The Industrial Internet of Things (IIoT) is revolutionising manufacturing and critical environments. Its benefits are already being felt across industries as equipment such as sensors, gateways, processors and actuators continuously communicate with each other via the internet, enabling faster production and optimised processes. This is driving down costs and generating energy efficiencies.
That said, despite the range of benefits the IIoT has delivered, its rise has also led to an array of security weaknesses in such environments. At Applied Risk, we are still identifying multiple vulnerabilities in various devices used in environments such as water, oil & gas, power and manufacturing plants that could lead to modifications of process values by changing device settings and sending arbitrary commands to field devices.
Best practice security – are your devices trustworthy?
The ramifications of not adhering to best practice security requirements for industrial devices are alarming and should act as an eye-opener for industry. An example of the potential dangers comes from the newly discovered Autosploit, a tool that couples Shodan and Metasploit to make it easier for amateur cyber criminals to hack vulnerable IoT devices. It is predicted that this will result in a proliferation of new IIoT attacks.
Furthermore, following the discovery of the original Mirai botnet in 2016 that was used to take over hundreds of thousands of IoT devices, a new variant was found only last month that can turn IoT devices into proxy servers to protect the identity of hackers. More Mirai-based bots are now expected to emerge, with new methods of monetisation.
To ensure IIoT device trustworthiness, it is imperative for suppliers and end users to work together to investigate the security of legacy and new connected devices to determine their risk profile. Applied Risk recommends the following six basic security requirements for manufacturers and industrial end users when designing and implementing IIoT connected devices:
- Secure interface – It is essential to understand a device’s architecture and review its associated interfaces, software and hardware, for vulnerabilities.
- Software/Firmware integrity – It is crucial that IIoT devices first and foremost have the ability to perform updates regularly while maintaining cryptographic checks from a trusted source.
- Access Control – Firms must review the various access controls to determine whether a device allows for the separation of roles, strong passwords and the sufficient protection of credentials.
- Network services – Product manufacturers should ensure only necessary ports are available and exposed.
- Backdoors – An IoT device should not have undocumented functions or hidden entry points that can be easily exploited by the device vendor or any other third parties.
- Security configuration – An attacker will often utilise the lack of granular permissions to access data or controls on a device. Manufacturers must scrutinise devices for sufficient security hardening by restricting user privileges.
From the IEC 62443 standard to the EU Directive on Security of Network and Information Systems (commonly known as the NIS Directive), all industries are facing an increasing amount of regulatory burdens. Adopting security best practices and engaging capable security advisors to test and evaluate the security of equipment is crucial in order to detect and prevent a security breach before it has the chance to significantly impact a plant.
Visit Applied Risk’s Industrial Security Services to find out what steps you can take today to secure your industrial assets.