IIoT devices are often insecure, and networks are frequently configured to allow for rapid, easy deployment and communication. Security is typically an afterthought until something goes wrong, or isn’t addressed with the right approach and toolkit.
In this post, we’ll briefly cover what IIoT is and then assess the general threat situation. Then we’ll talk about specific IIoT threats, how to begin securing your IIoT networks, and what to look for in an IIoT security partner.
First, an introduction to the Industrial Internet of Things:
IIoT, the Industrial Internet of Things, consists of networks of connected devices that can receive and transmit data. They do this in two ways. First, some devices turn real-world information into digital data, such as weighing products or noting the arrival and departure of containers, while others turn digital instructions into real-world actions. Second, they transmit data both laterally (between each other) and vertically to and from centralized command centers. IIoT is being used to digitize production, warehousing, distribution, and retail.
IoT is a general description of networks of connected devices. IIoT is a specific type of IoT, where the focus is on industrial applications such as production in factories or distribution in warehouses. That contrasts with the most common IoT applications, which are for virtual assistants and cameras in homes.
IIoT devices and networks have different requirements, operate in a different environment, and aim to achieve different goals than consumer-level IoT tools.
Typically, IoT devices operate as part of small local networks: think of smart thermostats or doorbell cameras. They connect via an internet connection to back-end control systems, but don’t connect to many other devices in the home.
IIoT devices often connect to large numbers of other devices locally, using technology such as BLE (Bluetooth Low Energy) communication. Thus, the networks present a very different security environment. Since they are part of systems designed to create value (as part of a business) rather than home or leisure applications for consumers, they are also much more tempting targets.
The IIoT security situation is changing very rapidly as new IIoT implementations come online, new use cases are explored, and networks grow and interlock. Gartner’s research director, Jenny Beresford, warned that: ‘The IoT will expand rapidly and extensively, continually surfacing novel and unforeseen opportunities and threats.’ That’s even truer of the IIoT.
Connected devices are targets, local networks are targets, and the controlling IT networks that lie behind the IIoT network are particularly tempting targets. As Martin Geiss warned Control Engineering’s readers in 2021, ‘any device… can be hacked.’ The majority of traffic across IIoT networks — as much as 98% — is unencrypted, meaning it can be ‘sniffed’ with minimal equipment and injection attacks are possible. 57% of devices are vulnerable to medium- or high-severity attacks.
IIoT suffers from some specific threat types, including:
Many IIoT devices are insecure. Bought and deployed in bulk, they’re often running unpatched operating systems and firmware that hasn’t been updated. In many cases they’re using the default login credentials, meaning hacking them is trivially easy.
When one device is hacked, the attackers can gain control of large numbers of devices if those devices are allowed to communicate with each other laterally. That lateral communication becomes a vector that lets attackers seize control of every device connected to that segment of the network.
Worse, such attacks can give attackers an easy route into the organization’s core IT network. Core IT networks are connected to the IIoT device networks, but they should be segregated and firewalled. When they’re not, the whole network — including databases, financial and productivity tools and personal information on customers and staff — is only as secure as the least secure IIoT device.
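The three weaknesses just described (default credentials, stale firmware, and a device VLAN that can initiate connections into core IT) can be checked mechanically. The script below is an added example, not code from the original post: the inventory, default-credential list and firewall rule sets are constructed sample data, and the first-match rule evaluator stands in for whatever firewall policy format your site actually uses.

```python
"""Audit a constructed IIoT inventory for default credentials, stale firmware,
and a firewall policy that lets the device VLAN reach core IT."""
from datetime import date

# Constructed sample inventory; hostnames, credentials and dates are made up.
INVENTORY = [
    {"host": "scale-01", "user": "admin", "password": "admin", "firmware_date": date(2019, 3, 1)},
    {"host": "plc-07", "user": "operator", "password": "Xk9!v2q", "firmware_date": date(2023, 11, 20)},
    {"host": "cam-12", "user": "root", "password": "root", "firmware_date": date(2018, 6, 5)},
]

# Constructed default-credential list; a real audit would load the vendor's published list.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

# Constructed rule sets as (src_vlan, dst_vlan, action), evaluated first match wins.
# The weak set ends in a catch-all allow, so devices can initiate into core IT.
WEAK_RULES = [("iiot", "iiot", "allow"), ("it-core", "iiot", "allow"), ("any", "any", "allow")]
# The hardened set denies device-to-core traffic explicitly and has no catch-all allow.
HARDENED_RULES = [("iiot", "iiot", "allow"), ("it-core", "iiot", "allow"), ("iiot", "it-core", "deny")]


def default_credential_hosts(inventory, defaults=DEFAULT_CREDS):
    """Hosts still using a (user, password) pair from the default list."""
    return sorted(d["host"] for d in inventory if (d["user"], d["password"]) in defaults)


def stale_firmware_hosts(inventory, today, max_age_days=365):
    """Hosts whose firmware is older than max_age_days as of 'today'."""
    return sorted(d["host"] for d in inventory if (today - d["firmware_date"]).days > max_age_days)


def can_reach(rules, src, dst):
    """First-match evaluation of a rule list; anything unmatched is denied."""
    for r_src, r_dst, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any"):
            return action == "allow"
    return False


def audit(inventory, rules, today):
    """Summarise the three findings for one site."""
    return {
        "default_creds": default_credential_hosts(inventory),
        "stale_firmware": stale_firmware_hosts(inventory, today),
        "devices_reach_core_it": can_reach(rules, "iiot", "it-core"),
    }


if __name__ == "__main__":
    print("weak policy:    ", audit(INVENTORY, WEAK_RULES, date(2024, 6, 1)))
    print("hardened policy:", audit(INVENTORY, HARDENED_RULES, date(2024, 6, 1)))
```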
The SolarWinds attack deserves attention for three reasons. First, it was carried out by a nation state rather than by smaller, less-organized threat actors. Second, it was an attack on a target that few people think about when they discuss IIoT: the application layer that actually controls an IIoT implementation. And third, the attack exposed the degree of vulnerability introduced into global systems by insufficient attention to IIoT security.
SolarWinds had developed a software tool whose end users included departments of the US government and numerous major private companies. When SolarWinds’ software was attacked by agents of the Russian state, they gained access to thousands of organizations; while only a few eventually received malicious payloads, and the eventual insured damage was estimated at around $90 million, the potential was there for a much more disruptive attack. Targets of the SolarWinds attack included a nuclear stockade, as well as companies like Microsoft.
The most famous botnet attack to date was 2016’s Mirai/Dyn attack, a DDoS (Distributed Denial of Service) attack launched from a botnet assembled by the Mirai malware. Mirai infected computers, then caused them to continually search the internet looking for connected devices. When it found them, it connected to them with default passwords and usernames, then infected them. Most of these devices were security cameras, which are among the least secure devices in most businesses; they’re often ignored by IT and treated simply as cameras, but they can offer hackers entry to your whole IT system.
The network of infected devices so assembled was used to send huge numbers of requests to selected websites, including the Guardian newspaper and the website of cybersecurity expert Brian Krebs.
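The Mirai recruitment pattern described above, a single source trying a handful of default usernames against a device in quick succession and then logging in, leaves a recognisable trace in the device's authentication log. The detector below is an added example, not code from the original post: the syslog-style lines, hostnames and TEST-NET addresses are constructed, and the log format is an assumption about what a telnet daemon might emit.

```python
"""Flag Mirai-style default-credential sweeps in constructed device auth logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape: "<syslog time> <host> telnetd: login failed|ok for user '<u>' from <ip>"
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) telnetd: login (failed|ok) for user '([^']*)' from (\S+)$")

# Constructed sample log (TEST-NET addresses), not a real capture.
SAMPLE_LOG = """\
Jun  1 12:00:01 cam-12 telnetd: login failed for user 'root' from 203.0.113.5
Jun  1 12:00:02 cam-12 telnetd: login failed for user 'admin' from 203.0.113.5
Jun  1 12:00:03 cam-12 telnetd: login failed for user 'support' from 203.0.113.5
Jun  1 12:00:04 cam-12 telnetd: login failed for user 'user' from 203.0.113.5
Jun  1 12:00:05 cam-12 telnetd: login ok for user 'admin' from 203.0.113.5
Jun  1 12:03:10 cam-12 telnetd: login failed for user 'jsmith' from 198.51.100.7
Jun  1 12:03:40 cam-12 telnetd: login ok for user 'jsmith' from 198.51.100.7
"""


def parse(text, year=2024):
    """Parse matching lines into events; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            events.append({"ts": ts, "host": m.group(2), "ok": m.group(3) == "ok",
                           "user": m.group(4), "src": m.group(5)})
    return events


def detect_sweeps(events, window_s=60, min_fail=3, min_users=3):
    """Alert when one source fails min_fail logins with min_users distinct usernames
    on one host inside window_s seconds; record whether a login then succeeded."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in by_pair.items():
        fails = [e for e in evs if not e["ok"]]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(burst) >= min_fail and len({e["user"] for e in burst}) >= min_users:
                succeeded = any(e["ok"] and e["ts"] >= burst[-1]["ts"] for e in evs)
                alerts.append({"src": src, "host": host, "attempts": len(burst), "succeeded": succeeded})
                break  # one alert per source/host pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(parse(SAMPLE_LOG)):
        print(a)
```

A single user mistyping a password (the second source) never trips the username-diversity threshold, which is what separates a sweep from ordinary login noise.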
Ransomware attacks typically hold companies to ransom for their networks. An office’s PCs might stop working until a certain number of Bitcoin is handed over, for instance. In the IIoT, that might mean stopping production, cutting refrigeration to warehousing, or halting transportation. In a world defined by agile, just-in-time supply chains, this can be hugely damaging, rippling out across the economy. Handling the ransomware request can cause regulatory and other problems, while companies can hardly afford to refuse.
Meanwhile, ransomware attacks are evolving, often using more sophisticated tactics and maintaining a network presence after being paid in order to do further harms later. They might also steal data from a company, which in some cases can represent a catastrophic loss and bring its own regulatory issues.
Where there is a security aspect to work, communities of researchers and practitioners form. These communities do vital deep research, but they also act as news centers, releasing information about urgent threats first. They’ll usually know what’s going on before the news media do, because in most cases they’re the sources journalists get their stories from.
However, the IIoT security community is nebulous, and still in the process of forming. Where should companies look for up-to-date information? CISA, the Cybersecurity and Infrastructure Security Agency, has a recent announcement page. It’s worth checking daily for news on your industry or for the IoT tools you’re using. IIoT attacks don’t always come in predictable forms, so check up on the key cybersecurity outlets too: start with Kaspersky and Brian Krebs.
Disaster recovery isn’t limited to extreme weather events. It’s vital for the cybersecurity of your IIoT too. Look for two things: how you’ll cope while your network isn’t usable, and what you can do to get it operational again safely and quickly. There are often no true failovers for IIoT networks, so when things go wrong, no one knows what to do and the organization is starting from a dead stop. Don’t let this be you. Develop ways to alert your clients and suppliers, and to replace the most mission-critical elements of the network if needed. Depending on economic and technical factors, it may even be worth duplicating crucial parts of the physical network so you can fail over to them in case of attack.