As IT, cloud, and industrial networks come together in industrial environments like shipping ports, oil refineries, and factories, organizations are facing new security threats.
In fact, Cisco says 35% of its customers mention security as a top obstacle to IoT. In addition, in the report “The State of Industrial Security in 2022" from Barracuda Networks, 93% of businesses reported that an IIoT/OT security project had failed.
In an Industrial IoT (IIoT) environment, networks, switches, routers, and wireless equipment connect to sensors on physical machinery. Because IIoT networks incorporate automation, they can bring new efficiencies by collecting data at the edge and giving visibility into issues ahead of time. This shift is called the Fourth Industrial Revolution, or Industry 4.0.
“Industrial IoT is basically bringing the [operational technology (OT)] and the IT together to get deeper insights in process telemetry and to use that to really improve the efficiency or deliver new services,” explains Anand Oswal, senior vice president and general manager of network security at Palo Alto Networks, in an interview.
These devices typically sit on a flat Layer 2 architecture, according to Oswal. A flat network places devices in a single broadcast domain (one switch or VLAN) with little or no segmentation between them, and Layer 2 is the data link layer of the International Organization for Standardization (ISO) Open Systems Interconnection reference model.
As “things” get connected, network operators must pay more attention to the attack surface, Oswal notes.
“Threats move laterally, and exposure of formerly isolated OT systems may cause potential cyber threats from the IT domain and back and forth,” Oswal says. “Many of these IoT systems are part of larger operations. If these systems are disrupted, there could be loss of important data telemetry that leads to production decisions, poor analytics, or stoppage of operations,” Oswal notes. It could also lead to loss of life.
The Pace of Patching in Industrial IoT
Industries like manufacturing and oil and gas run older legacy systems that lack modern security controls and were not designed for patching, explains Larry Trowell, director at penetration-testing company NetSPI.
“While these systems get the job done well when maintained, they were not necessarily built with modern security in mind,” he says.
Patching devices from many different manufacturers is also constrained by scarce maintenance windows, according to Oswal.
“The system is not geared toward frequent patching,” Oswal says. “One often has to wait for many weeks, if not months, before there's a real maintenance window where these OT and IIoT devices can be patched.”
Patching for IIoT systems is behind other enterprise systems, according to Bryon Black, IT manager for the South Coast Water District, which provides water service to about 35,000 residents and 1,000 businesses in South Orange County, California.
"With IIoT systems, especially in the world of infrastructure utilities, the patching frequency is generally slower than enterprise systems," Black tells Network Computing. "Patching for IIoT systems in utilities is generally multiple versions (months and sometimes years) behind the current patching. Patching occurs after the IIoT manufacturers certify (allow) patching to a certain level or release."
Although unpatched utility systems elevate cybersecurity risk, that risk can be “tolerable,” according to Black. He recommends securing them as needed without harming or damaging production systems.
“Generally, uptime and system reliability win out, but with a nod to securing as best as possible,” Black says.
Network operators cannot afford to take IIoT smart sensors down for patching and updating because the sensors need to keep running around the clock. This is a familiar scenario for Black at SCWD.
“Certainly, this scenario occurs from time to time," Black says. "Most systems have multiple cybersecurity measures in place—think multiple layers of protection. Patching is only one of the layers. Depending on the situation, patching is often the fourth or fifth in the line of defenses."
Misconfigurations, alert fatigue, and ransomware threaten IIoT networks
Security threats can trigger downtime on an IIoT system and compromise critical infrastructure. These networks are harder to defend because IIoT devices often cannot be actively scanned without risking crashes and disruption of normal operations, according to Oswal.
When the SCWD experienced misconfiguration issues after patching outside of the IIoT manufacturer’s recommendations, the water district reverted and restored its system from backup, Black says.
Finding security professionals with the expertise to fix misconfigurations is difficult amid a talent shortage, according to Trowell.
“Professional development and training in these industries are paramount as the consequences of downtime or compromise within critical infrastructure become much more dramatic,” he says.
Companies such as NetSPI conduct security reviews to investigate the configuration of systems in OT processes as part of a “defense in depth” strategy.
Additional threats include alert fatigue. A growing tech stack brings an increase in alerts, Trowell says.
“Sorting and validating alerts has become a tedious second job for many network security teams and has made it difficult to identify the alerts that warrant attention—like finding a needle in a haystack,” Trowell says.
When an alert fires on an IIoT system, turning it off or ignoring it is unacceptable, according to Black.
“Alert fatigue does occur from time to time,” Black says. “The larger issue here is giving operator staff appropriate training to recognize that alerts that are overfiring need to be escalated up the chain of command.”
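The following Python triage helper is an added example, not code from the article, NetSPI or SCWD. It shows one way to act on the point above without silencing anything: alerts are grouped by signature over a recent window, a signature that fires far above the threshold from a single source is escalated to whoever owns rule tuning, the same volume from many sources is escalated as a possible incident, and a signature tagged as safety-relevant always reaches a human. The record format, the signature names, the window and the threshold are all assumptions, and the alert records are constructed for the example.

```python
"""Rate-based alert triage for an OT security team (added example; data constructed)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Signatures that must reach an operator regardless of volume (assumed list).
NEVER_SUPPRESS = {"safety-plc-mode-change", "unauthorized-firmware-write"}

# Constructed alert records in an assumed (timestamp, signature, source asset) format.
BASE = datetime(2024, 5, 1, 8, 0, 0)
ALERTS = (
    # one engineering workstation tripping the same rule 30 times in two minutes
    [(BASE + timedelta(seconds=4 * i), "modbus-write-to-plc", "eng-ws1") for i in range(30)]
    # the same "new device" rule firing from five different switches
    + [(BASE + timedelta(seconds=10 * i), "new-device-seen", f"switch-{i % 5}") for i in range(25)]
    # a single safety-relevant event that must never be buried in the noise
    + [(BASE + timedelta(minutes=3), "safety-plc-mode-change", "plc-line1")]
    # low-volume alerts that get ordinary triage
    + [(BASE + timedelta(minutes=4), "failed-login-gateway", "gw-1"),
       (BASE + timedelta(minutes=5), "failed-login-gateway", "gw-2")]
    # an old record outside the window, which the batch ignores
    + [(BASE - timedelta(hours=2), "modbus-write-to-plc", "hmi-line1")]
)


def triage(alerts, window=timedelta(minutes=10), overfire_threshold=20):
    """Summarise a batch of alerts per signature and decide who needs to see it.

    Returns {signature: {"count": n, "sources": k, "action": action}} for the
    alerts inside `window` of the newest record. Nothing is dropped; overfiring
    signatures are escalated rather than muted.
    """
    latest = max(ts for ts, _, _ in alerts)
    recent = [a for a in alerts if latest - a[0] <= window]
    counts = Counter(sig for _, sig, _ in recent)
    sources = defaultdict(set)
    for _, sig, src in recent:
        sources[sig].add(src)

    result = {}
    for sig, n in counts.items():
        k = len(sources[sig])
        if sig in NEVER_SUPPRESS:
            action = "page-operator"
        elif n >= overfire_threshold and k == 1:
            # one source hammering one rule: a misconfiguration or a bad rule, send to tuning
            action = "escalate-for-tuning"
        elif n >= overfire_threshold:
            # many sources at once: scanning, a worm or a real outage, send to incident response
            action = "escalate-possible-incident"
        else:
            action = "triage"
        result[sig] = {"count": n, "sources": k, "action": action}
    return result


if __name__ == "__main__":
    for sig, info in sorted(triage(ALERTS).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sig:28} count={info['count']:3} sources={info['sources']:2} -> {info['action']}")
```

The threshold and the single-source rule are the knobs a team would tune per site; the important property is that the only two outcomes for a noisy signature are "fix the rule" or "investigate", never "switch it off".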
In addition, Oswal explains that cybercriminals target industrial IoT systems with ransomware, looking to disrupt critical infrastructure and extort payment. Attackers insert malware into an IIoT system that triggers a denial of service (DoS) or locks operators out of key files, then demand a ransom to restore access. A ransomware attack can even hijack the login for the IIoT gateway, override its password, and update the firmware with a malicious version.
How to effectively mitigate vulnerabilities on industrial IoT networks
Industrial IoT devices run on “bespoke” connections as well as 4G or 5G cellular, Oswal says, so securing these networks takes a holistic approach, one that encompasses the zero-trust security model, according to Oswal.
It also involves “least-privilege” segmented policies that specify which machines can communicate, Oswal says.
A holistic approach also involves “understanding the asset management of all your devices, ensuring that every connection that goes from an industrial IoT device to the outside world first has least-privileged access, but monitored on a continuous basis for command-control connections for malware and for threats on an ongoing basis,” Oswal says.
Attacks on IIoT systems show the danger of third-party systems being granted access and malware slipping through, Trowell says.
To address vulnerabilities on IIoT networks, organizations require real-time communications and an accurate asset inventory, according to Trowell.
“This way, not only do teams know if anything goes offline, but they can monitor the type of traffic going across the network, confirm no traffic is getting in from outside, and that nothing can penetrate the network,” Trowell says.
Asset inventory is important when industrial devices or endpoints come from many different vendors, Oswal notes.
Commercial monitoring systems and open-source tools help organizations with asset inventory.
“Attack surface management (ASM) tools can support these efforts greatly,” Trowell says.
He recommends continuous testing of assets to identify exposure on a network and view a picture of the attack surface.
“Given the criticality of these networks, an ASM solution that has a human penetration testing component or works alongside your pen-testing program is ideal,” Trowell says.
As network managers get visibility into the devices on an IIoT network, they should use automation to implement segmentation processes dynamically, Oswal advises.
Segmentation is also one of the steps of a zero-trust policy, which includes the principle of least-privilege access, Oswal notes.
He recommends a next-generation firewall to secure IIoT devices. Such firewalls provide visibility into the assets on a network and let network managers enforce policies on which devices can talk to each other.
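The following Python script is an added example, not code from the article, Palo Alto Networks or NetSPI. It ties together the recommendations above: an asset inventory, a least-privilege allow-list expressed by device role, continuous evaluation of observed flows (flagging lateral IT-to-OT traffic, inbound connections from outside, OT devices calling out to the internet as possible command-and-control, and devices missing from the inventory), and expansion of the role-level policy into explicit per-device firewall rules that can be regenerated whenever the inventory changes. Every address, device name, zone, flow record and the allow-list itself is constructed for the example; the Modbus/TCP (502), EtherNet/IP (44818) and HTTPS (443) ports are standard, but which roles may use them is an assumed site policy.

```python
"""Least-privilege flow policy for an IIoT site (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str   # segment the device lives in
    role: str   # what it is, which decides what it may talk to


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed asset inventory: hypothetical addresses, names and zones.
INVENTORY = {a.ip: a for a in [
    Asset("10.10.1.10", "plc-line1", "ot-cell1", "plc"),
    Asset("10.10.1.11", "plc-line2", "ot-cell1", "plc"),
    Asset("10.10.1.50", "hmi-line1", "ot-cell1", "hmi"),
    Asset("10.10.2.20", "eng-ws1", "ot-eng", "eng-ws"),
    Asset("10.20.0.5", "historian", "dmz", "historian"),
    Asset("10.30.0.40", "mes-app", "it-corp", "it-app"),
]}

# Site address space (assumed); anything outside it is "the outside world".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16")]

# Assumed least-privilege allow-list by role: (src_role, dst_role, proto, dport).
# Any conversation not listed here is denied.
POLICY = {
    ("hmi", "plc", "tcp", 502),           # Modbus/TCP from the cell HMI
    ("eng-ws", "plc", "tcp", 44818),      # EtherNet/IP from the engineering workstation
    ("historian", "plc", "tcp", 502),     # DMZ historian polls the PLCs
    ("it-app", "historian", "tcp", 443),  # IT reaches telemetry only via the DMZ historian
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> tuple:
    """Classify one observed flow as (verdict, reason)."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if not src_in and not dst_in:
        return ("ignore", "transit")                # not our traffic
    if not src_in:
        return ("block", "external-inbound")        # nothing from outside may initiate
    src = INVENTORY.get(flow.src)
    if src is None:
        return ("investigate", "unknown-asset")     # inventory gap or rogue device
    if not dst_in:
        if src.zone.startswith("ot-"):
            return ("block", "ot-to-external")      # OT has no business on the internet: possible C2
        return ("allow", "it-egress")               # IT egress is governed by a separate policy
    dst = INVENTORY.get(flow.dst)
    if dst is None:
        return ("investigate", "unknown-asset")
    if (src.role, dst.role, flow.proto, flow.dport) in POLICY:
        return ("allow", "policy")
    reason = "cross-zone-not-in-policy" if src.zone != dst.zone else "not-in-policy"
    return ("block", reason)


def audit(flows: list) -> dict:
    """Group non-allowed flows by reason so an operator sees the outliers, not every packet."""
    findings = defaultdict(list)
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict != "allow":
            findings[f"{verdict}:{reason}"].append(f)
    return dict(findings)


def generate_rules() -> list:
    """Expand the role-level policy into explicit per-device allow rules plus a default deny.

    Re-running this whenever the inventory changes is the dynamic-segmentation step:
    a newly discovered PLC gets exactly the conversations its role permits, nothing more.
    """
    rules = []
    for src_role, dst_role, proto, dport in sorted(POLICY):
        for src in INVENTORY.values():
            for dst in INVENTORY.values():
                if src.role == src_role and dst.role == dst_role:
                    rules.append(f"allow {src.ip} -> {dst.ip} {proto}/{dport}  # {src.name} to {dst.name}")
    rules.append("deny any -> any  # default deny")
    return rules


if __name__ == "__main__":
    # Constructed flow records, as a passive OT sensor or NetFlow export might produce.
    observed = [
        Flow("10.10.1.50", "10.10.1.10", "tcp", 502),    # HMI reading line 1: allowed
        Flow("10.30.0.40", "10.10.1.10", "tcp", 502),    # IT app straight to a PLC: lateral movement
        Flow("10.10.1.10", "203.0.113.7", "tcp", 443),   # PLC calling out: possible C2
        Flow("203.0.113.7", "10.10.1.50", "tcp", 22),    # inbound from outside
        Flow("10.10.1.99", "10.10.1.10", "tcp", 502),    # device not in the inventory
    ]
    for key, flows in audit(observed).items():
        print(key, [f"{f.src}->{f.dst}:{f.dport}" for f in flows])
    print("\n".join(generate_rules()))
```

The rule text is vendor-neutral on purpose; a real deployment would render the same (source, destination, protocol, port) tuples into the syntax of whatever next-generation firewall or switch ACL enforces the segmentation, and would treat the "unknown-asset" findings as inventory work before treating them as incidents.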