The cybersecurity challenges of consumer-grade Internet of Things devices are well-documented and best exemplified by the Mirai botnet’s attack on Dyn in 2016, which rendered large swaths of the Internet unreachable for the better part of a day. Although there have been a few examples of cybersecurity risks in the Industrial Internet of Things, there has not been a single watershed moment that captured the public’s attention so much as not being able to access Amazon, PayPal, Netflix, Spotify, Twitter, or Visa for a day. However, the consequences of a successful attack on IIoT devices could be far more severe and may even lead to the loss of lives.
As the clock ticks towards a massive and preventable cyberattack on IIoT devices, manufacturers and companies deploying them must address three challenges.
IIoT device exploits last longer than exploits against IoT devices
Mirai, Reaper, and other IoT botnets have flourished due to poor security controls, like hard-coded passwords, and a lack of encryption on consumer-grade IoT devices such as baby monitors, security cameras, and DVRs.
Manufacturers of consumer IoT devices, however, assume a level of obsolescence as consumers upgrade to the latest and greatest while recycling or disposing of the older devices. This means that the cybersecurity of the consumer IoT space will probably slowly improve, assuming vendors continue to incorporate modern security practices in their product lifecycle.
In contrast, the lifespan of an IIoT device is seven to 10 years. This means that security exploits in the IIoT space have a far longer lifespan than in the consumer space.
For example, an IIoT ransomware campaign that disables sensors on offshore oil pumps until a payment is received could repeatedly be used against companies if there is no means of updating the software running on those sensors for a decade.
The potential environmental and economic damages of an offshore oil pump malfunctioning due to a ransomware campaign would encourage rapid payments to third-party attackers.
There are at least two apparent solutions in this space. First, manufacturers might add encryption to IIoT devices. The trade-off in adding even light encryption is that the added processing will shorten battery life.
This can be mitigated by either providing higher-capacity batteries and increasing costs, or by forcing obsolescence, which would be an inelegant and expensive way to force updates into the IIoT ecosystem.
The alternate strategy is for companies purchasing IIoT devices to treat them the same as any other endpoint device connecting to the corporate network. Reasonable organizations now require that laptops, desktops, smartphones, and virtual desktop infrastructure (VDI) all support software updates with minimal downtime.
Incorporating a requirement that new IIoT devices support remote discreet software updates will help manage the risk of deploying hundreds of thousands of devices with unknown security vulnerabilities.
Third-party attackers may inject false data or tamper with existing data
One of the major trends in IIoT is to focus on reducing break-fix maintenance costs with preventative maintenance. Some studies cite up to a 30% reduction in costs associated with this model.
For example, a service that diagnoses and predicts aircraft maintenance issues based on sensors deployed from the tip to the tail of the airplane can help reduce “unscheduled maintenance,” that dreaded phrase heard by frequent flyers the world over.
Similarly, a service that predicts hardware failures on farm machinery can help to improve operational efficiencies by scheduling maintenance when the machinery is not in use.
Companies subscribing to these services will receive these benefits, however, only if the data being sent to the remote monitoring service has not been tampered with. This tampering can happen in at least one of two ways.
In the first scenario, attackers with physical access to the monitored hardware — airplane, tractor, oil pump, etc. — would need to introduce a device that would transmit falsified data into the monitoring service.
The alternate attack vector is to compromise and modify the central store of monitoring data. Although this is a remote exploit, it is not novel. Companies have been breached and found evidence of tampering in their files and data after the fact.
There are at least three visible solutions to this threat. The first, and most obvious, is to not rely solely on remote monitoring services instead of physical inspections whenever workable.
A second solution is to conduct periodic and rigorous inventories of deployed IIoT devices to ensure that no new and previously unknown devices have been deployed.
For example, if all deployed engines have an average time between maintenance of 6,000 hours that is detected using an IIoT sensor, an engine running at 6,200 hours with sensors reporting “all clear” could require manual inspection despite the lack of a “check engine” light calling attention to this.
The proliferation of IIoT devices is no excuse to stop segmenting networks
It might seem expedient to skip network configuration and limit network connectivity to IIoT devices when deploying potentially thousands of devices under an accelerated time frame.
Allowing connectivity to speed up deployment, however, carries the risk of allowing unwanted network connections from third-party attackers. The Shodan search engine makes it particularly easy for both legitimate security researchers and third-party attackers to identify IIoT devices that acknowledge their connectivity to the public Internet.
As noted earlier, from a cybersecurity and policy perspective, organizations should not treat IIoT devices differently than any other computing device. An unprotected IIoT device can serve as an initial bridgehead for part of a larger cyberattack by a dedicated third-party attacker.
Alternatively, third parties might avoid the trouble of exfiltrating company manufacturing data and instead focus on mining cryptocurrency, an attack that would be visible only as a performance degradation on the IIoT devices.
The aforementioned risks pertaining to IIoT are preventable given sufficient thought and secure hardware. The modern reality of cybersecurity is that third-party attackers are running illegitimate businesses and face the same budget, staffing, and time constraints as legitimate enterprises.
Most third-party attackers will pursue those companies that do not focus on securing their IIoT and other computing devices. This is the same rationale that burglars use when evaluating mansions with security systems and guard dogs in comparison with residential homes with unlocked front doors. Companies need to deploy these simple solutions to stop the next watershed moment in IIoT security.
About the Author:
Kayne McGladrey is an IEEE member and the information security services director at Integral Partners with 20+ years of experience in cybersecurity and identity and access management across financial, healthcare, retail, government, and manufacturing organizations. He has been interviewed by HITInfrastructure, CSHub, ESecurityPlanet, DZone, CSO Online, USA Today, Fast Company, Quartz, the Insider Threat Podcast, and Cheddar. McGladrey’s writing has been featured in (IN)Secure Magazine, ISSA Journal, and PSVillage. He has presented on cybersecurity to IEEE-USA and the Clear Law Institute. He created the first industry-recognized online class about the fundamentals for professional services management.