Skip the scary stories and focus on what you need to secure in manufacturing IoT

Security issues in the connected and PC-dominated world are nothing new. With thousands of IoT devices connected every year, companies and security providers have increased their understanding of how to deal with new threats.

Industrial IoT companies, however, should not approach security with the traditional PC-based strategy, says Tom McKinney, business development manager of HMS Industrial Networks.

Yes, security is a clear and present threat to Industrial IoT, but generalised, scary security stories from traditional enterprise IT consultants cause concern to become over-hyped and disproportionate. Companies instead need to focus on their functional connectivity needs and ensure they select proven, penetration-tested IoT devices and platforms that have the features required to support and maintain a secure solution.

As organisations look to the increasing volumes of IoT hardware being deployed and the growing number of services that are being brought to market, it’s clear that security is going to be a significant issue in the further development of IoT. The climate of fear surrounding secure IoT is diverting attention from the real security issues the industrial marketplace faces. “We see a tremendous amount of security-driven companies that are pitching fear-based propositions,” confirms McKinney. “These companies want to imply all security challenges in the traditional PC networks are applicable to the manufacturing environments which simply don’t see a significant amount of security breaches and, when they do occur, it’s often because people are misusing systems such as by not updating passwords.”

The systems are therefore fit for purpose; it is the processes surrounding them that need more attention in IoT manufacturing environments. “Human interaction is the biggest threat,” adds McKinney. “The one thing that will make IoT more secure will be increased reliance on things that don’t require human interaction such as log-ins.”

Tom McKinney: business development manager at HMS Industrial Networks

McKinney also points out that most devices in manufacturing environments are highly specific items of equipment that have been designed to have only limited functionality. “When you consider devices that could be penetrated by a hacker it’s important to recognise that manufacturing equipment is not the same as PCs,” he explains. “PCs are designed to run software applications, they don’t know if that software is Microsoft Word or malware, it’s just code. The PC will attempt to execute any software package it is given. That’s hard to defend against and servers are very similar to PCs in the sense that they’ll run third party software as well.”

However, in specialised areas such as manufacturing, PCs and servers typically have higher levels of access control than in general enterprise IT environments. “Servers in manufacturing environments have traditionally had higher levels of access control and the types of software they’ve been able to run is very limited,” he adds. “Manufacturing PCs often run only a handful of applications. The universe of apps is very small relative to a work PC and that makes them less likely to have malware loaded on to them.”

McKinney also believes cloud environments, particularly with the emergence of virtualisation, can be easier to secure because systems can be designed to allow only a single app to be run. That singularity means machines can be less vulnerable and this, coupled with the embedded systems that are typically used for IoT, means that systems are less susceptible to attacks and are very secure when used properly.

“At the edge of the manufacturing network most I/O exists to convert information from the digital world (computers and IT) to the analogue world of sensors and actuators. These I/O modules are very simple devices. Dumb devices,” says McKinney. “There’s agreement among the IT and automation community that a device based on a microcontroller executing firmware and a simple operating system has no security risk. There is no way to run third party software so there are no paths to attack these devices. Of course, one could get physical access to the device and reflash it, for example. This is a problem solved by physical security.”

Moving up the food chain on the factory floor there are devices that contain general purpose operating systems and can execute third party code. Security for these devices must be thought of at the design stage. “As the design community becomes more comfortable with utilising open source software, we’ll see more simple embedded devices running Linux, making these devices, effectively, small PCs,” explains McKinney. “This introduces a path for malware which providers have to become very aware of. However, by limiting the number of features supported, security can still be achieved.”

McKinney gives the example of using Yocto to build a Linux software developer kit (SDK) that only supports the functions needed by the embedded system application. “Off the shelf Linux offers support for web, FTP and different types of serial communication. However, the most security conscious manufacturers are going to realise these generic builds offer too many features. They will create their own Linux recipes with non-essential features removed and leave just what is necessary,” he adds. “Of course, organisations will need to verify that unnecessary services have been removed in order to ensure security. Penetration testing tools, such as Achilles from Wurldtech, provide a means for organisations to verify that an engineering team has removed extraneous services. These testing systems also execute known attacks against hardware to identify any susceptibilities. The test platforms are updated on a regular basis to incorporate new attacks as they are identified.”

The Target breach that occurred in 2013 is an excellent example of an organisation using off-the-shelf software without recognising the risk of extraneous functionality. In this case, a web server used only for uploading and downloading documents was utilised to gain access to Target’s corporate network. Functionality included in the web server, but not required for the application, provided the attack path.
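One way an engineering team could check a stripped-down Linux image for leftover services, as an added example that is not from the article or from HMS: it parses the kernel's `/proc/net/tcp` table and reports every listening port that is not on the build's allowlist. The sample table, the allowlist (Modbus TCP on port 502 only) and the function names are assumptions made for illustration.

```python
"""Audit listening TCP ports from /proc/net/tcp against a build allowlist."""
import socket
import struct

TCP_LISTEN = 0x0A  # state value the kernel reports for a listening socket

# Constructed sample of /proc/net/tcp (columns after "st" trimmed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0015 00000000:0000 0A
   1: 00000000:0050 00000000:0000 0A
   2: 0100007F:1F90 00000000:0000 0A
   3: 00000000:01F6 00000000:0000 0A
   4: 0A00A8C0:01F6 1400A8C0:C350 01
"""


def listening_sockets(proc_net_tcp):
    """Return (ip, port) for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue  # blank line, or an established/closing connection
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a native-endian 32-bit value;
        # "<I" assumes a little-endian target (typical ARM or x86 builds).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16)))
    return found


def unexpected_listeners(proc_net_tcp, allowed_ports):
    """Return (ip, port, exposed) for listeners not on the allowlist.

    exposed is False for sockets bound to loopback only, which cannot be
    reached from the plant network but still show a service was left in.
    """
    findings = []
    for ip, port in listening_sockets(proc_net_tcp):
        if port not in allowed_ports:
            findings.append((ip, port, not ip.startswith("127.")))
    return sorted(findings, key=lambda finding: finding[1])


if __name__ == "__main__":
    ALLOWED = {502}  # assumption: the application only needs Modbus TCP
    for ip, port, exposed in unexpected_listeners(SAMPLE_PROC_NET_TCP, ALLOWED):
        scope = "network-reachable" if exposed else "loopback only"
        print(f"unexpected listener {ip}:{port} ({scope})")
```

On a real device the same functions can be fed the contents of `/proc/net/tcp` read from the target; IPv6 and UDP listeners live in separate tables that this example does not cover.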

Secure IoT platforms

IT security should encompass the entire system so, while it is valid to consider device and server side security, the whole picture must be considered in order to achieve a more secure environment. “When we start talking about secure IoT platforms, we’re talking about the entire system including data moving to the cloud and user consumption of that data,” says McKinney.

There are substantial challenges to address how security is administered and how organisations can change their cultures to manage security more effectively. “You have to actively manage the user account set: an IoT platform must allow an administrator to create user accounts and delete user accounts as necessary independently of the user set,” he adds. “It’s important accounts are independent so a user is not an administrator. An administration account should be the only account type capable of adding or removing users and should be used infrequently.”

“There are scenarios, for example man-in-the-middle attacks, that could compromise one’s credentials. The way to address this risk is to minimise administration account usage, using it only from the corporate office and not while in the field,” he says. “User access control configuration should also be included in the admin account, allowing an administrator to determine which IoT devices and data a user has access to. User access needs to be managed over time as employees’ roles and responsibilities change.”

Part of this prevention relies on the continuous and comprehensive logging of security-affecting events. “Every IoT system component should be logging user activity. Server and device logs can act as a deterrent to insecure activity,” says McKinney. “The end goal of many attackers is not to damage a system, it is to capture data. Individuals or companies looking for information they can convert to cash. Manufacturing information may not appear valuable at first, for example, counting every unit manufactured via an assembly line. But that information could be valuable to a financial analyst trying to determine how many units are being produced. That information could drive a newsletter that in turn is sold to stock traders. A firm that maintains the material handling machines in an iPhone assembly line could determine how many devices are being manufactured daily. An inside user could access this information on a regular basis; logs are one way to identify and document this type of breach.”

Creating a digital paper trail is an excellent way to ensure users are on their best behaviour. Employees that know their activities are being logged are less likely to use the system inappropriately.

Coming back to the point that human interactions represent the weakest point in many secure environments, McKinney emphasises that organisations must eliminate their users’ abilities to short circuit security protocols. “Everybody wants to make it easy to remember their passwords but it is vital our passwords are reasonably complex; the company name or 123456 is not acceptable,” he says. “IoT solutions must confirm users’ passwords are complex and update periodically in such a way that users are forced to comply.”

McKinney doesn’t want to appear to be casual about securing IoT, particularly in manufacturing environments, but he does feel some of the risks are overstated and that’s to the detriment of deploying good and appropriate security in these environments. “A lot of vendors benefit from creating anxiety around security,” he says. “When evaluating security risks, you have to consider how interesting a given business is to a cybercriminal.”

“Companies should assess how attractive their particular manufacturing location is in terms of its potential for hackers to use it for financial gain or publicity,” he adds. “After an attack, what’s the headline the next day? If we are talking about a dog food manufacturer maybe it is ‘Dogs go hungry for 3 hours’. Does that justify the investment required to attack your facility? Put simply, the absence of a benefit to hackers is one of the reasons we don’t see a lot of highly publicised security breaches in manufacturing. The access doesn’t offer the opportunity to generate press or financial gain.”

It’s vital that, amid all the security hype, measured approaches to security are taken, but that also involves considering the nature of the risks and the likely impacts an attack would have. There are softer targets out there which can suffer greater impacts than organisations in the manufacturing industry. Added to that, the nature of existing systems, which are fixed-function embedded systems, often in physically secure environments, provides further protection.

McKinney emphasises that manufacturing organisations should still devote substantial attention to their security and to deploying the right policies and processes to protect their businesses. This is critical for the responsible operation of any business. However, there is a substantial gulf between the headline-grabbing fear-mongering of security consulting vendors from the traditional internet world and the highly specific applications and technologies of IoT. The challenges here are easier to contain and have significantly less potential impact. “Now is not the time to let security fears limit your IoT initiatives,” McKinney advises. “Work with your vendors to verify their security strategy and safely unlock the value of IoT.”
