The Industrial IoT Attack Surface
By Matt Griffiths, CIO, Stanley Black & Decker Industrial
Across the Industrial Manufacturing sector, the average plant & equipment lifespan is around 20 years. To put that in context; 20 years ago, Windows 98 & Visual Basic 6.0 had just been released by Microsoft, Google had just hired their first employee and US Robotics started selling the first 56k modem. The Intel Pentium II 400MHz CPU was newly available at only $1124, XML became a W3C standard and the movie, Titanic became the highest-grossing film of all time. 20 years ago, the third industrial revolution was at full steam and when Windows XP was released in 2001, many plant and equipment manufacturers jumped to embed XP and a tremendous amount of PC technology in their products or run automation, inspection and SCADA systems. Now, in 2018, the implications of those decisions are becoming clear.
Problem 1: Embedded Windows OS.
Hindsight is a wonderful thing and it’s hard to claim that these manufacturers should have predicted the future–but intrinsically combing computer technology with a lifecycle of two years and industrial technology with a lifecycle of 20 years was a poor architectural decision. The constant stream of security patching and OS updates combined with the need for virus and malware detection software installed throughout the environment mean that, best case the manufacturing environment is hard to manage and worst case, it’s an unmaintained attack surface. Segregated networks, VPNs and industrial firewalls help until the inevitable USB stick or infected third party laptop connects to the environment—at which point you are in recovery mode.
Problem 2: Enterprise Strength Software
The introduction of user friendly operating systems, simple to learn programming languages and easily deployable databases opened new doors for equipment manufacturers. The SCADA, DCS and MES markets exploded with offerings from 100’s of industrial device companies and while many were successful and served a purpose–other slacked consideration for cybersecurity basics such as protocol/packet level authentication, data encryption, buffer overflow checking and other secure coding methods. Even PLC’s, historically “secure through obscurity”, were suddenly under attack after the StuxNet virus targeting the Siemens S7 PLC protocol was developed in 2010 in a cyber-warfare attack against an Iranian nuclear plant. Industrial control systems were rapidly becoming a cyber-battle ground.
"The constant stream of security patching and OS updates combined with the need for virus and malware detection software installed throughout the environment mean that, best case the manufacturing environment is hard to manage and worst case, it’s an unmaintained attack surface"
Problem 3: Ecosystem Security
In most cases, industrial manufacturing environments were not designed with the prospect that they would one day need to run mini IT datacenters. The IT closets are frequently not equipped with the infrastructure necessary for secure and reliable operations, the physical and cyber security policies are immature compared to core datacenter locations and cyber penetration testing typically reveal at least one or two nasty surprises. In addition, the technologies used on the manufacturing shop floor are not those typically supported by an IT organization which leads to heavy dependencies on vendor support, that in turn requires remote access directly to the manufacturing core–and that carries plenty of risk. Like the Target credit card breach in 2013, equipment support portals can quickly become back doors into the environment from which bad actors can easily navigate throughout the network. And although every organization in the world is at risk from phishing related attacks, the risk in a manufacturing environment still running on large numbers of unsupported and unprotected operating systems is particularly high—and the damage can be physical and catastrophic.
Problem 4: The Shifting Technology Landscape
Industry 4.0 and the Internet of Things are dramatically changing the technology footprint of the manufacturing shop floor. Legacy SCADA protocols like Profibus and Modbus are making way for TCP/IP based communications; Centralized on-premise, two tier architectures are evolving to decentralized edge/ cloud multi-tier solutions; And SCADA systems are increasingly interconnected with MES, ERP and analytics platforms. The larger solution providers are investing heavily and evolving their products rapidly. The smaller niche players have a multi-decade legacy of outdated technologies that will take many years to modernize and solutions will be vulnerable until that is done. To complicate matters further, finding IT talent with knowledge of industrial controls technology is increasingly rare, and the population that built the previous generations of industrial control platforms are now approaching retirement age.
The Industrial controls domain is a complex challenge. Aging technology responsible for critical equipment, vulnerable to cyberattacks in an increasingly connected world, with a multi-year remediation timeline, a talent shortage and closely tied to physical equipment that gets replaced every 20 years or so…It sounds like the trailer from a blockbuster disaster movie. In the meantime, the NIST framework applies well in the Industrial IoT environment:
1. Identify: A complete audit of the Operational Technology environment including SCADA systems, embedded controllers, kiosks & mobile devices to assess the technology landscape.
2. Protect: Implement segregated VLAN and manufacturing firewalls to serve as bi-directional protection of the environment. Develop quarantine procedures for any devices entering the manufacturing VLAN and ensure those processes are understand throughout the Operations teams.
3. Detect: Ensure devices are running anti-virus and malware solutions and are free from infection & patched. Devices that do not support virus/ malware detection should be isolated again on separate subnets.
4. Respond: Engage with plant & equipment vendors directly to understand technology upgrade roadmaps, patch availability, disaster recovery planning and assess their own access and cyber security policies.
5. Recover: Ensure the BCRP plan is well documented and understood, master images are current and accessible, and 3rd party equipment manufacturers are positioned to react quickly.
Manufacturing Enterprise Security will be heavily dependent on edge defenses for at least the next 5-10 years as plant equipment manufacturers rearchitect and redevelop their control systems in line with today’s technologies and cyber security standards. IT, whom in many cases have historically watched the Operational Technology evolution from afar, will need to ensure they are including manufacturing environments in their core scope of responsibilities if the enterprise as a whole is to remain secure.