Connectivity & Cybersecurity Part 3 of 3: IIoT Devices

Summary

The first article in this three-part series covered the convergence of manufacturing operational technology (OT) and information technology (IT) systems, and the second showed why a single plant security system is necessary to properly protect all assets and industrial internet of things (IIoT) data. This third and final article takes a closer look at the importance of cybersecurity policies and practices for industrial automation organizations using distributed IIoT devices with the cloud to gain advanced functionality such as reachability of remote devices.
 
At the simplest level, all these connected sources provide opportunities for gathering, transmitting, storing, and accessing vast amounts of data, which can be viewed and analyzed so users can obtain the insights necessary to optimize operations. This information also enables new business models, but the new models must take into consideration additional security risks. A well thought out and implemented cybersecurity policy and procedures can help deliver both connectivity and cybersecurity.
 
As a collaborative effort to bring insights from different viewpoints, this article is written from the perspective of two experienced experts: one with over 26 years in IT security, and the other with over 26 years in OT and industrial automation.
 

Escalating problems

Worldwide cybercrime is increasing and as more individuals work remotely, the potential exposure of corporate IT and OT also increases (Figure 1). Cybercriminals will exploit any operational gaps existing between IT, OT, or remote workers or devices, looking for an organization's weakest link to make them their next victim.
 

• Sending phishing emails.

• Exploiting software or hardware vulnerabilities.

• Taking advantage of an organization’s poor cyber ‘hygiene’, for example by not securing Remote Desktop Protocol (RDP).

 RDP is a proprietary Microsoft protocol that allows users to connect to a system remotely over a network connection. RDP compromises are a common attack vector for cybercriminals.
 
Earlier this year Microsoft released several security updates to patch vulnerabilities to on-premises Microsoft Exchange Server. The software vulnerability, called ProxyLogon, was being exploited as part of an attack chain allowing cybercriminals to create a web shell to hijack the system and execute commands remotely. Any organization using on-premises Exchange Server 2013, 2016, or 2019 should implement these updates immediately.
 
Software is not the only asset on a network that can have vulnerabilities. Hardware must also be monitored for vulnerability. Recently, the Microsoft 365 Defender Research Team found a vulnerability in Netgear's DGN2200, an ADSL modem-router combo box. This vulnerability allows remote attackers to take over the router².
 
Correcting vulnerabilities in home routers can be troublesome, especially since many home routers are long past the manufacturers end-of-service dates. Out of date routers are far from a new problem, as highlighted in a PC World article from a decade ago ³. A vulnerability in a home router could make a remote IT worker’s laptop visible to attackers. Any vulnerability in that remote IT worker’s laptop could provide a path for an attacker to reach the corporate IT network.
 
IIoT devices may also be vulnerable to stealthy malware. For example, in a famous 2015 case two hackers demonstrated remote access of a Jeep vehicle. They were able to remotely control the steering wheel, brakes, accelerator, wipers, and the car’s entertainment system. In this case, they were just showing how they could take control of a remote device and not maliciously infecting the car with malware.
 
AIG has stated that ransomware has grown 150% since 2018 ⁴ and Cybersecurity Ventures predicts that by 2025, global cybercrime could amount to $10.5 trillion from data damage or destruction, stolen money, lost productivity, theft of intellectual property and personal or financial data, fraud, and reputational harm ⁵. The number of organizations impacted by ransomware has also surged by 102% from 2020 to 2021 ⁶.
 
All organizations need to be concerned about cyberattacks and ransomware because it is not just infrastructure or large companies that are being affected by cyberattacks. Cybersecurity Ventures predicts a ransomware attack will occur every 11 seconds in 2021, which is up from every 40 seconds in 2016 ⁷. Yet cybersecurity budgets within organizations are not growing at the same rate as cybersecurity crimes. Organizations need to make cybersecurity a corporate priority.
 
A three-pronged approach to combating cybercrime and ransomware is recommended, consisting of policies, technical tools, and education (Figure 2).

Policies

All organizations need a comprehensive cybersecurity plan to keep networks safe and secure no matter the level of outside attacks, and a cybersecurity policy that employees will follow if an attack or hack occurs.
 
Many times, these two documents are combined in one document called the cybersecurity policy. An organizations’ cybersecurity policy should cover the most likely threats to the network and the best way to minimize those threats. A good beginning is to create a complete inventory listing all assets on the IT and OT network—along with all software and software versions on each machine—including PLCs, controllers, sensors, edge devices, and HMIs. The goal is to identify every susceptible item that must be protected from access by malicious third parties.
 
The cybersecurity policy should also cover any laws and regulations applicable to the business such as Sarbanes–Oxley, FDA, and HIPAA. In the United States, federal and state governments are addressing cyber threats and creating new laws and regulations focused on various industries. Depending on the organization's industry segment, there may be other laws and regulations that must be addressed in the cybersecurity policy.
 
Industrial automation organizations should also consider standards such as IEC 62443, Security for Industrial Automation and Control Systems, and NIST Special Publication 800-82 revision 2 “Guide to Industrial Control Systems (ICS) Security”. These standards provide guidance to reduce the control systems' vulnerability to malicious attacks, while still addressing the unique performance, reliability, and safety requirements for industrial automation. In addition, the Cybersecurity & Infrastructure Security Agency (CISA) has resources and recommended practices specifically for securing industrial control systems⁸. These resources are available here.
 
Cybersecurity policies should also cover IIoT and remote devices. How does the organization secure remote updates? How does it secure the access from the industrial device to the satellite connection and to the cloud? How does it manage all the remote sensors, IIoT, and industrial devices? With remote industrial devices such as a pump, it is easier to address many of these concerns because of the physical hardening of the network. IIoT devices are more difficult because they are usually not kept in a secure location, but must be exposed in the field to accomplish the task.
 
The cybersecurity policy should also define roles and responsibilities for maintaining the assets within the organization. For example, who is responsible for:

• Keeping the firewall up to date.

• Patching the HMI software.

• Approving vendor requests to open a port in the OT network.

 Cybersecurity should involve the whole organization including top management such as the CEO, CTO and CFO. Generally, the cybersecurity policy will be more closely followed by all within the organization if upper management endorses, communicates, and promotes the importance of cybersecurity.
 
An Acceptable Use Policy (AUP) should be part of the cybersecurity policy document. The AUP section defines the permittable and non-permittable usage on the IT and OT networks. It should include statements about bringing devices from home or portable drives, and if these devices are permitted, then what process and security procedures must be followed. The AUP should also address whether the internet or emails can be used for personal matters.
 
The COVID-19 pandemic has shifted the way we work and conduct business. Many employees not required to be in the office are continuing to work from home. The cybersecurity policy must address security while working from home and accessing the corporate network.
 
Lastly, a cybersecurity policy and plan should provide best practices on how to utilize protective controls to promote integrity, availability, and confidentiality, all without affecting the functionality and usability conditions.
 
Remember that it does not matter how robust a cybersecurity policy program is if even one vendor has been compromised which in turn compromises the organization's network environment. Once a threat actor has a foothold in a company’s network, it will attempt to move laterally to escalate their privileges and gain control of the organization's systems. Some bad actors lie dormant for months collecting and exfiltrating data. Continuitycentral.com stated that the average dwell time in small and mid-sized organizations for malware is 798 days, well over two years⁹.
 

Technical tools

One way to mitigate cybercrime is to implement Zero Trust architecture. Zero Trust is rooted in the notion that an organization "never trust, always verify." The old security model assumed that everything within the organization is trusted. Zero Trust architecture segments the network and prevents lateral movement. The Zero Trust model is very useful in slowing an attacker who has compromised a remote worker's work laptop. The old security model that relied on corporate security layers generally disappear when an employee becomes a remote worker. The corporate security layers are replaced by a single layer, often an unpatched home router.
 
The Zero Trust model requires organizations to identify the most critical and valuable data, assets, applications, and services. The items that are most critical to an organization's operations become the Protect Surface.
 
With the Protect Surface identified, organizations can now restrict how the traffic and users access the Protect Surface. Understanding these interdependencies allows organizations to put fortifying controls in place to protect data, assets, applications, and services (Figure 3).
 

Education

A strong security awareness training program can have a major positive impact on the way in which employees respond to cyber-attack attempts. Generally speaking, any attack which seeks to trick someone into providing sensitive information or performing actions is called social engineering. To defend systems against the human element, educational methods are necessary to:

• Help users be aware of common attack techniques and report suspicious activity.

• Encourage best practices for examining emails: senders, attachments, hyperlinks, and domain name URLs before acting.

• Use strong time sensitive non-guessable passwords and a different password for every website and service.

 
Security awareness training is an important part of protecting the corporate environment. Phishing is often used to penetrate organizations. Phishing is when individuals unwittingly volunteer personal details or click on a link within an email. According to the Verizon, over 90% of all cyberattacks begin with phishing, indicating humans are often the weakest link ¹³. With appropriate security awareness training, humans can move from being the weakest link to being part of a strong defense.
 
Whaling is a phishing technique that is aimed at senior executives masquerading as a legitimate email designed to encourage them to perform a secondary action, such as initiating a wire transfer of funds. An example of a whaling phishing attack is the 2016 incident of FACC, an Austrian aerospace manufacturer that lost 42 million euros because of a targeted email attack. The offending emailed looked like it came from the company's president, prompting an accounting department employee to transfer money to an account for a fake acquisition project.
 
Employees need to inspect every email, attachment, link, and URL before acting. Training should include the proper procedure to discover the true senders email address, the URL domain name review procedure for misspellings, proper hyperlink and URL protocol. Email attachments also need careful examination and should only be opened if the sender is known and the file is expected, because attachments are the most common mechanism for malware infections.
 
If emails are pressuring users to act immediately, this is usually a sign of a cybercrime attempt. Pushing for immediate action often makes users panic, and panicked people use poor judgement. In these situations, users need to be trained to take a moment to think about whether this person would really be requesting this information urgently, and then contact the person to verify the request.
 
Users should also be cautious about accepting friend requests on social media from people or organizations that they do not know, or about requests asking the user to install a program to run a video or other extension received from unknown sources. Users should be taught to select non-guessable passwords and to use different passwords for every website and service. Password history policy should be enforced with a minimum password age policy. When a password is changed it should be tracked for potential security problems.
 
One last consideration is that if a user is compromised, they need to be trained to report it. Employees should not fear reporting an issue. Quickly identifying, addressing, and removing the compromised system helps protect the remaining network's integrity. Having a strong incident and response plan is essential to address these and other issues.
 

Conclusion

A Russian proverb states people should “Trust, but verify.” Security is every employee’s responsibility because every organization, regardless of industry, can fall victim to cybercrime. It only takes one click to compromise an entire network. However, cyber attackers are only as effective as organizations allow them to be.
 
Security requires diligence from users, key stakeholders, and the entire corporation to foster a truly secure environment. A structured cyber security program and plan must be in place, using tools and techniques to combat intruders. Periodic audits must be conducted, along with education and training for everyone in the company on the importance of security. If an organization is attacked by a cybercrime, it is crucial to perform a postmortem because the experience gained can be used to enhance future security.
 
Understanding the points raised in this three-pronged approach, and then acting accordingly, will greatly improve an organization’s cybersecurity posture. The goal is to make an organization very difficult to penetrate by threat actors, causing them to instead pursue other more vulnerable targets.
 
Figures, all courtesy of ADISRA
 
References

1. Security Intelligence. Singleton, C., Kiefer, C., Villadsen, O. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide.

2. The Register. Halfacree, G. (2021, July 1). Microsoft warns of serious vulnerabilities in Netgear's DGN2200v1 router.

3. PCWorld. Broida, R. (2012, October 5). How to know when it's time to replace your router.

4. AIG US. (n.d.). Ransomware: a call for enhanced resiliency.

5. Cybercrime Magazine. Freeze, D. (2021, April 27). Cybercrime To Cost The World $10.5 Trillion Annually By 2025.

6. Cyware Labs. (2021, May 18). Breaking Down the Ransomware Trends in 2021: Cyware Hacker News.

7. Cybercrime Magazine. Freeze, D. (2021, January 8). Top 5 Cybersecurity Facts, Figures, Predictions, And Statistics For 2021 To 2025.

8. Cybersecurity and Infrastructure Security Agency CISA. (n.d.). Recommended Practices.

9. Continuity Central. (2019, July 16). Cyber threat ‘dwell time’ in small and mid-sized organizations explored

10. Techcommunity.Microsoft.com. Weinert, A. (2021, November 10). It's Time to Hang Up on Phone Transports for Authentication.

11. Microsoft.com. (n.d.). Microsoft Authenticator.

12. Okta.com. (n.d.). Okta Verifty.

13. Verizon Business. (n.d.). 2021 DBIR Master's Guide.