and gas, manufacturing, or mining all have different levels of security awareness. Some have cybersecurity budgets, and some don’t.”

— Chris Sistrunk, principal consultant, industrial control systems at Mandiant, a FireEye company


“There are general cybersecurity requirements like those from ISO or NIST but none specific to OT environments that have sufficient uptake or enforcement behind them.

“The problem is that, with the diversity of OT environments, not only are there dramatic differences in equipment and how it’s laid out between different verticals like manufacturing or oil and gas but also between different companies in the same vertical and even between different plants within a single company.”

— Joe Slowik, adversary hunter for Dragos


(Source: Cisco)
The Purdue Enterprise Reference Architecture model for industrial control systems (ICS) has been adopted by the International Society of Automation ISA-99 Committee for Manufacturing and Control Systems Security (now ISA/IEC 62443) and other security standards. Its definition of plant technology levels is widely used as a means of segmenting ICS networks, as shown here in Cisco’s Plant Logical Framework, which is based on it.


(Source: Cisco)

The Purdue Enterprise Reference Architecture model for industrial control systems (ICS) has been adopted by the International Society of Automation ISA-99 Committee for Manufacturing and Control Systems Security (now ISA/IEC 62443) and other security standards. Its definition of plant technology levels is widely used as a means of segmenting ICS networks, as shown here in Cisco’s Plant Logical Framework, which is based on it.

Many people working with OT networks still lack the good security hygiene practiced for IT networks.

Not only are they not used to following similar procedures, but there is also a shortage of trained cybersecurity, change management, and engineering staff who know how to design and manage cybersecurity systems, or to diagnose and maintain them.


“Most manufacturers do assessments relative to the IEC/ISA standard and then buy technology to install.

“The issues where we see the real problems are in the next step. They don’t have enough people to maintain the technology they bought, and they also don’t have the right people who can diagnose and remediate problems if something does go wrong.

“ARC’s cybersecurity maturity model predicts that the more you do to increase your security, the more resources you need to maintain those efforts. This is a lack in both general cybersecurity and especially in ICS cybersecurity. Many companies have done what they need to do in getting technology, but they don’t have the people and processes in place to sustain the hygiene of their cybersecurity investments.”

— Sid Snitkin, vice president of cybersecurity services for ARC Advisory Group


“Most modern enterprises have a change management team so that every new hardware component, software program, and firmware patch won’t disrupt operation requirements.

“But this was developed and used for the IT side, not the OT side, so trying to do this for legacy-critical infrastructure is very challenging. There are tools but not the talent due to a lack of transitional training for both IT and OT. Both groups must learn to replenish and replace, diagnose and repair, and maintain those new OT and security systems.”

— Tanner Johnson, senior cybersecurity analyst for IHS Markit


“You have to engineer security just like you have to engineer your control systems.

“Many engineers are familiar with their control systems but have no exposure to networking, or maybe they’ve never configured a firewall before. In the past, IT staff didn’t have knowledge of the physical processes, such as mining, for example, so they didn’t understand that a security system could shut down the control system.

“The answer to both is cross-training: This will be the key to getting OT/control system cybersecurity to work. And today, you can build a new facility with cybersecurity from the ground up. Right now, power companies are really good at that.”

— Chris Sistrunk, principal consultant, industrial control systems at Mandiant, a FireEye company


(Source: ARC Advisory Group)
ARC developed the ICS Cybersecurity Maturity Model to help industrial managers understand cybersecurity challenges without becoming experts on the subject. While most plants have well-established physical security in place (left), implementing increasingly mature cybersecurity solutions requires a parallel increasing amount of staff dedicated to preventing, containing, monitoring, and managing cybersecurity technology.


(Source: ARC Advisory Group)

ARC developed the ICS Cybersecurity Maturity Model to help industrial managers understand cybersecurity challenges without becoming experts on the subject. While most plants have well-established physical security in place (left), implementing increasingly mature cybersecurity solutions requires a parallel increasing amount of staff dedicated to preventing, containing, monitoring, and managing cybersecurity technology.

Acquiring and managing cybersecurity technology that protects all of the OT devices deployed on the company’s factory floor and throughout the plant is a big subject. It can include software and/or hardware solutions, endpoint and cloud-based security, and purchased technology or outsourced security-as-a-service (SaaS).


“Instead of concrete steps to secure an environment, the most fundamental advice is to build out self-knowledge:

  • Do you know what’s on your network?
  • What is a device doing and how long has it been there?
  • What are your bottlenecks, not in the network communications sense but in the self-knowledge sense? For instance, what kind of access to other devices does a single access point give?
  • How do I interact with my operational environment from my corporate environment?
  • Does everyone have access easily, at will, or do they have to go through a concentrator?
  • What is the network layout?
  • What’s on it?
  • What are the critical communication nodes?
  • What are the steps that an adversary must take to have an impact?
  • Do they have to steal secrets from an HMI or interact with a PLC down the line to introduce a disruptive event?

The questions that you have to ask are going to be the same in different environments even though the answers will be very different.”

— Joe Slowik, adversary hunter for Dragos
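To make those self-knowledge questions concrete, here is an added example (not from the article or from Dragos) that builds a first-pass asset inventory from passively observed conversation records: first and last seen, which services each asset exposes, how many peers it talks to, and which assets appeared after the last signed-off baseline. The records and the baseline date are constructed for the demo.

```python
# Added example, not from the article or from Dragos: a first-pass asset
# inventory built from passively observed conversations, to answer "what is on
# the network, how long has it been there, which nodes are critical?".
# The conversation records below are constructed for the demo.
from collections import defaultdict
from datetime import datetime

# Constructed records: "<timestamp> <src> <dst> <dst_port>", oldest first.
LOG = """\
2018-10-01T06:00:00 10.2.0.3 10.1.0.7 502
2018-10-01T06:00:05 10.2.0.3 10.1.0.8 502
2018-10-02T06:00:00 10.3.0.5 10.2.0.3 4840
2018-10-15T09:12:00 10.2.0.3 10.1.0.9 502
2018-11-20T22:41:00 10.2.0.44 10.1.0.7 502
2018-11-20T22:41:30 10.2.0.44 10.1.0.8 502
2018-11-21T01:03:00 10.2.0.44 10.3.0.5 445
"""
BASELINE = datetime(2018, 11, 1)  # when the last manual asset list was signed off

def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def build_inventory(lines):
    """Return {asset: {first_seen, last_seen, peers, ports}} from the records."""
    inv = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                               "peers": set(), "ports": set()})
    for line in lines:
        ts, src, dst, port = parse(line)
        for asset, peer in ((src, dst), (dst, src)):
            rec = inv[asset]
            if rec["first_seen"] is None or ts < rec["first_seen"]:
                rec["first_seen"] = ts
            if rec["last_seen"] is None or ts > rec["last_seen"]:
                rec["last_seen"] = ts
            rec["peers"].add(peer)
        inv[dst]["ports"].add(port)  # a service the destination is exposing
    return dict(inv)

def new_assets(inv, baseline):
    """Assets first seen after the baseline: candidates for 'what is that?'."""
    return sorted(a for a, r in inv.items() if r["first_seen"] > baseline)

def hub_assets(inv, min_peers):
    """Assets talking to many peers: the critical communication nodes."""
    return sorted(a for a, r in inv.items() if len(r["peers"]) >= min_peers)

if __name__ == "__main__":
    inv = build_inventory(LOG.splitlines())
    for asset, rec in sorted(inv.items()):
        print(asset, rec["first_seen"].date(), rec["last_seen"].date(),
              len(rec["peers"]), "peers, exposes", sorted(rec["ports"]))
    print("new since baseline:", new_assets(inv, BASELINE))
    print("hubs:", hub_assets(inv, 3))
```

On the constructed records, the one asset that appears after the baseline (10.2.0.44) is also a hub that reaches the same PLCs as the known HMI, which is exactly the kind of change the inventory exists to surface for a follow-up question.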


“Public key infrastructure (PKI) has been used for decades to secure various IT systems, starting with PCs, servers, laptops, and then extending this capability to other systems like cellphones, set-top boxes, base stations, and smart meters.

“However, the scale of OT environments has its own challenges. There can be millions or even tens of millions of sensors collecting data in an industrial OT environment: How would you issue and manage the lifecycle of all of those security certificates at scale, including revoking them, and making sure that they’re up to date? Many of those legacy OT systems use older microcontrollers that don’t have the encryption hardware or CPU resources to support PKI.

“However, PKI vendors have been working with chip manufacturers to embed trusted identities on their devices, and in just the past year or so, they have now come up with ways of leveraging the built-in encryption and security available at the chip level in newer embedded systems to manage the security lifecycle at scale to support the needs of the OT environment.”

— Abhi Dugar, research director for IDC


(Source: FireEye)
FireEye’s cloud-based Threat Analytics Platform integrated with Belden’s products — including the Tofino Xenon Industrial Security Appliance — secures industrial control systems and critical infrastructure, detecting and preventing lateral movement of advanced attacks from IT systems into operational technology systems. On the IT side, Tripwire Enterprise extends the visibility of FireEye network security products by monitoring IT system and file change data.


(Source: FireEye)

FireEye’s cloud-based Threat Analytics Platform integrated with Belden’s products — including the Tofino Xenon Industrial Security Appliance — secures industrial control systems and critical infrastructure, detecting and preventing lateral movement of advanced attacks from IT systems into operational technology systems. On the IT side, Tripwire Enterprise extends the visibility of FireEye network security products by monitoring IT system and file change data.
