A tale of two water supplies portends the coming security nightmare as industrial assets are connected to the Internet of Things (IoT).
Hackers, potentially linked to Iran, were able to breach an unprotected human-machine interface (HMI) system at an Israeli water reservoir, allowing them to tamper with water pressure and temperature settings. More recently, a plant operator working in a water treatment facility serving Oldsmar, Fla., discovered an unknown hacker had gained entry and successfully altered chemical levels in the county’s water supply—the timing of this incursion is notable as it took place during Super Bowl weekend, which was hosted in nearby Tampa.
Although neither incident caused immediate public harm, they raise alarming concerns about security vulnerabilities as factory equipment, remote industrial assets, and critical public infrastructure are synced to the cloud and enterprise systems in support of new initiatives designed to garner efficiencies, improve operational performance, and deliver proactive maintenance. While IT has actively embraced cybersecurity practices, including patching and configuration management, OT (operations technology) has historically eschewed such measures, primarily due to concerns about how unplanned, ill-timed, or inadvertent changes could bring systems down, negatively impacting worker safety and plant resiliency.
“This is a story of cultures colliding—in the IT world where change is a good thing…to the world of industry where change is bad and introduces risk,” says Grant Geyer, chief product officer for Claroty, a supplier of industrial cybersecurity technology. “But to gain access to advanced analytics, just-in-time ordering systems, and unlocking new insights, it’s inherent that we connect the world of aversion to change with the world of attraction to change—that is really the core of the problem.”
A shifting security landscape
The growing complexity and connected nature of the modern industrial landscape introduces risks that simply didn’t exist before. The spread of IIoT devices, more widespread deployment of edge analytics, the continuous transmission of time-series data, and the adoption of digital twins open up new attack vectors in industrial environments, which were never designed with cybersecurity in mind. Not only is the line of attack expanded—threat actors are becoming more attuned to the opportunity to disrupt business through industrial operations.
“Frankly, industrial systems are easier to compromise or get into than business systems, but they are harder to exploit,” says Francis Cianfrocca, CEO and founder of Insight Cyber Group, which delivers a managed IoT security service. Cianfrocca explained further that a certain level of skill is required to do real damage to industrial equipment. “You need real knowledge to mess with a centrifuge or robot, whereas anyone can mess with a Windows computer because everyone has one,” he says.
A Trend Micro report on IIoT security identified several emerging attack scenarios, such as: compromise of an engineering workstation through a malicious industrial add-in for stealing trade secrets, trojanizing a custom IIoT device to become a bad actor, and exploitation of a vulnerable mobile HMI to tap sensitive information or to take over the device. Infiltrating MES systems to create defects in the final product or to mount denial-of-service attacks that block production is another growing concern, as is the ability to inject malicious automation logic into a complex machine, paving the way for information theft or unintended machine movement.
Perhaps the most dangerous and potentially prolific security threats are employees, experts contend. “We fear Russia in terms of cybersecurity breaches, but the good-hearted employee is the most dangerous,” says Greg Baker, vice president and general manager for the Cyber Digital Transformation organization at Optiv, a security systems integrator. “The employee that tries to stretch their responsibilities by updating a Windows XP workstation to Windows 10 and shuts the factory down—they’re the most dangerous threat actor.”
Historically, security of OT environments has been addressed by preventing connectivity to outside sources or walling off as much as possible from the internet using a strategy many refer to as an “air gap.” With the latter approach, firewalls are the focal point of the security architecture, locking down an automation environment, perhaps in a specific building, to prevent external access as opposed to a strategy predicated on securing individual endpoints on the industrial network such as HMIs or PLCs. “We used to live in a world that was protected—you didn’t need to put a lock on your jewelry drawer because you had a huge fence around the property and no one was getting in,” explains John Livingston, CEO of Verve Industrial, which markets an industrial control system endpoint security platform. “Now that the fence has come down, you need to protect the assets inside rather than relying solely on network protection.”
While manufacturers have been gathering data for years through data historians, the data remained siloed or, at best, was shared within the internal network. In today’s environment, the flow of data has been altered—not only is plant data pushed out through the cloud to enterprise systems or automation experts for analysis, there is also inbound traffic to initiate changes, whether that's calibrating machinery to optimize performance or correcting a glitch that is causing quality issues. “With IIoT, people don’t just want to analyze—they want to act,” says Verve’s Livingston. “What was a one-way street is now a two-way street and there are risks associated with that. If you’re making a temperature change to a boiler, for example, you’re also changing its pressure. Now, you’re potentially not just making a bad decision, but taking a bad action.”
The need for visibility
The first step for any manufacturer trying to elevate industrial security is to have visibility into what’s actually in their environment—a picture that is lacking at most companies. Prior to deployment, organizations need to gain a deep understanding of their current operations technology asset and network environment so they can establish where the risks are and evaluate how new IIoT initiatives might impact future exposure. Many shops are unaware of IIoT devices that have come in under the radar, such as a random router added to create a Wi-Fi hotspot in a dead zone or a device connected to the backplane of a controller that’s part of the distributed control system governing plant processes.
“Wireless connectivity bridges the theoretical air gap, which is one of the key security components companies rely on,” Livingston says. “As a result, unpatched systems can now be exposed to the internet through the backplane of a controller.”
Once an asset inventory has been taken, it needs to be mapped to a risk profile predicated on things like business revenue or regulatory compliance. If both the business and network infiltration risks are determined to be high, that asset should be red-flagged for immediate action, whereas other high-risk assets that map to areas of lower vulnerability can wait for security remediation, according to Insight Cyber Group’s Cianfrocca. Insight Cyber Group’s NetRadar managed IoT security service reportedly collects data from cyber-physical environments in a “non-invasive” way to get an accurate inventory picture without disruption to industrial processes and production, he says. Their approach also favors intelligent monitoring and incident response services as opposed to conventional IT firewalls. “Intelligent monitoring is the way forward—it’s non-invasive and proactive, and the way security changes, you need to move past traditional technology to something based on monitoring, visibility, and artificial intelligence (AI),” he explains.
Differing approaches to OT cybersecurity
Cisco is parlaying its enterprise security muscle into the industrial space, but is committed to adapting its offerings to meet the needs of the OT world where it exists rather than coercing OT teams into IT-driven solutions, notes Wes Sylvester, Cisco’s global industry director, manufacturing & energy. Visibility into assets is important, and specifically visibility into the next-level details of those assets: the kind of data, where it is coming from, and whether it is secured, Sylvester explains. Through device recognition and data tagging, Cisco’s CyberVision platform builds a view of asset inventory, communications patterns, and network topologies while also extending IT cybersecurity capabilities to the OT domain, including protocol analysis, intrusion detection, behavioral analysis, and OT threat intelligence. The platform creates a converged IT/OT security operations center, bringing detailed information on OT assets and threats to enterprise security infrastructure like firewalls.
“In the best case, OT has a different security posture; in the worst case, it has no posture,” Sylvester says. “You can’t flip the switch and have them be on the IT security side.”
While IIoT cuts a path to real-time analysis and the ability to boost operational performance by calibrating automation systems, the very ability to modify equipment creates risk by establishing new access paths into the industrial control network. As a result, organizations need to move away from conventional perimeter-based security measures to a software-driven approach and a focus on hardening endpoints such as HMIs, workstations, controllers, and PLCs against potential attacks, security experts say.
Verve’s Endpoint Protection Platform is said to tackle the problem with a combination of agent and agentless technology. Its agent-based asset management provides a real-time view into each subnet and asset without scanning or scripts while consuming minimal bandwidth, and its agentless device interface gathers data on firmware, configurations, and network device rules. The platform also combines asset inventory, vulnerability management, configuration management, and patch management into a single platform while supporting open APIs (application programming interfaces) so telemetry from both the IT and OT worlds can be integrated for end-to-end enterprise visibility.
Tripwire Industrial Visibility also makes OT network assets visible to enterprise security teams. The platform extends IT security controls—automatic discovery of assets, AI-driven network zoning and segmentation, and known and zero-day threat and anomaly detection—to the OT landscape by supporting a diverse range of industrial protocols and by incorporating passive, active, and AppDB scanning capabilities for visibility.
The Claroty Platform is evolving the OT security model with new capabilities to address remote work—now the norm even for industrial companies due to the global pandemic. With its Continuous Threat Detection 4.2 and Secure Remote Access 3.1 capabilities, the Claroty Platform offers remote incident management features, including alerts on remote user activity and help in prioritizing remediation, as well as insights into similar events across the Claroty user base to contextualize whether alerts are true threats or false positives.
“In IT, active scans that touch every device and every query over the network are the norm, but in industrial environments, those practices can bring a plant down,” says Tripwire’s Tim Erlin, vice president of product management and strategy. “We’ve changed the technology to support passive assessment…and found different ways to approach visibility.”
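As an added illustration of the passive approach Erlin describes (example code written for this article, not Tripwire's or any other vendor's product), the snippet below builds an asset inventory from Modbus/TCP request frames observed on the wire and flags the inbound write traffic Livingston calls the “two-way street,” without sending a single packet to the PLC. The IP addresses, frames, and approved-writer list are all constructed for the example.

```python
import struct
from collections import defaultdict

# Standard Modbus function codes that change device state (write coil/register).
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Constructed request frames: 7-byte MBAP header (transaction id, protocol id,
# length, unit id) followed by the function code and its data.
READ_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # FC3: read 10 regs
WRITE_FRAME = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x01\xf4"  # FC6: write reg 16
NOISE = b"GET / HTTP/1.0\r\n"                                      # not Modbus

# Constructed passive observations: (source ip, destination ip, TCP payload).
OBSERVATIONS = [
    ("10.0.1.5", "10.0.2.20", READ_FRAME),    # historian polling the PLC
    ("10.0.9.77", "10.0.2.20", WRITE_FRAME),  # write from an unexpected host
    ("10.0.1.5", "10.0.2.20", NOISE),         # unrelated traffic, skipped
]

def parse_mbap(frame):
    """Return unit id and function code of a Modbus/TCP request, or None."""
    if len(frame) < 8:
        return None
    _, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU.
    if proto_id != 0 or length != len(frame) - 6:
        return None
    return {"unit": unit_id, "function": frame[7]}

def build_inventory(observations):
    """Record which hosts talk to each (device, unit) and which of them write."""
    inventory = defaultdict(lambda: {"clients": set(), "writers": set()})
    for src, dst, payload in observations:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue  # unknown protocol: nothing is probed, it is simply skipped
        entry = inventory[(dst, parsed["unit"])]
        entry["clients"].add(src)
        if parsed["function"] in WRITE_FUNCTIONS:
            entry["writers"].add(src)
    return dict(inventory)

def write_alerts(inventory, allowed_writers):
    """Flag write traffic to a device from hosts outside its approved list."""
    alerts = []
    for (device, unit), entry in sorted(inventory.items()):
        for src in sorted(entry["writers"] - allowed_writers.get(device, set())):
            alerts.append((device, unit, src))
    return alerts
```

Running `write_alerts(build_inventory(OBSERVATIONS), {"10.0.2.20": {"10.0.1.5"}})` reports the write from 10.0.9.77, while the historian's read polling produces no alert.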
Platforms that straddle the needs of both enterprise and industrial security are an important path to fostering IT/OT alignment, which is essential to a successful cybersecurity strategy. While IT has a deep bench of talent devoted to cybersecurity practices like managing patches and doing vulnerability testing and configuration management, that level of domain expertise is lacking in OT. Because of that delta and the need for end-to-end visibility, fostering alignment between IT and OT through education and joint collaboration is crucial for success.
“Education is the biggest hurdle on the OT side of the house,” says Richard Wood, product marketing division manager at Moxa. “The average worker doesn’t understand that plugging their cell phone into a USB port on an industrial computer potentially risks infecting the entire network. People have to understand that security is not something you buy—it’s a continuous process like quality.”