Careful Connections are Key to Mitigating Cyber-Attacks on IIoT Systems

n the past, the only way to do this was to drop bombs on them.

Today, attacks against critical infrastructure can be just as disruptive when launched in cyberspace.

The threat of cyber-attacks against Industrial Internet of Things (IIoT) is very real. For instance, a cyber-attack on a Ukrainian power station in 2015 caused a loss of power affecting 225,000 customers.

Cyber-attacks against critical network infrastructure can have severe consequences and this has put world governments on high alert.

In the U.S., the Department of Homeland Security (DHS) has raised concerns over the growing number of cyber-attacks on industrial control networks.

In fact, the DHS takes the situation so seriously that they recently published guidelines to “provide a strategic focus on security and enhance the trust framework that underpins the IoT ecosystem.”

The document is the first attempt to provide clear cybersecurity guidance to organizations implementing IIoT and calls for a combined approach.

Among the measures discussed are “considered connectivity” and “defense in depth".

The Federal Trade Commission (FTC) has named and shamed numerous companies whose data privacy and security procedures have fallen short of good practice.

One example is a company called Lifelock who failed to ensure employees had adequate security on computers they were using to access the network remotely.

The FTC also made an example of Premier Capital Lending who they say provided a remote login account so that one of their clients could access consumer reports. Unfortunately, they did this without auditing their client’s security which allowed hackers to steal online passwords and consumer personal information.

Failure to properly secure third-party access was also featured in the case of Dave & Buster. On this occasion, the third party had been granted more access than it needed. The absence of restricting connections to specified IP addresses or imposing time limits was said to have allowed an intruder to connect to the network causing a leak of personal information.

The question of whether to put similar limits on industrial IoT connections lies at the heart of what the DHS means by “considered connectivity”.

It is not unusual for an IIoT component in a networked environment to fail or suffer from some kind of service disruption.

The DHS guide asks organizations to consider very carefully and deliberately the risks following a possible breach or device failure compared with the costs of limiting Internet connectivity.

For instance, continuous network access may be convenient but is it strictly necessary in the context of what the device does? A nuclear reactor having a continuous connection to the Internet carries too great a risk because it also opens the door to a network intrusion.

IIoT organizations are advised to adopt a defense in depth approach to help them stay ahead of privacy and security risks. Defense in depth comprises three steps:

Understand exactly what the device does – Without a full appreciation of the function and scope of each individual device, organizations run the risk of activating direct connections to the Internet when they are not strictly needed.
Make a conscious decision about every IIoT connection – Sometimes connecting to a local network to allow the content of critical information to be analyzed before it is sent is sufficient. Industrial Control Systems (ICS) are complex and critical and it is essential to protect them using defense in depth principles.
Build in remote management capability – Manufacturers, critical network infrastructures and service providers must be able to disable network connections or specific ports remotely when needed.

Despite their vital contribution, IIoT systems often have to be installed in some of the remotest and most inaccessible places imaginable.

They are also highly attractive to cybercriminals who regard them as the most vulnerable point in the network.

Protection of remote connections on IIoT systems is best managed with Virtual Private Network (VPN) software. VPNs form a secure connection at the remote IIoT gateway, integrating seamlessly with existing infrastructure and encrypting all data traffic passing to and from individual devices.

To achieve defense-in-depth, NCP engineering recommends IIoT organizations give careful consideration to on-demand/always-on access along with command line or API control.

Additionally, authentication in the form of software/hardware network certification and central management for remotely configuring devices are advisable.

In summary, the stance taken by regulators on the subject of IIoT or machine-to-machine (M2M) security has focused on organizations taking adequate precautions to manage and protect data privacy.

By following some basic ground rules and securing every necessary remote connection with VPN Management, it should be possible for companies to stay ahead of cybersecurity threats.

For good measure, it is advisable to keep things under constant review and give clear instructions for IT operatives to follow in depth privacy and security practices.