
Practical Industrial Internet of Things Security

By : Sravani Bhattacharjee

Overview of this book

Securing connected industries and autonomous systems is of primary concern to the Industrial Internet of Things (IIoT) community. Unlike cybersecurity, cyber-physical security directly ties to system reliability as well as human and environmental safety. This hands-on guide begins by establishing the foundational concepts of IIoT security with the help of real-world case studies, threat models, and reference architectures. You’ll work with practical tools to design risk-based security controls for industrial use cases and gain practical knowledge of multi-layered defense techniques, including identity and access management (IAM), endpoint security, and communication infrastructure. You’ll also understand how to secure IIoT lifecycle processes, standardization, and governance. In the concluding chapters, you’ll explore the design and implementation of resilient connected systems with emerging technologies such as blockchain, artificial intelligence, and machine learning. By the end of this book, you’ll be equipped with all the knowledge required to design industry-standard IoT systems confidently.
Industrial threats, vulnerabilities, and risk factors


As we saw in the previous section, any discussion of IIoT security needs to factor in the pillars of information assurance (IA), in addition to physical safety and resiliency. In IIoT, the confidentiality and integrity of data are as relevant as the resiliency of controls and the safety of physical assets and people. In this context, let's define the pillars of IIoT security as follows:

  • Confidentiality: Protecting sensitive information from disclosure and maintaining data privacy
  • Integrity: Information is not modified, accidentally or purposefully, without being detected
  • Authentication: Ensuring that data is accessed only by known entities, and that the data itself originates from a known identity or endpoint (this generally follows identification)
  • Non-repudiation: Ensuring that an individual or system cannot later deny having performed an action
  • Availability: Ensuring that information is available when needed

In addition to these pillars, the disciplines of resiliency and safety are defined as:

  • Resilience: Ensuring the industrial control system maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature
  • Safety: Ensuring that, in the event of an attack, the affected system does not cause injury, harm, or damage to people or the environment

On the foundation of these tenets of IIoT security, let's examine the typical threats, vulnerabilities, and risk factors that are pertinent to connected industrial systems.

Threats and threat actors

A threat can be defined as the potential for an exploit against a given system. Threat actors are the adversaries who trigger or inflict the exploit. In the case of an industrial system, such as a wind turbine, the source of a threat could be either natural or man-made.

In the IIoT context, threats affect both the information and physical domains. The privacy and integrity of machine data—both control and payload—can be targeted. Unauthorized access to, and manipulation of, IoT platforms, software, and firmware are also potential threats. At the same time, IoT devices and control systems are exposed to physical reliability, resilience, and safety threats: control system transfer functions, state estimation filters, sensing, feedback loops, and so on can all be targeted by malicious players. For example, manipulating a sensor/actuator system can cause a control valve to release dangerous quantities of chemicals that may damage the immediate environment or an interdependent system.

There is no silver bullet for industrial security, even though some vendors lay claim to one. The adoption of digital technologies exposes new types of attack vectors and new attack surfaces. A practical approach to IIoT security is a defense in depth strategy, wherein each additional defense mechanism raises the cost and effort required of the attacker.

Defense in depth (also known as the Castle Approach) is a concept from IA in which multiple layers of security controls (defenses) are placed throughout the architecture to be protected. Its intent is to provide redundancy, so that if any one security control fails or a vulnerability is exploited, the system is still protected by the remaining layers. These defenses can cover personnel, procedural, technical, and physical security for the duration of the system's life cycle. For any specific use case, system architects need to consider how data flows and how to secure that flow. Determining which data is important and needs protection within a given context is equally vital.

Threat actors, in the case of IIoT systems, include:

  • Cyberattackers: The sophistication of attacks is growing worldwide, and the monetary gains available through the dark web are also on the rise. Even where no monetary gain is involved, a cyberattacker may spy, spoof, inject malware, or launch a DDoS attack.
  • Bot-network operators: These actors launch coordinated attacks to distribute phishing schemes, spam, and malware, leading to DDoS or ransomware attacks.
  • Criminal and terrorist groups: Nation state actors, international corporate spies, and organized crime groups also pose a threat. They could take control of processes, identities, and so on, and are often motivated by geopolitical interests.
  • Insiders: Exploits from insiders can be both intentional and unintentional. While disgruntled insiders can be threat actors causing serious damage, careless use of Wi-Fi, Ethernet and USB ports or BYOD devices can also unintentionally introduce a malicious event. In fact, unintentional human error contributes to a high percentage of incidents in enterprises.

Other threat actors include phishers, spammers, malware/spyware authors, industrial spies, and so on.

Vulnerabilities

Vulnerabilities are the software and hardware weaknesses inherent in a system that can expose it to threats. A system's vulnerabilities can be the outcome of how it was designed, implemented, tested, or operated. While vulnerabilities are unavoidable, proper assessment and proactive remediation techniques need to be employed to combat them.

A vulnerability in any part of the deployment can be subject to an exploit, and experienced cyberattackers are well aware of the likely weak points. This makes the attack surface complex and difficult to defend. In subsequent chapters, IIoT security strategies and countermeasures will deal with this topic in greater depth.

The following subsections contain a categorized list of common vulnerabilities that are applicable to any cyber-physical IoT security plan (NIST-800-82r2).

Policy and procedure vulnerabilities

The following is a list that gives some insight into policy and procedure vulnerabilities:

  • Inadequate ICS security policy
  • Lack of formal ICS security training and awareness program
  • Inadequate security architecture and design
  • Lack of documented security procedures that have been developed based on ICS security policy
  • Absent or deficient ICS equipment implementation guidelines
  • Lack of administrative mechanisms for security enforcement

Platform vulnerabilities

The following is a list that gives some insight into platform vulnerabilities:

  • OS and vendor software patches may not be developed until after security vulnerabilities are found
  • OS and application security patches are not maintained
  • OS and application security patches are implemented without exhaustive testing
  • Critical configurations are not stored or backed up
  • Inadequate authentication and authorization, inadequate testing of security changes
  • Inadequate physical protection (location, unauthorized access) for critical systems
  • Insecure remote access on ICS components
  • Lack of redundancy for critical components

Software platform vulnerabilities

The following is a list that gives some insight into software platform vulnerabilities:

  • Buffer overflows in platform software
  • Installed security capabilities not enabled by default
  • Susceptibility to Denial of Service (DoS)
  • Lack of password encryption
  • Mishandling of undefined, poorly defined, or "illegal" conditions
  • Malware detection/prevention software not installed
  • Lack of sandboxing
  • Inadequate authentication and access control for configuration and programming software
  • Intrusion detection/prevention software not deployed
  • Insufficient logging, so that incidents go undetected

Network vulnerabilities

The following list covers the main network vulnerabilities:

  • Vulnerable legacy protocols with insufficient security capabilities
  • Weak network security architecture
  • Network device configurations not stored or backed up
  • Unencrypted passwords, lack of password expiration policies
  • Inadequate access controls applied
  • Inadequate physical protection of network equipment
  • Unsecured physical ports
  • Non-critical personnel have access to equipment and network connections
  • Lack of redundancy for critical networks
  • No security perimeter defined, firewalls not used adequately, and control networks used for non-control traffic
  • Lack of integrity checking for communications
  • Inadequate data protection between clients and access points

Figure 1.11: The flow sequence of threat and risk assessment; Source: Practical IoT Security Book, Packt Publishing
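Two of the network items above, vulnerable legacy protocols and the lack of integrity checking for communications, are easiest to appreciate on the wire. The following Python example is added here for illustration and is not code from the book: it builds and parses a Modbus/TCP Write Single Register request (the real frame layout: a 7-byte MBAP header followed by the PDU), shows that an on-path attacker can rewrite the register value without the receiver being able to notice, and then wraps the same frame in an HMAC envelope to show what an integrity check would catch. The HMAC envelope, the shared key and the "valve setpoint" register address are assumptions for the demonstration; they are not part of the Modbus protocol.

```python
import hashlib
import hmac
import struct

# Modbus/TCP carries no authentication or integrity field; the MBAP header
# plus the PDU is everything on the wire. Big-endian layout:
#   transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
#   | function code (1) | function-specific data ...
# For function 0x06 (Write Single Register) the data is
#   register address (2) | register value (2)
MBAP = struct.Struct(">HHHB")
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for the assumed HMAC envelope


def build_write_single_register(transaction_id, unit_id, address, value):
    """Build a Modbus/TCP Write Single Register (0x06) request frame."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    header = MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id)  # length counts unit id + PDU
    return header + pdu


def parse_modbus_tcp(frame):
    """Parse the MBAP header and a 0x06 PDU. Raises ValueError on malformed frames.

    Note what is NOT checked: there is no sender identity and no integrity tag,
    because the protocol has none. A well-formed forged frame parses just fine.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("not Modbus/TCP (protocol id must be 0)")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    fc = frame[7]
    if fc == 0x06:
        address, value = struct.unpack_from(">HH", frame, 8)
        return {"tid": tid, "unit": unit, "fc": fc, "address": address, "value": value}
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:]}


def is_valid_frame(frame):
    """True if the frame is structurally valid Modbus/TCP (nothing more)."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def tamper(frame, new_value):
    """Simulate an on-path attacker rewriting the register value (bytes 10-11 of a 0x06 frame)."""
    return frame[:10] + struct.pack(">H", new_value)


def protect(frame, key):
    """Assumed integrity envelope: frame || HMAC-SHA256(key, frame). Not part of Modbus."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def verify(envelope, key):
    """Return the inner frame if the tag checks out, else None."""
    if len(envelope) < TAG_LEN:
        return None
    frame, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return frame


# Constructed sample: the HMI tells unit 1 to set the (assumed) valve setpoint
# register 0x0010 to 30 percent; the attacker rewrites it to 100 percent.
KEY = b"constructed-demo-key"          # assumed pre-shared key for the envelope
GENUINE = build_write_single_register(0x0001, 1, 0x0010, 30)
FORGED = tamper(GENUINE, 100)


def demo():
    """(value the PLC would act on, genuine envelope verifies, forged envelope verifies)."""
    accepted_value = parse_modbus_tcp(FORGED)["value"]   # 100: nothing in the frame detects the change
    sealed = protect(GENUINE, KEY)
    forged_sealed = FORGED + sealed[-TAG_LEN:]           # attacker keeps the old tag, changes the body
    return accepted_value, verify(sealed, KEY) == GENUINE, verify(forged_sealed, KEY)


if __name__ == "__main__":
    print("genuine:", parse_modbus_tcp(GENUINE))
    print("forged: ", parse_modbus_tcp(FORGED))
    print("demo:   ", demo())
```

Because the genuine and forged frames are equally well-formed, parse_modbus_tcp cannot tell them apart; only the integrity tag catches the change, and that is exactly the capability the legacy protocol lacks. In practice this gap is closed by tunnelling Modbus over TLS (the Modbus/TCP Security specification) or by segmenting the control network so that untrusted hosts cannot reach the PLC at all. The envelope shown here also has no replay protection, so a real design would additionally bind a counter or nonce into the tag.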

Risks

Risk can be defined as the probability of a successful exploit combined with the loss that follows it. While a security vulnerability is innate to a platform, risk refers to the chance of that vulnerability being exploited to cause the anticipated damage. For example, an industrial computer used to process accounting data may be running an application with known authentication and remote access control defects. If this computer is air-gapped, the risk associated with these defects is almost negligible (though, as the insider discussion above notes, USB media and BYOD devices can still bridge an air gap). When it is connected to the internet, however, the associated risk increases by a great degree (IOT-SEC).

Risks can be managed using threat modeling (described in Chapter 2, Industrial IoT Dataflow and Security Architecture), which helps to ascertain the possible exposure, impact, and overall cost associated with an exploit. It also helps to estimate how valuable the exposure is to attackers, the skill level needed to launch the attack, and so on. Risk management practices then allow mitigation strategies to be deployed proactively.
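The following Python sketch is an added example, not code from the book, of the definition just given: risk as the likelihood of a successful exploit times the loss that follows, where likelihood depends on how exposed the asset is and on whether the attacker has the skill the vulnerability demands. It reproduces the accounting-computer case above (the same defect scored once air-gapped and once internet-facing) next to a plant-network PLC. The exposure multipliers, exploitability scores, skill levels and impact figures are illustrative assumptions, not values from any standard.

```python
from dataclasses import dataclass

# Illustrative exposure multipliers: how reachable an asset is to a remote
# attacker. Assumed values for this example, not figures from any standard.
EXPOSURE = {"air-gapped": 0.02, "plant-network": 0.3, "internet": 1.0}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitability: float   # 0..1: chance a capable attempt succeeds once the asset is reachable
    skill_required: int     # 1 (point-and-click tooling) .. 5 (expert, custom research)


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str           # key into EXPOSURE
    impact: float           # loss if compromised (currency units, including safety/downtime costs)
    vulns: tuple            # tuple of Vulnerability


def likelihood(vuln, asset, attacker_skill):
    """Probability of a successful exploit for one attacker profile."""
    if attacker_skill < vuln.skill_required:
        return 0.0          # this attacker cannot pull the exploit off at all
    return vuln.exploitability * EXPOSURE[asset.exposure]


def risk(vuln, asset, attacker_skill):
    """Risk = likelihood of exploit * loss that follows."""
    return likelihood(vuln, asset, attacker_skill) * asset.impact


def risk_register(assets, attacker_skill):
    """Rank every (asset, vulnerability) pair by risk, highest first."""
    rows = [(a.name, v.name, round(risk(v, a, attacker_skill), 2))
            for a in assets for v in a.vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample inventory. The accounting application with known
# authentication and remote-access defects is scored in both network positions.
AUTH_DEFECT = Vulnerability("weak authentication / remote access", exploitability=0.8, skill_required=2)
LEGACY_PROTO = Vulnerability("unauthenticated legacy protocol", exploitability=0.9, skill_required=3)

ACCOUNTING_PC_ISOLATED = Asset("accounting PC (air-gapped)", "air-gapped", 50_000, (AUTH_DEFECT,))
ACCOUNTING_PC_ONLINE = Asset("accounting PC (internet)", "internet", 50_000, (AUTH_DEFECT,))
VALVE_PLC = Asset("chemical valve PLC", "plant-network", 2_000_000, (LEGACY_PROTO,))

ASSETS = (ACCOUNTING_PC_ISOLATED, ACCOUNTING_PC_ONLINE, VALVE_PLC)


if __name__ == "__main__":
    # A moderately skilled attacker (skill 3) reaches every vulnerability in the sample.
    for name, vuln, score in risk_register(ASSETS, attacker_skill=3):
        print(f"{score:>14,.2f}  {name:<28} {vuln}")
```

The same defect scores fifty times higher on the internet-facing machine than on the air-gapped one purely because of the exposure term, which is the point of the text's example. Lowering the attacker profile to skill 2 drops the PLC's risk to zero, showing why the attacker-capability estimate in threat modeling matters as much as the vulnerability itself; a real register would also carry the cost of each mitigation so that the ranking can be compared against the cost of fixing it.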

Some examples of ICS risks that have been introduced by brownfield IoT deployments are:

  • The adoption of open-standard protocols and technologies with known vulnerabilities
  • The connectivity of the control systems to external networks and data centers
  • Insecure and rogue connections
  • Widespread availability of technical information about control systems