The Industrial IoT Attack Surface
Matt Griffiths, CIO, Stanley Black & Decker Industrial
Problem 1: Embedded Windows OS
Hindsight is a wonderful thing and it’s hard to claim that these manufacturers should have predicted the future, but intrinsically combining computer technology with a lifecycle of two years and industrial technology with a lifecycle of 20 years was a poor architectural decision. The constant stream of security patching and OS updates, combined with the need for virus and malware detection software installed throughout the environment, means that in the best case the manufacturing environment is hard to manage and in the worst case it’s an unmaintained attack surface. Segregated networks, VPNs and industrial firewalls help until the inevitable USB stick or infected third-party laptop connects to the environment, at which point you are in recovery mode.
Problem 2: Enterprise Strength Software
The introduction of user-friendly operating systems, simple-to-learn programming languages and easily deployable databases opened new doors for equipment manufacturers. The SCADA, DCS and MES markets exploded with offerings from hundreds of industrial device companies, and while many were successful and served a purpose, others lacked consideration for cybersecurity basics such as protocol/packet-level authentication, data encryption, buffer overflow checking and other secure coding methods. Even PLCs, historically “secure through obscurity”, were suddenly under attack after the Stuxnet virus targeting the Siemens S7 PLC protocol was developed in 2010 in a cyber-warfare attack against an Iranian nuclear plant. Industrial control systems were rapidly becoming a cyber-battleground.
Problem 3: Ecosystem Security
In most cases, industrial manufacturing environments were not designed with the prospect that they would one day need to run mini IT datacenters.
Problem 4: The Shifting Technology Landscape
Industry 4.0 and the Internet of Things are dramatically changing the technology footprint of the manufacturing shop floor. Legacy SCADA protocols like Profibus and Modbus are making way for TCP/IP-based communications; centralized on-premise, two-tier architectures are evolving to decentralized edge/cloud multi-tier solutions; and SCADA systems are increasingly interconnected with MES, ERP and analytics platforms. The larger solution providers are investing heavily and evolving their products rapidly. The smaller niche players have a multi-decade legacy of outdated technologies that will take many years to modernize, and their solutions will be vulnerable until that is done. To complicate matters further, IT talent with knowledge of industrial controls technology is increasingly rare, and the population that built the previous generations of industrial control platforms is now approaching retirement age.
The industrial controls domain is a complex challenge. Aging technology responsible for critical equipment, vulnerable to cyberattacks in an increasingly connected world, with a multi-year remediation timeline, a talent shortage and closely tied to physical equipment that gets replaced every 20 years or so… It sounds like the trailer for a blockbuster disaster movie. In the meantime, the NIST framework applies well in the Industrial IoT environment:
1. Identify: A complete audit of the Operational Technology environment including SCADA systems, embedded controllers, kiosks & mobile devices to assess the technology landscape.
2. Protect: Implement segregated VLANs and manufacturing firewalls to serve as bi-directional protection of the environment. Develop quarantine procedures for any devices entering the manufacturing VLAN and ensure those processes are understood throughout the Operations teams.
3. Detect: Ensure devices are running anti-virus and malware solutions and are free from infection & patched. Devices that do not support virus/malware detection should be isolated again on separate subnets.
4. Respond: Engage with plant and equipment vendors directly to understand technology upgrade roadmaps, patch availability, disaster recovery planning and assess their own access and cyber security policies.
5. Recover: Ensure the BCRP plan is well documented and understood, master images are current and accessible, and 3rd party equipment manufacturers are positioned to react quickly.
Manufacturing enterprise security will be heavily dependent on edge defenses for at least the next five to 10 years as plant equipment manufacturers rearchitect and redevelop their control systems in line with today’s technologies and cyber security standards. IT, which in many cases has historically watched the Operational Technology evolution from afar, will need to ensure it is including manufacturing environments in its core scope of responsibilities if the enterprise as a whole is to remain secure.