For those of us who operate in tech, cyber security is a constant concern. The stakes are high, and are getting ever higher.
Nowhere are they higher than in the industrial spaces where you may be dealing with critical infrastructure. For malicious actors these systems have giant bulls-eyes painted upon them.
In this blog post, I will summarize the various considerations and challenges we face both as a society, and for those of us in these responsible tech positions. I’m not going to lie to you, it is very easy to paint a stark picture, but I will end with some measures organizations can take to protect their critical infrastructure.
But let’s start from the beginning, and briefly outline what is involved in industrial control:
3 concepts involved in industrial control
We cannot discuss cyber security in the industrial control space without first discussing these concepts.
Internet of Things (IoT)
We’re all familiar with this. Smart devices that connect to a network to transmit or receive information, without being a traditional computer. TVs, fridges, cameras, sensors…
These devices are often plagued by security issues. Command injection, weak authentication, and lack of encryption are all commonplace examples.
Operational Technology (OT)
This is the hardware and software that causes a change through direct monitoring and/or control of industrial assets. This includes:
programmable logic controllers
supervisory control and data acquisition (SCADA) systems
distributed control systems
These are all widely used in factory control lines and critical infrastructure, such as refineries, power plants, and water management systems. Sometimes they are referred to as “IT in non-carpetted areas.”
Industrial IoT (IIoT)
While smart devices are becoming commonplace in our homes and offices, they are also finding their way into industrial and infrastructural settings.
Sensors in smart factories and edge-systems on smart-ships are great examples of IIoT, that some of our clients are working on here at Eficode.
You can say that IIoT is where OT meets IoT: Operational technology designed to run critical systems, coupled with the connectivity you need to monitor and control these systems remotely.
And now, let’s have a look at what the current cyber security challenges are across these concepts.
Challenge 1: Old systems clash with the new
Few business areas have a larger timespan of development, deployment and tooling to consider, than areas of critical infrastructure.
For example, Helsinki, Finland, installed its first electrical grid in 1871 and, while I am sure there have been considerable updates since then, you probably see a lot of software over twenty years old, running on hardware thirty or more years old.
If you work in the energy department, you are in the unenviable position of having to connect, and secure, systems that were never intended to be networked in the first place.
As legacy systems merge with the modern, and IoT starts rapidly colliding with OT, a strange Frankenstein-esque shift to IIoT is changing the landscape of technology in critical infrastructure.
Challenge 2: Slowness to adapt to change
In sectors with critical infrastructure, such as power, medical, finance, and law-enforcement, you see the same rapid technological changes of pace as in the rest of the society.
As IoT pushes into our homes — with a close to 42% penetration rate in the US — IIoT is imposing itself upon the world of critical infrastructure.
According to Dr. Stephan Lechner, from the European Commission, who leads the security movement in the energy sector, cyber security acts as the guardrails on our treadmill. As acceleration happens, cyber security is what keeps us on track. The energy sector is still figuring out how to fully determine real attacks and how to react to them.
This is because, historically, these areas of critical infrastructure have been reluctant to change. They have been slow to adapt to advances in their supporting technologies, which leads to this cyber-security deficit that we start to see.
The sobering fact is that critical infrastructure, such as healthcare and the energy sector is vulnerable, and has already been attacked:
Wannacry Ransomware hitting UK hospitals
The prelude to the invasion of Ukraine by cyber attacks against infrastructure
As more and more of these critical systems find themselves online, the attack surface only grows.
In short: critical infrastructure has been attacked. It will be targetted in future too. And it will, at some point, be compromised.
Challenge 3: There is a lack of experience
There is simply no substitute for experience. Any wargames, theoretical attack models, or scenarios will all fall short of an actual attack.
This is depressingly obvious in Russia’s invasion of Ukraine. If you want to know who is dealing with Russian cyber aggression best, look no further than Ukraine. Because unlike other countries, they are not running simulations. They are not generating their scenarios: They are dealing with the daily realities of such attacks.
Bridging the gap between the lack of experience, and knowledge in the IoT and industrial control spaces, will be critical to keep ahead of attackers as they develop over the coming years.
We have not yet reached the tipping point where cyber aggression has overtaken regular attacks in disabling critical infrastructure, but based on the rate of increase, it is coming faster than we expect.
How IIoT threats increase
IoT devices are becoming of more interest to hackers for two main reasons:
IoT devices are everywhere
They are becoming more and more prevalent in the home, at the workplace, in smart-fridges, smart-tvs, smart-houses, smart-factories… Their reach increases with each passing year, to the point where IoT device deployment has started to eclipse non-IoT deployments. A trend we expect to see grow in the coming years.
IoT devices are becoming more powerful
IoT devices used to be small, somewhat powerless things. They had the minimum required resources, small processors, and little storage.
But today this is no longer true.
Devices such as the Jetson TX2 exist. Designed to bring AI applications to edge-locations, the TX2 runs with 256-core NVIDIA Pascal architecture and 8GB memory. As such, it is primed for applications such as coin-mining operations. While the recent cryptocurrency crashes may have temporarily mitigated this problem a little, there are other uses for computing power.
IoT devices are becoming increasingly wide-spread, particularly in one area of critical industry:
The medical industry. It maintains one of the heaviest investments into the IoT space, with 86% of medical facilities operating some form of IoT diagnostics tools. 2021 saw threats in medical record systems, defibrillator control systems, and AI diagnostic systems.
This is one of the primary fronts where cyber security threats can impact lives.
How to protect yourself against cyber attacks in the industrial space
If you operate in the industrial control space and want to know more about how you are doing in terms of cyber security, ask yourself the following three questions.
How are you handling encryption?
A staggering amount of data storage and transfer in the IIoT space is unencrypted. Have you asked yourself how you are handling data storage?
Is it encrypted? If so, does it use strong encryption and follow best practices?
What about transfer? Are you using TLS or some other encryption while your data is in motion?
How are you monitoring your distributed IIoT devices?
One of the larger weaknesses coming from IIoT is the physical distribution. These devices cannot be constrained in the traditional way, stored in a server cabinet behind lock and key. These devices often need to be located in accessible areas.
How you are monitoring your devices themselves?
Can you identify if the device goes down? Or if the device is tampered with physically?
Do you know which processes are running on your device?
Can you identify if a malicious process is spawned, that attaches your IIoT device to a botnet?
How much do you know about your networks?
IIoT suffers from a lack of traditional infrastructure in more ways than one. Normal devices such as servers will be connected to networks in specific ways, with specific sets of cabling attached to secured devices, all behind locked doors.
For IIoT devices that can be spread out in places where it may be difficult to run conventional cabling, wireless access is the order of the day. But this expands the attack surface in more ways than one. So:
How is your network restricted?
Are you running whitelisting based on physical mac-addresses?
Is the network that your IoT devices connect to specifically for that purpose, or do they connect to general-purpose access points?
Do people authenticate using a password or some sort of certificate-based authentication?
Are you monitoring the active devices connected to this network?
Can you remove unknown and unauthorized devices?
Cyber security in IIoT is in its infancy. Simple attack vectors that would be show-stoppers for the more established, traditional style of systems, are frequently shipped in both consumer and industrial IoT devices.
As the IIoT space extends further into areas of critical industry, such as the medical sector or power control systems, suppliers who do not incorporate cyber security into their core principles may find themselves struggling to catch up further down the line.
What better way to wrap this up, than the following quote from Richard Adler, of the Institute for the Future: “Despite continued security problems, the IoT will spread and people will become increasingly dependent on it. The cost of breaches will be viewed like the toll taken by car crashes, which have not persuaded very many people not to drive.”
Published: January 2, 2023