2019: Getting serious about IIoT security
As 2018 draws to a close, industry would be wise to acknowledge the now-urgent necessity of prioritizing security across the industrial internet of things.
Since the Industry 4.0 movement began sweeping across the globe, it’s been firmly established that IIoT initiatives generate enormous efficiencies and cost savings in everything from government infrastructure to manufacturing to energy production. But several factors indicate that shortcomings in IIoT security threaten the upward trajectory of connected automation, casting a pall over the positive potential of deployments moving forward. In 2019, it’s time to get serious about IIoT security.
Industrial cybersecurity firm CyberX recently released its second annual “Global ICS & IIoT Risk Analysis Report” detailing the state of industrial control systems and IIoT deployments. The study spans all sectors and analyzes data obtained from over 850 production networks assessed from September 2017 to September 2018 across North and South America, EMEA and Asia-Pacific. The results paint a grim picture of IIoT networks that are easy pickings for cybercriminals and malicious intrusion. Among the findings:
- 84% of industrial sites have at least one remotely accessible device
- 69% of sites have plaintext passwords traversing their networks
- 57% of sites aren’t running feasible antivirus protections
- 40% of industrial sites have at least one direct connection to the public internet
- 16% of sites have at least one wireless access point
Separately, the cybersecurity firm Vectra coordinated observations and data for the 2018 Black Hat Edition of the “Attacker Behavior Industry Report,” which examines attack behavior and cyberattack trends in the networks of more than 250 opt-in Vectra customers, with over four million devices and workloads, in manufacturing and eight other industries. It noted a sharp increase in threats from 2017 to 2018, with an average of 2,354 attacker behavior detections per 10,000 devices. Drilling down, its examination of IIoT networks in the “2018 Spotlight Report on Manufacturing” found that:
“The monthly volume of attacker detections per 10,000 host devices in the manufacturing industry shows a much higher volume of malicious internal behaviors [than in other industries]. In many instances, there is a 2:1 ratio of malicious behaviors for lateral movement over command-and-control. These behaviors reflect the ease and speed with which attacks can proliferate inside manufacturing networks due to the large volume of unsecured IIoT devices and insufficient internal access controls.”
The report further concluded that “IIoT devices collectively represent a vast, easy-to-penetrate attack surface that enables cybercriminals to perform internal reconnaissance, with the goal of stealing critical assets and destroying infrastructure.”
And if easy IP theft and infrastructure interference and/or damage aren’t warning enough on their own, government is now also entering the fray.
While the United States federal bill known as the IoT Cybersecurity Improvement Act of 2017 remains stalled in committee, one state just enacted the first U.S. law mandating IoT device manufacturing security provisions, effective as of January 1, 2020. California’s SB 327 states:
“A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following: appropriate to the nature and function of the device; appropriate to the information it may collect, contain or transmit; and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”
A “reasonable security feature” for any connected device equipped with a means for authentication outside a local area network requires either that preprogrammed passwords are unique to every device manufactured or that the device contains a security feature that forces a user to generate a new means of authentication before access is granted to it for the first time. While the legislation has been criticized for superficiality, neglecting encryption and failing to address the myriad underlying bad practices identified in the aforementioned cybersecurity reports, it reflects a new reality. This is the first U.S. law stipulating security specific to “things,” and more are sure to follow.
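The two options described above can be combined in a device's login gate. The following is an added example, not code from the article or from the statute: `DeviceAuth`, `provision_device` and the 12-character minimum are hypothetical, and it applies both options together although the law requires only one.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 12  # assumed policy value for this example, not taken from SB 327


class DeviceAuth:
    """Hypothetical login gate for a connected device."""

    def __init__(self, factory_password: str):
        self._enrolled = False
        self._set(factory_password)

    def _set(self, password: str) -> None:
        # Store only a fresh salt and a slow hash, never the password itself.
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._hash)

    def enroll(self, factory_password: str, new_password: str) -> bool:
        """First-use step: the factory password unlocks enrollment only, once."""
        if self._enrolled or not self._matches(factory_password):
            return False
        if len(new_password) < MIN_LENGTH or new_password == factory_password:
            return False  # refuse short values and re-use of the factory value
        self._set(new_password)
        self._enrolled = True
        return True

    def login(self, password: str) -> bool:
        """Access is denied until enrollment has replaced the factory credential."""
        return self._enrolled and self._matches(password)


def provision_device() -> tuple[DeviceAuth, str]:
    """Factory step: a random password per unit, e.g. for that unit's label."""
    factory_password = secrets.token_urlsafe(12)  # 16 URL-safe characters
    return DeviceAuth(factory_password), factory_password
```

Because `login` checks the enrollment flag first, a device taken out of the box and put on a network cannot be accessed with its factory value at all.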
There is hope on the horizon. Blockchain technology, for example, works as a distributed database that cryptographically and immutably records every “block” of data moving through a system — and it may point to a more secure future for our connected devices. As cybersecurity firm Trend Micro noted, “Given its decentralized nature, blockchain, in theory, can prevent a vulnerable device from pushing false information and disrupting the network environment, whether it’s a smart home or a smart factory.” There are experiments already underway using blockchain to validate and secure smart city functions in Europe. On a separate front, in the semiconductor space, there are new chip designs being explored aimed at layering or injecting artificial intelligence functionality into devices and applications that include better security at every point of computation from the edge to the cloud.
These are promising developments, but they don’t negate the present danger. Serious review, investment and a renewed commitment to security best practices are required across IIoT now. That’s a 2019 resolution worth making — and keeping.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.