Practical Industrial Internet of Things Security

By: Sravani Bhattacharjee
Overview of this book

Securing connected industries and autonomous systems is of primary concern to the Industrial Internet of Things (IIoT) community. Unlike cybersecurity, cyber-physical security directly ties to system reliability as well as human and environmental safety. This hands-on guide begins by establishing the foundational concepts of IIoT security with the help of real-world case studies, threat models, and reference architectures. You'll work with practical tools to design risk-based security controls for industrial use cases and gain practical knowledge of multi-layered defense techniques, including identity and access management (IAM), endpoint security, and communication infrastructure. You'll also understand how to secure IIoT lifecycle processes, standardization, and governance. In the concluding chapters, you'll explore the design and implementation of resilient connected systems with emerging technologies such as blockchain, artificial intelligence, and machine learning. By the end of this book, you'll be equipped with all the knowledge required to design industry-standard IoT systems confidently.

Divergence in IT and OT security fundamentals

In order to effectively comprehend the scope of IIoT security, we need to keep the divergent operational dynamics and priorities of IT and OT in perspective, mainly those that have evolved over the past decades. This divergence impacts the approach to security as well. The adoption of standards-based IT technologies in OT environments necessitates the adoption of IT security best practices too. However, these practices must preserve, if not enhance, the safety and reliability capabilities of industrial systems and their ability to protect physical assets and processes. These distinguishing characteristics render IIoT security a considerably challenging feat that we must achieve.

Operational priorities

The following diagram illustrates a side-by-side comparison of priorities in IT and OT environments in the context of securing operations:

Figure 1.9: Divergent priorities of IT and OT

In the case of securing ICS and SCADA networks, the protection of the plant, people, and processes takes precedence. Industrial controls involve engineered processes (for example, the opening/closing of valves, turning energy levels higher/lower, and so on). These controls and commands must function in a deterministic fashion. Thus, although industrial controls are not technically integral to a security framework, security measures must align with industrial control requirements.

In IT networks, it may suffice to inspect network layer traffic, but to secure OT environments, industrial firewalls are expected to perform deep-packet inspection to monitor and analyze actual commands in the application layer.
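The following is an added example (not code from the book) of what "inspecting actual commands in the application layer" means in practice. It assumes Modbus/TCP as the industrial protocol, a public specification whose function codes are listed in the code; the policy values (engineering-host IP, writable register range) and the sample frames are constructed for the demonstration. A network-layer firewall sees only "TCP/502 from host A to PLC B"; the inspector below decodes the MBAP header and PDU, and then decides based on the function code (read versus write versus diagnostics), the source host and the target register, which is the decision an industrial firewall needs to make.

```python
"""Application-layer inspection of Modbus/TCP requests (added example)."""
import struct
from dataclasses import dataclass

# Public Modbus function codes relevant to this demo.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Writes and diagnostics change device state, so they are privileged here.
PRIVILEGED_FUNCTIONS = WRITE_FUNCTIONS | {8}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    first_field: int      # start address for read/write codes, sub-function for code 8
    payload: bytes


@dataclass(frozen=True)
class Policy:
    write_allowed_hosts: frozenset  # hosts permitted to change device state
    writable_range: range           # register/coil addresses writers may touch


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode MBAP header (7 bytes) + PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not Modbus (expected 0)")
    # MBAP length counts the unit id byte plus the PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    first = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
    return ModbusRequest(tid, unit, fc, first, data)


def inspect(src_ip: str, frame: bytes, policy: Policy) -> tuple:
    """Return (verdict, reason); verdict is "allow", "deny" or "malformed"."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("malformed", str(exc))
    name = FUNCTION_NAMES.get(req.function_code)
    if name is None:
        return ("deny", f"unsupported function code {req.function_code}")
    if req.function_code in PRIVILEGED_FUNCTIONS and src_ip not in policy.write_allowed_hosts:
        return ("deny", f"{name} from non-engineering host {src_ip}")
    if req.function_code in WRITE_FUNCTIONS and req.first_field not in policy.writable_range:
        return ("deny", f"{name} to address {req.first_field} outside writable range")
    return ("allow", name)


def build_frame(tid: int, unit: int, fc: int, *fields: int) -> bytes:
    """Build a Modbus/TCP request from 16-bit fields (constructed test input)."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: only the engineering workstation may write, and only to 0-199.
POLICY = Policy(write_allowed_hosts=frozenset({"10.0.1.10"}), writable_range=range(0, 200))

if __name__ == "__main__":
    samples = [
        ("10.0.2.5", build_frame(1, 1, 3, 0, 10)),        # HMI reads 10 holding registers
        ("10.0.2.5", build_frame(2, 1, 6, 100, 1)),       # HMI tries to write register 100
        ("10.0.1.10", build_frame(3, 1, 6, 100, 1)),      # engineering host writes register 100
        ("10.0.1.10", build_frame(4, 1, 5, 500, 0xFF00)), # engineering host writes coil 500
        ("10.0.2.5", b"\x00\x01\x00\x00"),                # truncated frame
    ]
    for src, frame in samples:
        print(src, inspect(src, frame, POLICY))
```

All five sample frames share the same TCP 5-tuple shape, so a port-based rule would either allow or block all of them; only decoding the PDU separates the routine read from the unauthorized write and the malformed frame.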

The availability of OT systems and infrastructure comes next in order of priority. With the introduction of data-centric models and the Internet of Things, data integrity is arguably more important than availability in certain use cases.

In IT environments, data confidentiality, integrity, and system availability are the main priorities (not necessarily in any particular order, as in some use cases, system availability takes precedence over confidentiality).

Attack surface and threat actors

Attack surfaces differ considerably in IT and OT environments. IT is characterized by ever-evolving and intertwined technology stacks, which makes the attack surface rather fluid and dynamic. IT data traffic is primarily hierarchical, north-south bound. The IT cybersecurity approach is usually threat-based, constantly plugging holes for new malware and viruses. The threat actors in IT typically target monetary gains and, as such, range from minor players to large, organized cybercriminal groups.

In the case of OT, although the processes and controls are deterministic, the attack surfaces can be vast and scary. Their diverse deployments foster several avenues of intentional and unintentional cyber incidents. An attack surface in the case of OT is laterally spread, as there is not much traffic traversing north-south across the DMZ. OT cyber threats involve a completely different type of adversary. Threat actors in the case of ICS are usually not after money, and often involve nation state actors whose prime motivation is to inflict large-scale disruption in business, national, or political arenas.

The following diagram illustrates the diverse attack surfaces in a typical industrial use case:

Figure 1.10: Attack surfaces in IT and OT domains


Interdependence of critical infrastructures

Industrial systems are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. This dependency often leads to the interplay of more than one organization or business entity.

In the case of critical infrastructure, this collaborative model is often referred to as a system of systems. The Industrial Internet and Industrie 4.0 further enhance this concept, as IIoT solutions typically involve multiple technologies, systems, and ecosystem collaborators. A failure in any one part of the system of systems can directly or indirectly cascade into other connected systems, thereby intensifying the consequences.

Consider the example of an electric power transmission SCADA system, where a cascading failure can be initiated by disrupting the wireless communications network. In the absence of adequate monitoring and recovery capabilities, such failures could take one or more generating units offline. This event can, in turn, lead to the loss of power at a transmission substation, which could subsequently cause a major imbalance, triggering a cascading failure across the power grid. This would ultimately result in large-scale blackouts and could potentially impact dependent operations such as oil and natural gas production, refinery operations, water treatment systems, wastewater collection systems, pipeline transport systems, and so on, which rely on the grid for electric power.
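The cascade described above can be made concrete with a small dependency model. This is an added example, not from the book: the graph below is constructed from the chain in the text (wireless communications, SCADA monitoring, generating units, substation, grid, dependent operations), and the "resilient" set stands in for the monitoring and recovery capabilities that the text says would stop the failure from propagating. The ranking function goes one step beyond the text: it scores every node by the size of the cascade its failure would trigger, which is a way to decide where redundancy is worth adding first.

```python
"""Cascading-failure propagation over an interdependence graph (added example)."""
from collections import deque

# Constructed model: each key requires every element of its value set to function.
DEPENDENCIES = {
    "wireless_comms": set(),
    "scada_monitoring": {"wireless_comms"},
    "generating_units": {"scada_monitoring"},
    "transmission_substation": {"generating_units"},
    "power_grid": {"transmission_substation"},
    "refinery": {"power_grid"},
    "water_treatment": {"power_grid"},
    "pipeline_transport": {"power_grid"},
}


def dependents_of(deps: dict) -> dict:
    """Invert the graph: node -> set of nodes that depend on it."""
    rev = {node: set() for node in deps}
    for node, needs in deps.items():
        for need in needs:
            rev[need].add(node)
    return rev


def cascade(deps: dict, initial_failures, resilient=frozenset()) -> set:
    """Return every node that ends up failed after propagation.

    A node fails when any dependency fails, unless it is in `resilient`
    (simplified model: a backup link or local fallback lets it ride through
    the loss, so propagation stops there).
    """
    rev = dependents_of(deps)
    failed = set(initial_failures)
    queue = deque(initial_failures)
    while queue:
        node = queue.popleft()
        for dependent in rev[node]:
            if dependent in failed or dependent in resilient:
                continue
            failed.add(dependent)
            queue.append(dependent)
    return failed


def rank_by_impact(deps: dict, resilient=frozenset()) -> list:
    """Rank nodes by how many nodes (itself included) fail if they fail alone."""
    scores = [(node, len(cascade(deps, {node}, resilient))) for node in deps]
    return sorted(scores, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("no safeguards:", sorted(cascade(DEPENDENCIES, {"wireless_comms"})))
    print("with resilient SCADA monitoring:",
          sorted(cascade(DEPENDENCIES, {"wireless_comms"},
                         resilient=frozenset({"scada_monitoring"}))))
    for node, size in rank_by_impact(DEPENDENCIES):
        print(f"{node:24s} cascade size {size}")
```

In the unmitigated run the loss of a single communications link takes down all eight nodes; marking SCADA monitoring as resilient (backup communications plus recovery procedures) confines the failure to the link itself, which is the point the text makes about adequate monitoring and recovery.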

The following table summarizes the divergent characteristics of IT and ICS security (in a pre-IIoT context) (NIST-800-82r2). Each category is listed with the IT system characteristic followed by the ICS/OT technology system characteristic:

Performance requirements
  IT system: High throughput and typically less deterministic. Latency and jitter are acceptable in the majority of use cases.
  ICS/OT system: Deterministic industrial control loops require real-time performance with low latency and jitter. Modest throughput is acceptable.

Availability requirements
  IT system: Availability deficiencies (for example, reboot, power cycle) can often be tolerated, depending on the system's operational requirements.
  ICS/OT system: Responses such as rebooting may not be acceptable because of process availability requirements. Availability requirements may necessitate redundant systems. Outages must be planned and scheduled days/weeks in advance. High availability requires exhaustive pre-deployment testing.

Risk management requirements
  IT system: Data confidentiality and integrity are paramount. Fault tolerance is less important, and momentary downtime is not a major risk. A major risk impact is the delaying of business operations.
  ICS/OT system: Human and environmental safety are paramount, followed by protection of the processes and other physical assets. Fault tolerance is essential; even momentary downtime may not be acceptable. Major risk impacts are regulatory noncompliance, environmental impacts, and loss of life, equipment, or production.

Security architecture focus
  IT system: Primary focus is protecting the IT assets, and the information stored on or transmitted between these assets.
  ICS/OT system: Primary focus is the protection of humans/environment and physical assets, for example, plant equipment, field devices, process controllers, supervisory servers, and so on.

Unintended consequences
  IT system: Security solutions are designed around typical IT systems.
  ICS/OT system: Security tools must be tested (for example, offline on a comparable ICS) to ensure that they do not compromise normal ICS operation.

Time-critical interaction
  IT system: Tightly restricted access control can be implemented to the degree necessary for security.
  ICS/OT system: Response to emergency interaction is critical. Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interaction.

System operation
  IT system: Systems are designed for use with typical operating systems. Upgrades are straightforward with the availability of automated deployment tools.
  ICS/OT system: Proprietary operating systems, often without security and upgrade capabilities. Specialized control algorithms, software, and hardware require updates to be carefully made, usually by software vendors.

Resource constraints
  IT system: Systems are specified with enough resources to support the addition of third-party applications such as security solutions.
  ICS/OT system: Systems are designed to support the intended industrial process and may not have enough memory and computing resources to support third-party cybersecurity solutions. Additionally, in some instances, third-party security solutions are not allowed due to vendor license and service agreements, and a loss of service support can occur if third-party applications are installed.

Communications
  IT system: Standard communications protocols. These are primarily wired networks with some localized wireless capabilities. Typical IT networking practices are followed.
  ICS/OT system: Many proprietary and standard communication protocols. Several types of communication media are used, including dedicated wire and wireless (radio and satellite). Networks are often high-loss and low-speed, and complex enough to require the expertise of control engineers.

Component lifetime
  IT system: Asset lifetime is on the order of 3-5 years.
  ICS/OT system: Asset lifetime is on the order of 15-20 years or more.

Access to components
  IT system: In most cases, components are local and easy to access.
  ICS/OT system: Depending on the industry, components could be isolated, remote, and often inaccessible.

Cybersecurity expertise
  IT system: IT stack-specific.
  ICS/OT system: Domain-specific.

Visibility
  IT system: Usually sufficient visibility into connected assets, servers, and traffic patterns using third-party cyber solutions.
  ICS/OT system: Lacks visibility into assets and traffic. There may be a network-connected server whose traffic can maliciously find inroads into the industrial network.

Security technologies
  IT system: Off-the-shelf IT firewalls and malware scanners are designed with IT requirements in mind.
  ICS/OT system: Deep packet inspection of ICS traffic and protocol-specific capabilities. Focus is more on traffic across the lateral databus rather than north/south traffic.

Table 1.1: A comparison of the security priorities in IT and ICS

In spite of these differences, it is important to note that there are areas where IT and OT security overlap and converge. According to Gartner's 80/20 rule of thumb (GART-IIoT), with the growing adoption of IT technologies in OT, 80 percent of the security issues faced by OT are almost identical to IT, while the remaining 20 percent are diverging and involve critical assets such as people, environment, and systems.

On the topic of air-gapping OT environments, here's some comprehensive guidance excerpted from GE-Wurldtech's research paper (WLT-ICS):

"The common notion that industrial assets are immune to cyber-attacks if parts of them are isolated from the internet (or other vulnerable corporate networks) is no longer practical in a hyper-connected enterprise. Although total air-gapping of an industrial network is possible, there are several reasons why this may not be a reliable security measure for industrial enterprises. For example, Wi-Fi, Ethernet ports, and USB ports present vulnerable attack surfaces. File transfers between the company and outsiders are inevitable as a hacker can infiltrate the organization's network by installing malicious software through such file transfers. An increasing number of companies are encouraging their employees to adopt the bring-your-own-device (BYOD) trend; however, the probability of a cyberattack through compromised personal devices is high. Even if an industrial network is completely air-gapped, it is still vulnerable to potential threats from accidental or intentional damage from its internal workforce. The only way to control this internal attack vector is by continuously monitoring the network and by implementing rigid access control mechanisms."

To summarize this section, the differences in operational dynamics and risk patterns between ICS and IT systems necessitate careful consideration when building IIoT security strategies. To counteract the new attack vectors that have been exposed by IIoT adoption, industrial enterprises need to factor in these differences. Merely applying legacy IT security in OT may cause more problems than it solves. Vulnerabilities and attack surfaces that are specific to the OT infrastructure need to be assessed; advanced security best practices that exist on the IT side of the house, for example, increased visibility into assets and traffic, need to be adopted. The measurement of "security success criteria" between IT and OT needs to be aligned by accounting for human and environmental safety. OT-specific vulnerabilities need to be prioritized, and existing security gaps need to be addressed.