- By Chip Coy & Marcia Gadbois
- July 22, 2021
To provide cybersecurity for the many devices and connections encompassing industrial automation and IIoT systems, organizations should follow a three-pronged approach based on the right policies, technical tools, and education.
The first article in this three-part series covered the convergence of manufacturing operational technology (OT) and information technology (IT) systems, and the second showed why a single plant security system is necessary to properly protect all assets and industrial internet of things (IIoT) data. This third and final article takes a closer look at the importance of cybersecurity policies and practices for industrial automation organizations using distributed IIoT devices with the cloud to gain advanced functionality such as reachability of remote devices.
At the simplest level, all these connected sources provide opportunities for gathering, transmitting, storing, and accessing vast amounts of data, which can be viewed and analyzed so users can obtain the insights necessary to optimize operations. This information also enables new business models, but those models must take additional security risks into consideration. A well-thought-out and properly implemented cybersecurity policy, backed by procedures, can help deliver both connectivity and cybersecurity.
As a collaborative effort to bring insights from different viewpoints, this article is written from the perspective of two experienced experts: one with over 26 years in IT security, and the other with over 26 years in OT and industrial automation.
Worldwide cybercrime is increasing, and as more individuals work remotely, the potential exposure of corporate IT and OT also increases (Figure 1). Cybercriminals will exploit any operational gaps between IT, OT, remote workers, or remote devices, looking for an organization's weakest link to make it their next victim.
Ransomware is a type of malware, also known as extortion software, that infects computers and mobile devices. IBM Security X-Force reviewed ransomware attacks in 2020 and found that 40% of all ransomware was targeted at organizations with OT networks [1]. These OT networks are often connected to IT networks, which in turn are frequently connected to the internet, and then through the internet to individual workers' home networks. If a worker's home network or the connected IT network is not secured, cyber actors can pivot from the IT network to the OT network.
Ransomware restricts or deletes data unless a ransom is paid, typically via untraceable cryptocurrency. The most common methods cybercriminals use to infiltrate an organization with ransomware are:
Sending phishing emails.
Exploiting software or hardware vulnerabilities.
Taking advantage of an organization’s poor cyber ‘hygiene’, for example by not securing Remote Desktop Protocol (RDP).
RDP is a proprietary Microsoft protocol that allows users to connect to a system remotely over a network connection. RDP compromises are a common attack vector for cybercriminals.
Earlier this year Microsoft released several security updates to patch vulnerabilities in on-premises Microsoft Exchange Server. The software vulnerability, called ProxyLogon, was being exploited as part of an attack chain that allowed cybercriminals to create a web shell, hijack the system, and execute commands remotely. Any organization using on-premises Exchange Server 2013, 2016, or 2019 should implement these updates immediately.
Software is not the only asset on a network that can have vulnerabilities. Hardware must also be monitored for vulnerabilities. Recently, the Microsoft 365 Defender Research Team found a vulnerability in Netgear's DGN2200, an ADSL modem-router combo box, that allows remote attackers to take over the router [2].
Correcting vulnerabilities in home routers can be troublesome, especially since many home routers are long past the manufacturers' end-of-service dates. Out-of-date routers are far from a new problem, as highlighted in a PC World article from a decade ago [3]. A vulnerability in a home router could make a remote IT worker's laptop visible to attackers, and any vulnerability in that laptop could in turn provide a path for an attacker to reach the corporate IT network.
IIoT devices may also be vulnerable to stealthy malware. For example, in a famous 2015 case two hackers demonstrated remote access to a Jeep vehicle. They were able to remotely control the steering wheel, brakes, accelerator, wipers, and the car's entertainment system. In this case, they were only showing how they could take control of a remote device, not maliciously infecting the car with malware.
AIG has stated that ransomware has grown 150% since 2018 [4], and Cybersecurity Ventures predicts that by 2025, global cybercrime could amount to $10.5 trillion from data damage or destruction, stolen money, lost productivity, theft of intellectual property and personal or financial data, fraud, and reputational harm [5]. The number of organizations impacted by ransomware has also surged by 102% from 2020 to 2021 [6].
All organizations need to be concerned about cyberattacks and ransomware, because it is not just infrastructure or large companies that are being affected. Cybersecurity Ventures predicts a ransomware attack will occur every 11 seconds in 2021, up from every 40 seconds in 2016 [7]. Yet cybersecurity budgets within organizations are not growing at the same rate as cybercrime. Organizations need to make cybersecurity a corporate priority.
A three-pronged approach to combating cybercrime and ransomware is recommended, consisting of policies, technical tools, and education (Figure 2).
All organizations need a comprehensive cybersecurity plan to keep networks safe and secure no matter the level of outside attacks, and a cybersecurity policy that employees will follow if an attack or hack occurs.
Many times, these two documents are combined in one document called the cybersecurity policy. An organization's cybersecurity policy should cover the most likely threats to the network and the best way to minimize those threats. A good beginning is to create a complete inventory listing all assets on the IT and OT networks—along with all software and software versions on each machine—including PLCs, controllers, sensors, edge devices, and HMIs. The goal is to identify every susceptible item that must be protected from access by malicious third parties.
The cybersecurity policy should also cover any laws and regulations applicable to the business such as Sarbanes–Oxley, FDA, and HIPAA. In the United States, federal and state governments are addressing cyber threats and creating new laws and regulations focused on various industries. Depending on the organization's industry segment, there may be other laws and regulations that must be addressed in the cybersecurity policy.
Industrial automation organizations should also consider standards such as IEC 62443, Security for Industrial Automation and Control Systems, and NIST Special Publication 800-82 revision 2, "Guide to Industrial Control Systems (ICS) Security". These standards provide guidance to reduce control systems' vulnerability to malicious attacks while still addressing the unique performance, reliability, and safety requirements of industrial automation. In addition, the Cybersecurity & Infrastructure Security Agency (CISA) has resources and recommended practices specifically for securing industrial control systems [8].
Cybersecurity policies should also cover IIoT and remote devices. How does the organization secure remote updates? How does it secure the access from the industrial device to the satellite connection and to the cloud? How does it manage all the remote sensors, IIoT, and industrial devices? With remote industrial devices such as a pump, it is easier to address many of these concerns because of the physical hardening of the network. IIoT devices are more difficult because they are usually not kept in a secure location, but must be exposed in the field to accomplish the task.
The cybersecurity policy should also define roles and responsibilities for maintaining the assets within the organization. For example, who is responsible for:
Keeping the firewall up to date.
Patching the HMI software.
Approving vendor requests to open a port in the OT network.
Cybersecurity should involve the whole organization including top management such as the CEO, CTO and CFO. Generally, the cybersecurity policy will be more closely followed by all within the organization if upper management endorses, communicates, and promotes the importance of cybersecurity.
An Acceptable Use Policy (AUP) should be part of the cybersecurity policy document. The AUP section defines permitted and prohibited usage of the IT and OT networks. It should include statements about bringing devices from home or portable drives and, if these devices are permitted, what process and security procedures must be followed. The AUP should also address whether the internet or email can be used for personal matters.
The COVID-19 pandemic has shifted the way we work and conduct business. Many employees not required to be in the office are continuing to work from home. The cybersecurity policy must address security while working from home and accessing the corporate network.
Lastly, a cybersecurity policy and plan should provide best practices on how to use protective controls to promote integrity, availability, and confidentiality, all without impairing functionality and usability.
Remember that it does not matter how robust a cybersecurity policy program is if even one vendor has been compromised, which in turn compromises the organization's network environment. Once a threat actor has a foothold in a company's network, it will attempt to move laterally to escalate its privileges and gain control of the organization's systems. Some bad actors lie dormant for months collecting and exfiltrating data. Continuitycentral.com stated that the average dwell time for malware in small and mid-sized organizations is 798 days, well over two years [9].
One way to mitigate cybercrime is to implement a Zero Trust architecture. Zero Trust is rooted in the notion of "never trust, always verify." The old security model assumed that everything within the organization is trusted. A Zero Trust architecture segments the network and prevents lateral movement, which makes the model very useful in slowing an attacker who has compromised a remote worker's work laptop. The corporate security layers that the old model relied on generally disappear when an employee becomes a remote worker; they are replaced by a single layer, often an unpatched home router.
The Zero Trust model requires organizations to identify the most critical and valuable data, assets, applications, and services. The items that are most critical to an organization's operations become the Protect Surface.
With the Protect Surface identified, organizations can now restrict how the traffic and users access the Protect Surface. Understanding these interdependencies allows organizations to put fortifying controls in place to protect data, assets, applications, and services (Figure 3).
A frequent entry point used by threat actors is unpatched systems. Patch management is a continuous process of identifying, prioritizing, remediating, and reporting on security vulnerabilities. Companies need to have good patching policies in place. Additionally, aging assets can put an organization at risk because the hardware or software may no longer be supported, so patches for known security issues are not available.
Vulnerability scans should also be run to locate and identify vulnerabilities within the organization. Overlooking vulnerabilities in printers, IIoT devices, or other devices could put the organization at risk by allowing threat actors to gain entry into the network. Vulnerability scans can also find misconfigurations. Misconfiguration does account for some cybercrime, but not as much as unpatched software or users falling victim to social engineering attacks (described in the next section).
Multi-factor authentication (MFA) is viewed as secure. However, in the fall of 2020, Microsoft began urging users to move away from SMS or voice-call MFA because these technologies rely on the public switched telephone network (PSTN), which can be vulnerable. SMS has some security built in, but the messages are not encrypted. This means that organizations can be susceptible to man-in-the-middle attacks, in which the bad actor intercepts the victim's communication; usually the victims are unaware that they have been compromised.
Microsoft still recommends using MFA, but through applications [10]. MFA through a smartphone app, such as the ones from Microsoft [11], Okta [12], and others, provides a more secure path than the SMS or voice-call methods. The Microsoft solution is used by many organizations with Microsoft Active Directory. The federal Centers for Medicare & Medicaid Services (CMS) recently adopted the Okta Verify solution for verifying states that access CMS data.
It is recommended to use least-permissive permissions, which limit users' access rights to only what is strictly required to do their jobs. Users should not need to log in to their devices as admin or root, and services should not be required to run as admin or root. When websites or shared drives are set up, they should also use least-permissive permissions.
IIoT and remote industrial devices require the implementation of endpoint device security. A good practice is to ensure that new devices are secure by design before deploying them. Secure by design is an approach to hardware and software in which security is built in from the beginning.
Other best practices for IIoT security are to deploy end-to-end encryption, use strong login credentials, update both hardware and software as updates become available, disable unused features on the device, and keep track of every IIoT device.
Various organizations also publish security frameworks for IIoT devices, such as the Industrial Internet Consortium and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Finally, organizations should use spam filters, antivirus software, firewalls, network segregation, endpoint protection, content filtering, and other legacy security solutions. However, this is clearly not enough, as organizations need to invest in educating their employees on security matters.
A strong security awareness training program can have a major positive impact on the way in which employees respond to cyber-attack attempts. Generally speaking, any attack which seeks to trick someone into providing sensitive information or performing actions is called social engineering. To defend systems against the human element, educational methods are necessary to:
Help users be aware of common attack techniques and report suspicious activity.
Encourage best practices for examining emails: senders, attachments, hyperlinks, and domain name URLs before acting.
Use strong, non-guessable passwords that are changed on a schedule, and a different password for every website and service.
Security awareness training is an important part of protecting the corporate environment. Phishing is often used to penetrate organizations: individuals are tricked into unwittingly volunteering personal details or clicking a link within an email. According to Verizon, over 90% of all cyberattacks begin with phishing, indicating that humans are often the weakest link [13]. With appropriate security awareness training, humans can move from being the weakest link to being part of a strong defense.
Whaling is a phishing technique aimed at senior executives: an email masquerading as legitimate is designed to encourage them to perform a secondary action, such as initiating a wire transfer of funds. An example of a whaling attack is the 2016 incident at FACC, an Austrian aerospace manufacturer that lost 42 million euros because of a targeted email attack. The offending email looked like it came from the company's president, prompting an accounting department employee to transfer money to an account for a fake acquisition project.
Employees need to inspect every email, attachment, link, and URL before acting. Training should cover the proper procedure for discovering a sender's true email address, for reviewing a URL's domain name for misspellings, and for checking the hyperlink and URL protocol. Email attachments also need careful examination and should only be opened if the sender is known and the file is expected, because attachments are the most common mechanism for malware infections.
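The manual inspection steps above can be mirrored in an automated triage check. The script below is an added example, not part of the article or any vendor's product: it parses a raw message, compares the display name against the real sender address, flags sender and link domains that closely resemble an allow-list of trusted domains (the allow-list and both sample messages are constructed for illustration), and checks each hyperlink's visible text and protocol against its actual destination.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: domains the organization treats as its own or as known vendors.
TRUSTED_DOMAINS = {"example-corp.com", "microsoft.com", "okta.com"}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)  # visible text that is itself a URL

def registrable_domain(host):
    """Last two labels of a host name; adequate for the constructed samples below."""
    return ".".join((host or "").lower().split(".")[-2:])

def lookalike_of(domain):
    """Trusted domain that `domain` nearly matches (a misspelling such as rn for m), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    hits = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.8)
    return hits[0] if hits else None

def inspect_email(raw):
    """Return (code, detail) findings for one raw RFC 822 message; [] means nothing flagged."""
    msg, findings = message_from_string(raw), []
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(addr.rpartition("@")[2])
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)  # an address written into the display name
    if shown and registrable_domain(shown.group(1)) != sender_dom:
        findings.append(("display-name-mismatch", f"shows {display!r}, really from {addr}"))
    if (t := lookalike_of(sender_dom)):
        findings.append(("lookalike-sender", f"{sender_dom} resembles {t}"))
    body = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    for href, text in LINK_RE.findall(body):
        url, text = urlparse(href), re.sub(r"<[^>]+>", "", text).strip()  # drop tags inside the anchor
        if url.scheme != "https":
            findings.append(("insecure-scheme", href))
        if URLISH_RE.fullmatch(text):
            shown_dom = registrable_domain(urlparse(text if "://" in text else "//" + text).hostname)
            if shown_dom != registrable_domain(url.hostname):
                findings.append(("link-text-mismatch", f"shows {shown_dom}, goes to {url.hostname}"))
        if (t := lookalike_of(registrable_domain(url.hostname))):
            findings.append(("lookalike-link", f"{url.hostname} resembles {t}"))
    return findings

# Constructed whaling-style message: spoofed display name, one-letter lookalike sender, and a
# link whose visible text does not match its real http destination.
SUSPICIOUS = """\
From: "ceo@example-corp.com" <ceo@exarnple-corp.com>
Content-Type: text/html

<html><body>Approve today: <a href="http://example-corp.com.evil-login.net/pay">https://portal.example-corp.com/pay</a></body></html>
"""

if __name__ == "__main__":
    for code, detail in inspect_email(SUSPICIOUS):
        print(f"{code}: {detail}")
```

The heuristics are deliberately simple (two-label domains, no public-suffix list), so they support a training exercise or a first-pass filter rather than replace a mail gateway.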
If emails are pressuring users to act immediately, this is usually a sign of a cybercrime attempt. Pushing for immediate action often makes users panic, and panicked people use poor judgement. In these situations, users need to be trained to take a moment to think about whether this person would really be requesting this information urgently, and then contact the person to verify the request.
Users should also be cautious about accepting friend requests on social media from people or organizations that they do not know, or about requests asking the user to install a program to run a video or other extension received from unknown sources. Users should be taught to select non-guessable passwords and to use different passwords for every website and service. Password history policy should be enforced with a minimum password age policy. When a password is changed it should be tracked for potential security problems.
One last consideration is that if a user is compromised, they need to be trained to report it. Employees should not fear reporting an issue. Quickly identifying, addressing, and removing the compromised system helps protect the integrity of the remaining network. Having a strong incident response plan is essential to address these and other issues.
A Russian proverb states people should “Trust, but verify.” Security is every employee’s responsibility because every organization, regardless of industry, can fall victim to cybercrime. It only takes one click to compromise an entire network. However, cyber attackers are only as effective as organizations allow them to be.
Security requires diligence from users, key stakeholders, and the entire corporation to foster a truly secure environment. A structured cybersecurity program and plan must be in place, using tools and techniques to combat intruders. Periodic audits must be conducted, along with education and training for everyone in the company on the importance of security. If an organization falls victim to cybercrime, it is crucial to perform a postmortem, because the experience gained can be used to enhance future security.
Understanding the points raised in this three-pronged approach, and then acting accordingly, will greatly improve an organization’s cybersecurity posture. The goal is to make an organization very difficult to penetrate by threat actors, causing them to instead pursue other more vulnerable targets.
Figures, all courtesy of ADISRA