- By Patrick Bedwell
- June 02, 2021
- Nozomi Networks
Understand these factors to protect mixed ICS and IoT environments. This article comes from the Ebook Automation 2021: OT/ICS Cybersecurity.
Conventional wisdom among some security experts holds that operational technology (OT) and information technology (IT) networks are separate. However, today’s industrial control system (ICS) networks are very different from the automation networks of 10 years ago. They now include many IT systems and Internet of Things (IoT) devices: cameras, tablets, asset management sensors, environmental monitoring devices, and other field-level sensors.
IoT technologies bring huge benefits to critical infrastructure and industrial organizations, including cost reduction and safety improvements. But these assets also create security gaps when operators do not have the capabilities to monitor and protect them.
These security gaps will only increase over the next few years as industrial organizations deploy thousands or hundreds of thousands of IoT assets in their global operations. Juniper Research predicts that there will be 83 billion IoT connections by 2024, a 130% increase over 2020. The industrial sector, including manufacturing and agriculture, will account for more than 70% of all IoT connections by 2024.
Engineers, automation experts, and managers need to understand IoT-based risks and challenges to ensure they can meet future production, safety, and digital transformation targets. Let’s take a look at why organizations are deploying IoT assets, and what to keep in mind when implementing processes and tools to protect mixed ICS and IoT environments.
IoT adds value to any ICS-intensive business
There are use cases for IoT in practically every industry. In manufacturing, for example, the top three IoT use cases are to improve automation, increase quality and compliance, and improve production planning.
By gaining visibility into production equipment performance, manufacturers can identify problems and take action to prevent maintenance-related disruption. They can also use detailed operations data to improve safety and inventory management and adapt quickly to changing demand.
In the oil and gas industry, another purpose is to reduce unplanned disruptions. With improved monitoring enabled by IoT, operators have better visibility of the status of pumps and pipelines. Similarly, in the energy sector, IoT devices can improve visibility into every stage in the transmission and consumption of electricity, from the power plant to an individual meter.
Unlimited use cases in every industry
- Agriculture: Increase productivity by measuring ground humidity, precipitation, and amount of sunlight.
- Airport: Improve passenger experience by monitoring security queue and baggage handling; reduce operational costs by optimizing fleet, power grid and building management.
- Building Automation Management: Reduce costs by optimizing energy consumption and maintenance operations.
- Energy: Reduce disruptions by monitoring every stage in transmission and consumption of electricity, from substation to individual meter.
- Manufacturing: Reduce downtime by monitoring raw material supply chains; reduce maintenance-related disruptions by measuring equipment performance in production processes.
- Maritime/Ports: Improve flow of containers by monitoring location of vehicles and goods, status of cargo, local terminal parking and traffic congestion.
- Mining: Improve the accuracy of ore data during drilling to increase production efficiency; automate fleet operations with driverless trucks to haul ore.
- Oil & Gas: Reduce unplanned disruptions through improved monitoring of pumps and pipelines.
- Pharma: Reduce manufacturing disruptions by monitoring production and supply-chain disruptions.
- Transportation Fleet Management: Lower costs and reduce maintenance disruptions by monitoring fuel efficiency and engine performance; improve safety record by monitoring driver behavior.
IoT assets can expose operational networks to a range of challenges related to seeing all assets, assessing their risks, and detecting and mitigating threats.
What drives the IoT security gaps in industrial networks?
Limited visibility of assets and behaviors. The IoT assets in your industrial environments communicate with different protocols than ICS assets, which can create monitoring challenges for your operations teams. Most ICS network monitoring and security controls are designed to analyze the proprietary protocols and device behavior of ICS assets—they are not designed for IoT protocols or IoT device behavior. Consequently, teams may have limited visibility of IoT assets on the network.
Conversely, security solutions for IoT networks provide little value to operations teams. These tools frequently lack understanding of ICS protocols, device behavior, and processes, preventing them from identifying assets and detecting malicious or anomalous behavior.
Limited security. Alongside visibility and monitoring, it is equally important to secure both ICS and IoT assets. And this needs to be done in a threat landscape where threat actors are targeting industrial networks more frequently.
In 2019, IBM Security reported a 2,000% increase in incidents targeting ICSs. Meanwhile, Nozomi Networks Labs reported that 2020 saw an increase in IoT botnet, ransomware, and COVID-19-themed attacks on ICS and IoT networks. A larger attack surface combined with a higher number of threats means your vital control systems are more at risk than ever.
IoT devices often add to security teams’ challenges, because they are characterized by:
- vulnerable firmware that cannot accept patches
- weak default passwords
- limited capacity that prevents installation of endpoint protection agents
- unhardened operating systems that are susceptible to code injection
- opaque software supply chains whose third-party components carry unknown vulnerabilities
In their 2020 survey of 200 organizations in North America and Europe that had deployed IoT assets, Syniverse/Omdia reported that “50% of enterprises report that ensuring data, network, and device security is their biggest challenge when adopting IoT solutions.”
The top three IoT security concerns were:
- protect against malware/ransomware (58%)
- protect against theft of data/financial loss (55%)
- prevent accidental leakage of confidential data/intellectual property (52%)
Those concerns had a direct effect on the success of IoT initiatives. The same survey found that “86% of enterprises using IoT reported their IoT deployments have been delayed or constrained by security concerns.”
Additionally, not following best practices in the deployment of IoT devices can create significant risks. In a SANS survey, 32% of respondents stated that their industrial IoT assets connect directly to the Internet, bypassing traditional security layers.
Limited scalability. On-premises monitoring and security technologies increasingly lack the capacity to analyze all the data generated by widespread deployment of IoT sensors. This scalability problem will only escalate with the adoption of 5G, which raises the supported device density from roughly 100,000 per square kilometer under 4G LTE to roughly 1 million per square kilometer, with data rates up to 100 times faster than 4G and lower latency.
Adapting security processes for IoT
Now that we have described the IoT security gap, let’s consider how your operations and security teams need to adapt their cybersecurity processes.
Provisioning: In addition to traditional provisioning requirements, IoT devices need to authenticate before they are admitted to the network. The mechanism depends on the devices and protocols in use; user-facing methods such as SSO or 2FA do not apply to a headless sensor, which needs its own per-device credential or certificate rather than a shared or default one. A common IoT best practice for ICS environments is therefore to enforce device security at the individual sensor level during initial deployment.
Configuration: The configuration management function is about to get more complex. Your organization needs to determine how you can continuously and automatically update your Configuration Management Database (CMDB) with data on potentially thousands of devices in a single location.
Monitoring: Similar to configuration management, device monitoring will become much more complex. Operators will need to monitor potentially hundreds of thousands of devices deployed globally for operational anomalies caused by maintenance issues as well as cyberthreats.
Maintenance: IoT devices create a challenge for deploying patches and firmware updates without disrupting operations. Your organization will likely have to reimagine your patch deployment workflows due to the sheer volume of IoT devices in its networks.
Identity and access management: Given the expanded attack surface that exists with high IoT adoption, your teams need to be particularly diligent about access control. Traditionally ICS environments have had weak credential management. Examples include using the same passwords that were set up when equipment was deployed years ago, using vendor-default passwords, or providing access for former employees or contractors.
In the IoT era, this lack of basic security workflows leaves the door wide open, so even an unsophisticated threat actor can get in. In a recent example, an intruder gained access to a water treatment facility in Oldsmar, Fla., through a remote-access application that was no longer in use but had been left on the network. The intruder raised the setpoint for sodium hydroxide in the water to a dangerous level; an operator watching the HMI noticed the change and reversed it before the water supply was affected.
Achieving OT + IoT visibility and security at scale
Another problem to overcome is achieving complete visibility of your assets and network, and detecting and responding to threats. Tools that correctly identify and understand the behaviors of both ICS and IoT assets are scarce, and that understanding is the foundational requirement for robust visibility and security. In addition, as your digital footprint expands, you need a solution that readily scales with it.
Visibility: Mixed environments require a tool that centrally monitors all ICS environments and accurately identifies the OT, IoT, and IT assets connected to them. To protect uptime and safety, this tool should be passive, with no agents required, and be continually updated with asset profiles. IoT devices are proliferating, and it is important to have up-to-date asset information to ensure both visibility and security.
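How a passive inventory can be built from flow metadata alone, as an added example that is not Nozomi Networks' code and does not describe its product: it classifies each internal host as OT, IoT or IT from the protocols it is seen speaking, flags the direct-to-Internet connections the SANS survey above warns about, and reconciles the result with a CMDB, the configuration-management problem raised earlier. The port tables, the internal address range, the flow records and the CMDB are all constructed for the example; the class mismatch on the camera shows why port heuristics alone are not enough and why a real tool fingerprints payloads.

```python
"""Passive OT / IoT / IT asset inventory from flow records (added example,
not vendor code). Everything below is constructed: tables, ranges, flows, CMDB."""
from dataclasses import dataclass, field
import ipaddress

# Protocol families keyed by well-known server port. A production tool
# fingerprints payloads (DPI) instead of trusting ports; ports keep this short.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
            44818: "EtherNet/IP", 47808: "BACnet/IP"}
IOT_PORTS = {1883: "MQTT", 8883: "MQTT/TLS", 5683: "CoAP", 5684: "CoAPS", 554: "RTSP"}
IT_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}

# Address space the plant owns (assumption). Anything else is "the Internet".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (src, dst, dst_port, transport); external
# addresses use RFC 5737 documentation ranges.
FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),      # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.1.21", 44818, "tcp"),    # HMI -> PLC, EtherNet/IP
    ("10.10.2.40", "10.10.2.2", 1883, "tcp"),     # vibration sensor -> broker
    ("10.10.2.41", "10.10.2.2", 1883, "tcp"),
    ("10.10.2.41", "203.0.113.9", 8883, "tcp"),   # sensor also publishes to a public broker
    ("10.10.2.50", "10.10.2.2", 5683, "udp"),     # CoAP sensor
    ("10.10.3.7", "10.10.1.5", 3389, "tcp"),      # engineering workstation -> HMI, RDP
    ("10.10.3.7", "10.10.3.10", 445, "tcp"),      # workstation -> file server, SMB
    ("10.10.2.60", "198.51.100.4", 443, "tcp"),   # camera -> vendor cloud, HTTPS only
]

# Constructed CMDB: what the organisation *thinks* is on the network.
CMDB = {
    "10.10.1.5": {"name": "HMI-01", "class": "OT"},
    "10.10.1.20": {"name": "PLC-01", "class": "OT"},
    "10.10.1.21": {"name": "PLC-02", "class": "OT"},
    "10.10.2.2": {"name": "MQTT-BROKER-01", "class": "IoT"},
    "10.10.2.40": {"name": "VIB-SENSOR-01", "class": "IoT"},
    "10.10.2.60": {"name": "CAM-01", "class": "IoT"},
    "10.10.3.7": {"name": "ENG-WS-01", "class": "IT"},
    "10.10.3.10": {"name": "FILESRV-01", "class": "IT"},
}


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)           # internal hosts it talks to
    external_peers: set = field(default_factory=set)  # Internet hosts it talks to

    @property
    def category(self) -> str:
        # OT outranks IoT outranks IT, so an HMI that also accepts RDP stays OT.
        if self.protocols & set(OT_PORTS.values()):
            return "OT"
        if self.protocols & set(IOT_PORTS.values()):
            return "IoT"
        return "IT"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def protocol_name(port: int, transport: str) -> str:
    return (OT_PORTS.get(port) or IOT_PORTS.get(port) or IT_PORTS.get(port)
            or f"{transport}/{port}")


def build_inventory(flows) -> dict:
    """Fold flow records into one Asset per internal host, no agents needed."""
    assets = {}
    for src, dst, port, transport in flows:
        name = protocol_name(port, transport)
        for ip, peer in ((src, dst), (dst, src)):
            if not is_internal(ip):
                continue  # inventory only the plant's own hosts
            asset = assets.setdefault(ip, Asset(ip))
            asset.protocols.add(name)
            (asset.peers if is_internal(peer) else asset.external_peers).add(peer)
    return assets


def reconcile(assets: dict, cmdb: dict) -> list:
    """Return (ip, issue, observed_category) findings for the operations team."""
    findings = []
    for ip, asset in sorted(assets.items()):
        record = cmdb.get(ip)
        if record is None:
            findings.append((ip, "not in CMDB", asset.category))
        elif record["class"] != asset.category:
            findings.append((ip, f"class mismatch (CMDB={record['class']}, "
                                 f"observed={asset.category})", asset.category))
        if asset.external_peers:  # the "connects directly to the Internet" case
            findings.append((ip, "direct Internet peer(s): "
                             + ", ".join(sorted(asset.external_peers)), asset.category))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, asset in sorted(inventory.items()):
        print(f"{ip:12} {asset.category:4} {sorted(asset.protocols)}")
    for ip, issue, cat in reconcile(inventory, CMDB):
        print(f"FINDING {ip:12} [{cat}] {issue}")
```

Running it lists ten internal hosts and five findings: two sensors missing from the CMDB, two hosts with direct Internet peers, and the camera, which only ever speaks HTTPS to its cloud and so looks like an IT host to a port-based classifier even though the CMDB records it as IoT. Feeding the findings back into the CMDB on each run is the continuous update the configuration section calls for.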
Security: To properly secure ICS networks, the network monitoring tool must understand the unique assets, communications, and processes of control networks. Doing so allows the solution to not only detect threats, but also identify anomalous behavior that could indicate a cyberattack or a process or equipment problem.
At the same time, the tool requires extensive knowledge of IoT devices and communications, and needs to consider the dynamic nature of IoT behavior. The key is to eliminate alerts caused by benign anomalous behavior and know when “new” or “different” is not a risk, focusing your attention on “true” incidents.
Other important capabilities are the use of current threat intelligence and a comprehensive approach that covers vulnerabilities assessment, risk monitoring and threat and anomaly detection.
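The baseline-then-triage logic the security paragraphs describe, as an added example that is not the vendor's code: learn each asset's conversations during a learning window, hold OT assets to that static baseline, and give IoT assets a narrow allowance for new endpoints inside their vendor's published ranges so that benign churn is logged as information rather than raised as an alert, while a workstation that suddenly opens Modbus to a PLC is escalated. The asset classes, vendor ranges and flow records are constructed for the example.

```python
"""Baseline-and-deviate triage for mixed OT / IoT traffic (added example,
not vendor code). Flows, classes and address ranges are all constructed."""
from collections import defaultdict
import ipaddress

OT_PORTS = {502, 102, 20000, 44818}                 # Modbus, S7comm, DNP3, EtherNet/IP
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # plant address space (assumption)

# Asset classes, e.g. from a CMDB or a passive inventory (constructed).
ASSET_CLASS = {"10.10.1.5": "OT", "10.10.1.20": "OT", "10.10.1.21": "OT",
               "10.10.2.41": "IoT", "10.10.2.60": "IoT", "10.10.3.7": "IT"}

# Egress ranges each IoT device is *expected* to reach (assumption: taken from
# the device vendor's published endpoint list). RFC 5737 ranges stand in here.
VENDOR_EGRESS = {"10.10.2.60": [ipaddress.ip_network("198.51.100.0/24")]}

# Constructed learning-window flows: (src, dst, dst_port, transport).
LEARNING = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),
    ("10.10.1.5", "10.10.1.21", 44818, "tcp"),
    ("10.10.2.41", "10.10.2.2", 1883, "tcp"),
    ("10.10.2.60", "198.51.100.4", 443, "tcp"),    # camera -> vendor cloud
    ("10.10.3.7", "10.10.1.5", 3389, "tcp"),
]
# Constructed flows seen after the baseline was frozen.
LIVE = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),        # in baseline: silent
    ("10.10.2.60", "198.51.100.17", 443, "tcp"),    # camera -> new IP in vendor range
    ("10.10.2.60", "203.0.113.9", 443, "tcp"),      # camera -> unlisted external host
    ("10.10.3.7", "10.10.1.20", 502, "tcp"),        # workstation opens Modbus to PLC
    ("10.10.1.21", "10.10.1.20", 44818, "tcp"),     # PLC -> PLC, never seen before
]


def learn_baseline(flows):
    """Map each source host to the set of (dst, port, transport) it used."""
    baseline = defaultdict(set)
    for src, dst, port, transport in flows:
        baseline[src].add((dst, port, transport))
    return baseline


def _in_vendor_range(src, dst, egress):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in egress.get(src, []))


def triage(baseline, flows, asset_class, egress):
    """Return one event per conversation absent from the baseline, with a severity."""
    events = []
    for src, dst, port, transport in flows:
        known = baseline.get(src, set())
        if (dst, port, transport) in known:
            continue
        cls = asset_class.get(src, "unknown")
        external = ipaddress.ip_address(dst) not in INTERNAL
        if port in OT_PORTS and cls != "OT":
            sev, why = "critical", "non-OT asset began speaking an OT protocol"
        elif cls == "OT":
            sev, why = "high", "OT asset deviated from its static baseline"
        elif cls == "IoT" and external and not _in_vendor_range(src, dst, egress):
            sev, why = "high", "IoT asset reached an unlisted external endpoint"
        elif (cls == "IoT" and _in_vendor_range(src, dst, egress)
              and any(p == port for _, p, _ in known)):
            sev, why = "info", "new endpoint in vendor range on a baselined port (benign churn)"
        else:
            sev, why = "medium", "new conversation"
        events.append({"severity": sev, "src": src, "dst": dst, "port": port, "reason": why})
    return events


def alerts(events):
    """Drop the benign 'info' events so analysts see only true deviations."""
    return [e for e in events if e["severity"] != "info"]


if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    for e in triage(base, LIVE, ASSET_CLASS, VENDOR_EGRESS):
        print(f"{e['severity']:8} {e['src']} -> {e['dst']}:{e['port']}  {e['reason']}")
```

Of the five live flows, one is silent, the camera's move to another address in its vendor's range is recorded as information only, and three are real alerts: the camera contacting an unlisted host, the workstation starting Modbus, and the PLC-to-PLC conversation that an OT baseline should never see appear on its own. The vendor-range allowance is the only place this logic tolerates "new", and it is deliberately narrow; an IoT device that changes protocol or leaves its expected ranges is still escalated.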
Scalability: The proliferation of IoT devices means the amount of data generated might be impossible to process even if you deploy the most powerful on-premises appliances. The alternative is a cloud-based approach, which not only scales faster, but provides the computing power necessary to quickly analyze data in more sophisticated ways, providing operational and security insights.
Closing the IoT security gaps in your ICS
To protect your operational processes, ensure safety, and transform your business to stay competitive, it is necessary to close the IoT security gaps in your ICS networks. Doing so requires adapting security and operational processes to deal with a very high volume of devices and continuous improvement in cybersecurity best practices. It also requires exceptional network visibility and threat detection that is effective for both ICS and IoT devices, and that scales to protect any number of devices.
The scalability requirement alone argues for a cloud-based software as a service (SaaS) security solution. Such a solution also brings other benefits, including lower costs, faster and more streamlined deployment, and the ability to see all the data in a single pane of glass. Leveraging the cloud can reduce partner and vendor access points to critical networks and improve analytics for predictive maintenance and production planning.
According to Gartner, since the start of the COVID-19 pandemic, there has been “an acceleration of cloud adoption and an increase in trust of cloud solutions amongst organizations around the world. Cloud adoption is the de facto new normal.”
This trend is happening in OT as well as IT, and today OT security is part of comprehensive digital security that enables digital transformation.
After years of fighting rogue Internet connections from production networks, ICS professionals may find cloud-based OT security and monitoring counterintuitive. However, as the pandemic has shown, it is time for new, safe approaches enabled by connectivity and current cybersecurity technology.