Readying IIoT Networks for Today’s Security Challenges
Cyber attacks can often seem like the opening scene of a science fiction movie. The mouse pointer starts gliding across a screen with purpose. A technician, looking up to review data on their monitor, sits motionless, frozen by the shock of what they are seeing. Is this a prank? Then, one by one, ransom demands appear on monitor after monitor throughout the office, followed by the entire manufacturing facility.
Reviewing recent news reports, it becomes clear that such scenes have been experienced by numerous industrial facilities, with the number of ransomware attacks increasing by 300% between 2019 and 2020. Of 1,100 information technology (IT) and operational technology (OT) experts questioned, more than 60% claimed to have paid ransoms in such cases. Over half said they’d paid more than $500,000. But it is not just at the bottom line where the pain is felt. Downtime caused by cyber attacks can rack up costs at thousands of dollars per minute.
Recognizing the growing interest of bad actors in disrupting commercial entities and public infrastructure, governments are responding with a range of initiatives. The United States has introduced the National Industrial Security Program (NISP) to ensure the defense industry safeguards classified information in its possession. Furthermore, should a US business suffer a serious cyberattack on its security or operational systems, it is obliged to report it under the Strengthening American Cybersecurity Act (SACA) of 2022. The European Union has also established the EU Cybersecurity Act, which has strengthened the role of ENISA, the EU Agency for Cybersecurity. ENISA’s role ranges from identifying perpetrators and cyber deterrence to providing a cybersecurity certification that is recognized EU-wide.
How industrial cyberattacks unfold
Central to the initiation of SACA was the ransomware attack on the American Colonial Pipeline in the spring of 2021. Access to IT systems was achieved using a password for a virtual private network (VPN) that may have been discovered in a separate data breach. While the attack didn’t touch OT systems, the resulting disruption meant that the fuel pipeline had to be shut down for six days. This is a common approach for cybercriminals: using their IT knowledge against weaknesses in standard operating systems, software, and security implementations to attack industrial complexes. With the expansion of industrial automation, remote sites often operate without personnel, relying on remote access via VPNs to monitor and control equipment, which means the early steps of an attack can go unseen.
But the risks rise significantly when attackers additionally have OT knowledge and understand how industrial systems are implemented. Traditionally, OT has been air-gapped from IT, but the need to benefit from the advantages of IIoT means that gap is being removed. And, because industrial equipment such as programmable logic controllers (PLCs) has traditionally implemented little in the way of security, once in, criminals can cause physical impairment. In one example, a furnace in a steel mill was manipulated so that it could no longer be shut down correctly, resulting in significant damage.
Much OT equipment cannot be re-programmed from afar, with many updates requiring physical access to a unit’s USB interface or a memory card. Even so, plenty of disruption can be caused just by gaining access to an unprotected Fieldbus network. Ethernet interfaces on some devices have been shown to use fixed, rather than truly random, initial sequence numbers (ISNs) in Transmission Control Protocol (TCP) communications. Such weaknesses can be used to inject malicious messages or even mount a denial of service (DoS) attack. At this point, OT teams must rely on built-in safety mechanisms to protect workers from any resulting chaos.
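As an added example (not code from the article), here is a small Python check a defender might run over the ISNs a device returns in its SYN-ACK replies across repeated connections, to flag the fixed or incrementing behaviour described above before it is found the hard way. The device names and ISN values are constructed for illustration.

```python
# Added example: classify the TCP initial sequence numbers (ISNs) observed from
# one device over successive connections. Fixed or constant-increment ISNs make
# the next connection's sequence number trivially guessable.
from typing import Dict, List

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def classify_isns(isns: List[int]) -> str:
    """Return "fixed", "linear", "low-variance" or "random-looking"."""
    if len(isns) < 3:
        raise ValueError("need at least three observed ISNs")
    if len(set(isns)) == 1:
        return "fixed"  # same ISN on every connection
    # Differences between consecutive ISNs, taken modulo the sequence space
    deltas = [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]
    if len(set(deltas)) == 1:
        return "linear"  # constant increment: next ISN = last ISN + delta
    # A proper generator spreads deltas across the whole 32-bit space; deltas
    # that cluster within a small window are still easy to predict.
    if max(deltas) - min(deltas) < (1 << 16):
        return "low-variance"
    return "random-looking"


def audit(devices: Dict[str, List[int]]) -> Dict[str, str]:
    """Map each device name to the classification of its observed ISNs."""
    return {name: classify_isns(isns) for name, isns in devices.items()}


# Constructed observations for hypothetical devices on a plant network
SAMPLE = {
    "plc-a": [0x12345678] * 5,                        # identical every time
    "plc-b": [1000, 1064, 1128, 1192, 1256],          # +64 per connection
    "rtu-c": [100000, 164500, 229100, 293200],        # roughly +64k, small jitter
    "hmi-d": [0x9A3F1C02, 0x0B77E5D9, 0xD21A4E8F, 0x4C0D9B61],
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Anything other than "random-looking" is worth raising with the vendor or isolating behind a gateway that terminates TCP on the device's behalf.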
Thinking about security from the start
Industrial engineering teams already place great significance on safety but now need to consider the additional challenge of security. Like safety, security needs to be baked into products and systems from the very beginning. However, due to the complexity of the systems being built, IIoT security approaches must be holistic. Recognizing the difficulties of getting this right, the International Electrotechnical Commission (IEC) has approved IEC 62443, a four-part standard that addresses cybersecurity for OT. Drawing on expertise from various industrial sectors, it offers a risk-based approach to support various stakeholders, from system and component manufacturers to service providers and operators.
At the implementation level, the standard uses security levels (SLs) for assets, defined according to the expected sophistication, motivation, and skills of potential attackers. An SL can also be applied to a zone, a group of devices that share common security requirements. At lower SLs, features such as identification and authentication of human users are required, along with defined password strength. Higher SLs demand software identification and authentication, ensuring only authorized equipment can be attached to OT networks and linked with cloud IIoT services. Support for public key infrastructure (PKI), with keys protected in hardware, and for symmetric key authentication provides additional robustness.
Future security challenges
The growing frequency of cyberattacks on industrial facilities emphasizes the importance of a universal approach to IIoT security. The IEC 62443 standard assists industrial engineering teams in determining the appropriate security measures for complex systems, from selecting hardware components and software partners to deploying entire systems linked to cloud services. But with the rise in complexity of industrial systems, new security threats are beginning to emerge. The second part of this article, entitled ‘Protecting against new types of threats and attack vectors’, will look into how the industry is readying itself to protect against future security challenges.
About the author
This article was written by Joppe Bos. Joppe is a senior principal cryptographer at the Competence Center for Cryptography and Security at NXP Semiconductors. He also currently serves as the Secretary of the International Association for Cryptologic Research (IACR) and the co-editor of the Cryptology ePrint Archive. His research focuses on computational number theory and high-performance arithmetic as used in applied cryptography.