Cyber-Securing Critical PLC Assets for Best IoT Results

  • June 07, 2016
  • Feature

By Dr. Alex Tarter, Technical Director, Cyber Security Group, Ultra Electronics, 3eTI

The past ten years have marked extraordinary progress in industrial control system (ICS) cyber security. Every industry sector has taken notice of the threats exploiting programmable logic controllers (PLCs) and critical endpoints. Decision makers in the automation industry are pursuing standards and best practices for improved and assured system safeguards. However, security takes on new dimensions in the industrial Internet of Things (IIoT). In more traditional control and automated systems, the perimeter can be defined and defended. In the IIoT, the perimeter, as such, is no more.

The Industrial IoT Security Landscape: New Methods of Breaching a Network’s Perimeter

The threat landscape has never seen such a time of change. In the face of IoT, particularly in industrial sectors, machine systems are everywhere, connecting everything. We now enable computers to interact with our daily lives in ways that often are invisible to most of us. The traditional network perimeter is gone. Critical Infrastructure (CI) systems that drive industry -- heating, ventilation, air conditioning, generators, pumps, motors, light bulbs, temperature sensors -- are all increasingly reachable over connected networks. Wherever you are in the world, you can reach out, touch and, in effect, be touched back.

With every new technology innovation there always come unforeseen consequences. For the IoT, where we're combining and interconnecting computers for functions that require no human involvement, the consequence is increased cyber risk. The devices we are connecting everywhere have little or no security, even while we interact with them using smartphones and computers protected by some of the most sophisticated security available. Why the discrepancy? Why should the human-machine interface (HMI) have cyber-security protection, but the valve or meter it is communicating with have none? Today's cyber security technologies have focused almost entirely on the enterprise or the home PC, leaving defenseless the vast majority of devices that make up the IIoT and interact with the physical world.

Shifting Factors Influencing IIoT Cyber Security

When implementing proper cyber security, the approach must be holistic if it is to be comprehensive. This means considering endpoints when devising systems and cyber security programs, and when planning purchases. To illustrate: There is no point in locking your home's front door when the back windows are visibly wide open. All you do is drive an attacker from the strongest point of defense to the weakest. Instead, the entire property must be evaluated. For IIoT management and operations, this means assessing the world of vulnerabilities that impact people, devices, networks, and data.

In the industrial sector, thin margins often drive business decisions. Effective operations lead to more efficient output, which is why operators are increasingly dependent on automation. Process automation is a huge business today and we increasingly see networked control systems and embedded IIoT devices controlling the physical world. Security controls must align with these drivers. A lack of cyber security introduces understood risks to the operation of an IIoT system, but the mitigations need not impact the efficiency of a system to the extent that it ultimately costs more than an attack. The cure can’t be worse than the disease.

Security for the Perimeter-Defined-Enclave -- An Incomplete Fix

The methodology for locking down a fixed, defined network has resulted in a preponderance of superficially secure systems that are essentially segregated enclaves with restricted access to and from public networks such as the Internet. This is fine as long as the attacker remains on the outside of your network. While the Internet is teeming with genuine threats, those most dangerous to the IIoT's automated systems are in many ways indifferent to these perimeter safeguards. IIoT devices by their nature assume that they are operating in a somewhat closed environment. Devices communicate with remote servers, and users interact via HMIs such as PCs, tablets, and mobile devices. All these communications, however, are assumed to be taking place among authorized people and devices.

One of the biggest problems with the above approach is that once attackers are in the system, there is little security to prevent them from doing almost anything. Attackers, like most humans, prefer a path of least resistance, so penetrating a system from a public network using well-known attacks is one of the easiest and least risky ways to crack a system. A feasible best-practice approach would be to install strong perimeter defenses, such as data-diodes or gateway-firewalls to eliminate the external attack vector.

This approach, while logical, is incomplete. It may block a direct attempt to breach a network but is far less likely to fend off a persistent and determined offender. Instead an attacker may try a spear-phishing, watering-hole, or USB-based attack to get malicious code into a system. We have already seen multiple examples of this whereby attackers infect the firmware on a vendor's website, compromise maintenance laptops, or poison configuration files and USB sticks. The vulnerability ultimately isn't an unauthorized entity (person or malware) controlling the IIoT devices from an external location; it's that IIoT devices will readily comply with any commands no matter where they originate.

Instead, with every security control or architecture design, we should be asking whether the security feature actually prevents a vulnerability from being exploited, or whether it merely blocks one specific attack vector. In many industrial control systems, an attacker targets an embedded device's lack of robustness. IIoT devices are tested for reliability when legitimate commands are sent, but are almost never tested for what happens when an intentionally illegitimate command is sent. When operated correctly, an embedded IIoT device such as a PLC is one of the most reliable devices in operation, yet if challenged by a non-standard operation or command, it often fails or malfunctions. If an attacker wants to cause physical damage or impact IIoT operations, the preferred tactic will involve interfering with device-related communications.
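The two weaknesses described above, unconditional compliance with any command and fragility under malformed input, are both addressed at the endpoint rather than at the perimeter. The following is an added example, not code from the article or from 3eTI: a device-side command gate over a constructed, hypothetical frame format (the layout, the writable register window, the setpoint limit and the shared key are all assumptions) that authenticates the command's origin and rejects malformed or out-of-bounds commands before any control logic sees them.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical command frame (not any real ICS protocol):
#   2-byte function code | 2-byte register address | 2-byte value | 32-byte HMAC-SHA256 tag
# The tag covers the 6-byte body with a key shared only with authorised HMIs.
BODY_LEN = 6
FRAME_LEN = BODY_LEN + 32                    # body plus 32-byte HMAC-SHA256 tag
FUNC_READ, FUNC_WRITE = 0x01, 0x02
ALLOWED_FUNCTIONS = {FUNC_READ: "read", FUNC_WRITE: "write"}
WRITABLE_REGISTERS = range(0x0100, 0x0200)   # assumed writable register window
MAX_SETPOINT = 1000                          # assumed engineering limit

def build_frame(key, func, addr, value):
    """Builds a frame the way an authorised HMI would."""
    body = struct.pack(">HHH", func, addr, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def validate_frame(key, frame):
    """Endpoint-side gate run before any control logic; returns (accepted, reason)."""
    # 1. Robustness: anything that is not exactly one well-formed frame is dropped,
    #    so a malformed command never reaches code that might fail on it.
    if len(frame) != FRAME_LEN:
        return False, "malformed: length %d, expected %d" % (len(frame), FRAME_LEN)
    body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
    # 2. Origin: comply only with commands the device can authenticate,
    #    whichever network segment they arrived from.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "rejected: authentication tag mismatch"
    func, addr, value = struct.unpack(">HHH", body)
    # 3. Semantics: only known functions, within the engineered bounds.
    if func not in ALLOWED_FUNCTIONS:
        return False, "rejected: unknown function 0x%02x" % func
    if func == FUNC_WRITE:
        if addr not in WRITABLE_REGISTERS:
            return False, "rejected: register 0x%04x is not writable" % addr
        if value > MAX_SETPOINT:
            return False, "rejected: setpoint %d exceeds limit %d" % (value, MAX_SETPOINT)
    return True, "accepted: %s register 0x%04x" % (ALLOWED_FUNCTIONS[func], addr)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = build_frame(key, FUNC_WRITE, 0x0110, 500)
    print(validate_frame(key, good))
    print(validate_frame(key, good[:20]))                          # truncated frame
    print(validate_frame(b"other-key", good))                      # unauthenticated source
    print(validate_frame(key, build_frame(key, 0x7F, 0x0110, 1)))  # unknown function
```

The order of the checks matters: length is verified before parsing, and origin before semantics, so an unauthenticated sender learns nothing about which functions or registers the device would accept.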

In the IIoT, far more opportunities emerge for exploiting vast and distributed interconnected clusters of embedded-device-based systems than for attacking the user devices, such as HMIs or centralized servers, which are often protected by enterprise security tools. The exploit opportunities are fostered by the ineffectiveness of standard firewalls and other such cyber-defenses typically relied on by operators of automated systems.

Implementing End-to-End Cyber Security Efficiently for the IIoT

This is why cyber security, particularly in the IIoT, is ultimately implemented as risk management. Risks are identified, evaluated, and the mitigations weighed against the impacts. It is not quality assurance, and there is no way to move all the assets into one place and pronounce that all is secure. With risk management, every situation, system and risk profile is unique.

The best way to implement end-to-end risk management is to first establish the operator's own acceptable level of risk. Operators need to understand how an attacker could succeed, then determine how best to implement security for optimum risk mitigation. Doing so entails deploying proven risk-mitigation strategies that leverage accepted industry standards, and using technologies that have been independently validated to ensure you are not introducing even more vulnerabilities.

With the need to operate more efficiently, today's decisions have to be smart and in real time. As a result, data must be available from a diverse set of systems, obliging companies to connect a variety of legacy and new systems to the enterprise, which in turn creates fresh cyber security challenges. Solutions are available to help businesses securely connect those systems, whether legacy or new, to the enterprise without introducing unacceptable cyber risks.

The industrial automation sector can and should demand solutions that address and accommodate the IIoT's myriad dynamics. The most sound security architectures will protect all devices and the data within a network no matter if they are PCs, smartphones, servers, or embedded devices and controllers.


About the Author

The author, Alex Tarter, is an expert and thought leader on new technologies and solutions for industrial and commercial applications for the protection of critical infrastructure. In addition to the work he does developing security solutions, Alex performs vulnerability and cyber security work for military and industrial applications, having prepared more than 50 reports on various aspects of security, cryptography, and situational awareness for industry, UK MoD, and US DoD. He holds a PhD from Lancaster University and a Master of Engineering from Imperial College London, and is a certified specialist in ISA 99/IEC 62443 cyber security fundamentals. He serves as a civilian advisory expert to NATO on Cyber Defense for the Industrial Resources and Communications Services Group.

About Ultra Electronics, 3eTI

3eTI, an Ultra Electronics company, is a cyber technology company with products and systems that secure critical infrastructure (CI) and improve operational efficiency. The company delivers military-grade, certified solutions that protect and connect critical systems for the defense, government, utilities, and industrial markets worldwide. 3eTI's net-centric and OEM product portfolio includes robust WiFi and industrial wireless mesh networks, centralized facility and infrastructure management, and systems for cyber and physical security, all of which are approved for use by the US government.
