Don’t Be the Next SolarWinds: Secure Your IIoT Network

Apr 14, 2022 1:57:39 PM

IIoT devices are often insecure, and networks are frequently configured to allow for rapid, easy deployment and communication. Security is typically either an afterthought until something goes wrong, or it isn’t addressed with the right approach and toolkit.

In this post, we’ll briefly cover what IIoT is and then assess the general threat situation. Then we’ll talk about specific IIoT threats, how to begin securing your IIoT networks, and what to look for in an IIoT security partner.

First, introducing the Industrial Internet of Things:

IIoT 101

IIoT, the Industrial Internet of Things, consists of networks of connected devices that can receive and transmit data. They do this in two ways. First, some devices turn real-world information into digital data, such as weighing products or noting the arrival and departure of containers, while others turn digital instructions into real-world actions. Second, they transmit data both laterally (between each other) and vertically to and from centralized command centers. IIoT is being used to digitize production, warehousing, distribution, and retail.

How is IIoT different from IoT?

IoT is a general description of networks of connected devices. IIoT is a specific type of IoT, where the focus is on industrial applications such as production in factories or distribution in warehouses. That contrasts with the most common IoT applications, which are for virtual assistants and cameras in homes.

IIoT devices and networks have different requirements, operate in a different environment, and aim to achieve different goals than consumer-level IoT tools.

Typically, IoT devices operate as part of small local networks: think of smart thermostats or doorbell cameras. They connect via an internet connection to back-end control systems, but don’t connect to many other devices in the home.

IIoT devices often connect to large numbers of other devices locally, using technology such as BLE (Bluetooth Low Energy) communication. Thus, the networks present a very different security environment. Since they are part of systems designed to create value (as part of a business) rather than home or leisure applications for consumers, they are also much more tempting targets.

The IIoT security situation: overview

The IIoT security situation is changing very rapidly as new IIoT implementations come online, new use cases are explored, and networks grow and interlock. Gartner’s research director, Jenny Beresford, warned that: ‘The IoT will expand rapidly and extensively, continually surfacing novel and unforeseen opportunities and threats.’ That’s even truer of the IIoT.

Connected devices are targets, local networks are targets, and the controlling IT networks that sit behind the IIoT network are particularly tempting targets. As Martin Geiss warned Control Engineering’s readers in 2021, ‘any device… can be hacked.’ The majority of traffic across IIoT networks (as much as 98%) is unencrypted, meaning it can be ‘sniffed’ with minimal equipment and injection attacks are possible. 57% of devices are vulnerable to mid- or high-severity attacks.

Specific threats

IIoT suffers from some specific threat types, including:

Device attacks

Many IIoT devices are insecure. Bought and deployed in bulk, they’re often running unpatched operating systems and firmware that hasn’t been updated. In many cases they’re using the default login credentials, meaning hacking them is trivially easy.

When one device is hacked, the attackers can gain control of large numbers of devices if they’re allowed to communicate with each other laterally. That lateral communication can become a vector that allows attackers to easily seize control of all the devices connected to that sector of the network.

Worse, such attacks can allow attackers easy, poorly-secured entrance to the organization’s core IT network. Such networks are connected to IIoT networks of connected devices, but they should be segregated and firewalled. When they’re not, the whole network — including databases, financial and productivity tools and personal information on customers and staff — is only as secure as the least secure IIoT device.

SolarWinds: the application layer

The SolarWinds attack deserves attention for three reasons. First, it was carried out by a nation state rather than by smaller, less-organized threat actors. Second, it was an attack on a target that few people think about when they discuss IIoT: the application layer that actually controls an IIoT implementation. And third, the attack exposed the degree of vulnerability introduced into global systems by insufficient attention to IIoT security.

SolarWinds had developed a software tool whose end users included departments of the US government and numerous major private companies. When SolarWinds’ software was attacked by agents of the Russian state, they gained access to thousands of organizations; while only a few eventually received malicious payloads, and the eventual insured damage was estimated at around $90 million, the potential was there for a much more disruptive attack. Targets of the SolarWinds attack included a nuclear stockade, as well as companies like Microsoft.

Botnet attacks: attacks from the IIoT

The most famous botnet attack to date was 2016’s Mirai/Dyn attack, a DDoS (Distributed Denial of Service) attack launched from a botnet assembled by the Mirai malware. Mirai infected computers, then caused them to continually search the internet looking for connected devices. When it found them, it connected to them with default passwords and usernames, then infected them. Most of these devices were security cameras, which are among the least secure devices in most businesses; they’re often ignored by IT and treated simply as cameras, but they can offer hackers entry to your whole IT system.

The network of infected devices so assembled was used to send huge numbers of requests to selected websites, including the Guardian newspaper and the website of cybersecurity expert Brian Krebs.

Ransomware attacks

Ransomware attacks typically hold companies to ransom for their networks. An office’s PCs might stop working until a certain number of Bitcoin is handed over, for instance. In the IIoT, that might mean stopping production, cutting refrigeration to warehousing, or halting transportation. In a world defined by agile, just-in-time supply chains, this can be hugely damaging, rippling out across the economy. Handling the ransomware request can cause regulatory and other problems, while companies can hardly afford to refuse.

Meanwhile, ransomware attacks are evolving, often using more sophisticated tactics and maintaining a network presence after being paid in order to do further harm later. They might also steal data from a company, which in some cases can represent a catastrophic loss and bring its own regulatory issues.

IIoT security solutions

There are already some solutions to the risks posed to IIoT networks.

Reset defaults

Default passwords are assigned to every product in the same range, and they’re regularly leaked and shared online. This was how the Mirai botnet was able to spread so quickly: IT departments weren’t consulted about the installation of security cameras with network access, so their default passwords weren’t changed. For production and warehousing networks, where fleets of identical connected devices are employed, the problem could be catastrophic: the key to your whole operation could already be in the hands of bad actors. Each device should be assigned a secure password, and these should be stored securely and encrypted. This simple fix would have stopped the Russian state from its deep penetration of US government and business assets.

Update and patch

Patches and updates should always be implemented for all firmware, software and operating systems on all devices. Any device whose firmware, locally installed software, and operating system cannot be updated should not be deployed or connected to the network. If devices can’t be updated without downtime, seek alternatives. (Sometimes, updates to IIoT networks require specialist technical skills.)

Network segregation

When a person is infected with a disease, we isolate them to prevent the disease spreading. If all devices in an organization can communicate directly with each other, they form one big ‘room’ — a hacker who gets through the first door can help themselves. Networks should be laterally segregated by task, physical location and other parameters, so that only small groups of devices can be infected by lateral communication between devices. They should also be vertically segregated, with the organization’s core IT network separate from the IIoT implementation and communication between the two closely monitored.
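One way to check that the lateral and vertical segregation described above actually holds is to classify observed traffic against the segment plan. This is an added example, not code from the original post; the segment names, subnets, gateway segment and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): names and subnets are illustrative only.
SEGMENTS = {
    "line-a-sensors": ipaddress.ip_network("10.10.1.0/24"),
    "line-b-sensors": ipaddress.ip_network("10.10.2.0/24"),
    "warehouse": ipaddress.ip_network("10.10.3.0/24"),
    "iiot-gateway": ipaddress.ip_network("10.10.250.0/28"),
    "core-it": ipaddress.ip_network("10.0.0.0/16"),
}
GATEWAY, CORE = "iiot-gateway", "core-it"

def segment_of(addr):
    """Return the name of the segment that contains addr, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"

def classify_flow(src, dst):
    s, d = segment_of(src), segment_of(dst)
    if "unknown" in (s, d):
        return "unknown-endpoint"    # e.g. a device talking to the internet
    if s == d or GATEWAY in (s, d):
        return "ok"                  # same segment, or via the monitored gateway
    if CORE in (s, d):
        return "vertical-violation"  # device reaches core IT directly
    return "lateral-violation"       # device crosses into another IIoT segment

def audit(flows):
    """Return (verdict, src, dst, port) for every flow that breaks the plan."""
    findings = []
    for src, dst, port in flows:
        verdict = classify_flow(src, dst)
        if verdict != "ok":
            findings.append((verdict, src, dst, port))
    return findings

# Constructed flow records (src, dst, dst_port), e.g. exported from a firewall.
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.1.20", 1883),   # lateral, same segment
    ("10.10.1.15", "10.10.250.2", 8883),  # sensor to gateway
    ("10.10.250.2", "10.0.5.10", 443),    # gateway to core IT
    ("10.10.1.15", "10.10.2.40", 502),    # line A to line B
    ("10.10.3.7", "10.0.5.10", 1433),     # warehouse straight to core IT
    ("10.10.1.15", "203.0.113.9", 443),   # sensor to an outside address
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```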

Port management

Most devices come with open ports as standard. They’re designed to communicate, after all. But since these ports are known, they’re a favorite access point for hackers. Organizations should sweep their systems for open ports in devices that shouldn’t be communicating outside their local network, and close them. Local IIoT networks functioning primarily through lateral communication need not be connected to the internet at the device level; a separate layer should be used instead.
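The sweep described above only helps if its output is compared against what each device is supposed to expose. The following added example (not from the original post) parses sweep results in nmap's grepable output layout and reports ports to close; the role allowlist, asset register and scan text are constructed assumptions.

```python
import re

# Constructed policy (assumption): listening ports each device role may expose.
ALLOWED = {"camera": {554}, "plc": {502}, "sensor": {8883}}

# Constructed asset register (assumption) mapping addresses to roles.
ROLES = {"10.10.3.21": "camera", "10.10.1.5": "plc", "10.10.1.15": "sensor"}

# Constructed sample laid out like nmap grepable (-oG) output.
SCAN = (
    "Host: 10.10.3.21 ()\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 554/open/tcp//rtsp///\n"
    "Host: 10.10.1.5 ()\tPorts: 502/open/tcp//mbap///, "
    "8080/closed/tcp//http-proxy///\n"
    "Host: 10.10.1.15 ()\tPorts: 8883/open/tcp//secure-mqtt///\n"
    "Host: 10.10.1.99 ()\tPorts: 22/open/tcp//ssh///\n"
)

LINE = re.compile(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")

def open_ports(scan_text):
    """Map each scanned host to the set of ports reported as open."""
    result = {}
    for line in scan_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ports = set()
        for entry in m.group(2).split(", "):
            fields = entry.split("/")
            if len(fields) >= 2 and fields[1] == "open":
                ports.add(int(fields[0]))
        result[m.group(1)] = ports
    return result

def audit(scan_text):
    """Return findings for unregistered hosts and ports outside the role policy."""
    findings = {}
    for host, ports in open_ports(scan_text).items():
        role = ROLES.get(host)
        if role is None:
            findings[host] = ("unregistered-device", sorted(ports))
            continue
        extra = sorted(ports - ALLOWED[role])
        if extra:
            findings[host] = ("close-ports", extra)
    return findings

if __name__ == "__main__":
    for host, finding in audit(SCAN).items():
        print(host, finding)
```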

Endpoint access control

Authentication and authorization should be applied to access points and endpoints, to prevent their use as ingresses to the wider system.

Network security

IIoT networks should have the same security measures as other networks: firewalls, encryption, and intrusion detection systems.

Reinforce security at the application layer

IIoT attacks sometimes seek to leverage the computing power of connected devices, creating botnets that can go on to attack websites or even infrastructure. However, this isn’t the only form of attack. Often, access to the device network is a staging post for access to the core network and its applications; once web apps are compromised, malware and malicious actor presence can spread across the application layer between organizations. Solutions include:
  • Using a VPN to mask web traffic
  • Deliberately selecting plugins and software without known security vulnerabilities, and with good security reputations
  • Emphasizing security hygiene during the QA phase of application development, and during implementation

Work with reliable trusted partners

Carry out your IIoT implementation or application development with experienced, professional support. Look for partners with track records in the field, and make sure they regard security as a core concern rather than an afterthought. It’s always cheaper and safer to build something securely than to try to secure it afterward.

Managing evolving threats

IIoT networks are a lucrative target; as they’re integrated more into businesses, they become more attractive to bad actors. The result is another version of the same arms race we’ve already experienced between security and attackers on the internet. How can organizations keep up with emerging IIoT threats and ensure the safety of their networks into the future?

Updates from the security community

Where there is a security aspect to work, communities of researchers and practitioners form. These communities do vital deep research, but they also act as news centers, releasing information about urgent threats first. They’ll usually know what’s going on before the news media do, because in most cases, they’re the sources journalists get their stories from.

However, the IIoT security community is nebulous, and still in the process of forming. Where should companies look for up-to-date information? CISA, the Cybersecurity and Infrastructure Security Agency, has a recent announcement page. It’s worth checking daily for news on your industry or for the IoT tools you’re using. IIoT attacks don’t always come in predictable forms, so check up on the key cybersecurity outlets too: start with Kaspersky and Brian Krebs.

Testing and hardening

If you have the resources, carry out penetration tests on your IIoT network or hire a company to do it for you. IIoT security is typically quite poor, so you can improve performance above the norm and sharply reduce the likelihood of a successful attack. Where vulnerabilities have been discovered, work to make your network a harder target by addressing them.

Recovery planning

Disaster recovery isn’t limited to extreme weather events. It’s vital for the cybersecurity of your IIoT too. Look for two things: how you’ll cope while your network isn’t useable, and what you can do to get it operational again safely and quickly. There are often no true failovers for IIoT networks, so when things go wrong, no one knows what to do and the organization is starting from a dead stop. Don’t let this be you. Develop ways to alert your clients and suppliers, and to replace the most mission-critical elements of the network if needed. Depending on economic and technical factors it may even be worth duplicating crucial parts of the physical network so you can fail over to them in case of attack.

How AndPlus can help

At AndPlus, we’ve supported partners as they adopt IIoT across industries, verticals, and different levels of exposure to the new technology. We’ve created custom mobile applications for IIoT applications like building climate control, traffic modeling, and more. And we’ve developed secure, reliable software for our partners, then gone on to support them with installation, onboarding, and maintenance. If you’re looking for a way to enter the IIoT space securely and with confidence, or you’d like to threatproof your existing IIoT infrastructure, AndPlus can help.

Takeaways

  • Best practice is enough to give you an edge. Change passwords, update firmware, and manage endpoint access.
  • Segregate networks to prevent lateral and vertical spread that can have catastrophic consequences. Attack vectors are different for IIoT than for traditional networks, and while some of the same tools work, a different approach is needed.
  • IIoT networks that aren’t correctly configured and maintained present an irresistibly large and vulnerable attack surface.
  • IIoT decisions, from which devices to deploy to how to structure networks, should all be taken on the understanding: you will be attacked.

Written by Brian Geary

Brian is a true believer in the Agile process. He often assists the development process by performing the product owner role. In addition to his technical background, he is an experienced account manager with a background in design and marketing.