As the clock ticks towards a massive and preventable cyberattack on IIoT devices, manufacturers and companies deploying them must address three challenges.<\/p>\n
IIoT device exploits last longer than exploits against IoT devices<\/h2>\n
Mirai, Reaper, and other IoT botnets have flourished due to poor security controls, like hard-coded passwords, and a lack of encryption on consumer-grade IoT devices such as baby monitors, security cameras, and DVRs.<\/p>\n
Manufacturers of consumer IoT devices, however, assume a level of obsolescence as consumers upgrade to the latest and greatest while recycling or disposing of the older devices. This means that the cybersecurity of the consumer IoT space will probably slowly improve, assuming vendors continue to incorporate modern security practices in their product lifecycle.<\/p>\n
In contrast, the lifespan of an IIoT device is seven to 10 years. This means that\u00a0security exploits<\/a>\u00a0in the IIoT space have a far longer lifespan than in the consumer space.<\/p>\n For example, an IIoT ransomware campaign that disables sensors on offshore oil pumps until a payment is received could repeatedly be used against companies if there is no means of updating the software running on those sensors for a decade.<\/p>\n There are multiple approaches to securing IIoT devices such as robots.\u00a0Source:<\/em>\u00a0ClipArt.com<\/p>\n<\/div>\n The potential environmental and economic damages of an offshore oil pump malfunctioning due to a ransomware campaign would encourage rapid payments to third-party attackers.<\/p>\n There are at least two apparent solutions in this space. First,\u00a0manufacturers might<\/a>\u00a0add encryption to IIoT devices. The trade-off in adding even light encryption is that the added processing will shorten battery life.<\/p>\n This can be mitigated by either providing higher-capacity batteries and increasing costs, or by forcing obsolescence, which would be an inelegant and expensive way to force updates into the IIoT ecosystem.<\/p>\n The alternate strategy is for companies purchasing IIoT devices to treat them the same as any other endpoint device\u00a0connecting to the corporate network<\/a>. Reasonable organizations now require that laptops, desktops, smartphones, and virtual desktop infrastructure (VDI) all support software updates with minimal downtime.<\/p>\n Incorporating a requirement that new IIoT devices support remote discreet software updates will help manage the risk of deploying hundreds of thousands of devices with unknown security vulnerabilities.<\/p>\n One of the major trends in IIoT is to focus on reducing break-fix maintenance costs with preventative maintenance. Some studies cite up to a 30% reduction in costs associated with this model.<\/p>\n For example, a service that diagnoses and predicts aircraft maintenance issues based on sensors deployed from the tip to the tail of the airplane can help reduce \u201cunscheduled maintenance,\u201d that dreaded phrase heard by frequent flyers the world over.<\/p>\n Similarly, a service that predicts hardware failures on farm machinery can help to improve operational efficiencies by scheduling maintenance when the machinery is not in use.<\/p>\n Companies subscribing to these services will receive these benefits, however, only if the data being sent to the remote monitoring service has not been tampered with. This tampering can happen in at least one of two ways.<\/p>\n In the first scenario, attackers with physical access to the monitored hardware \u2014 airplane, tractor, oil pump, etc. \u2014 would need to introduce a device that would transmit falsified data into the monitoring service.<\/p>\n The alternate attack vector is to compromise and modify the central store of monitoring data. Although this is a remote exploit, it is not novel. Companies have been breached and found evidence of tampering in their files and data after the fact.<\/p>\n There are at least three visible solutions to this threat. The first, and most obvious, is to not rely solely on remote monitoring services instead of physical inspections whenever workable.<\/p>\n A second solution is to conduct periodic and rigorous inventories of deployed IIoT devices to ensure that no new and previously unknown devices have been deployed.<\/p>\n The third potential solution is to\u00a0leverage artificial intelligence<\/a>\u00a0to identify<\/a>\u00a0anomalous or aberrant data trends that would be submitted to a human analyst for attention.<\/p>\n For example, if all deployed engines have an average time between maintenance of 6,000 hours that is detected using an IIoT sensor, an engine running at 6,200 hours with sensors reporting \u201call clear\u201d could require manual inspection despite the lack of a \u201ccheck engine\u201d light calling attention to this.<\/p>\n It might seem expedient to skip network configuration and limit network connectivity to IIoT devices when deploying potentially thousands of devices under an accelerated time frame.<\/p>\n Now\u2019s the time to add cybersecurity to IIoT devices.\u00a0Source:<\/em>\u00a0ClipArt.com<\/p>\n<\/div>\n Allowing connectivity to speed up deployment, however, carries the risk of allowing unwanted network connections from third-party attackers. The Shodan search engine makes it particularly easy for both legitimate security researchers and third-party attackers to identify IIoT devices that acknowledge their\u00a0connectivity to the public Internet<\/a>.<\/p>\n As noted earlier, from a cybersecurity and policy perspective, organizations should not treat IIoT devices differently than any other computing device. An unprotected IIoT device can serve as an initial bridgehead for part of a larger cyberattack by a dedicated third-party attacker.<\/p>\n Alternatively, third parties might avoid the trouble of exfiltrating company manufacturing data and instead focus on mining cryptocurrency, an attack that would be visible only as a performance degradation on the IIoT devices.<\/p>\n The aforementioned risks pertaining to IIoT are preventable given sufficient thought and secure hardware. The modern reality of cybersecurity is that third-party attackers are running illegitimate businesses and face the same budget, staffing, and time constraints as legitimate enterprises.<\/p>\n Most third-party attackers will pursue those companies that do not focus on securing their IIoT and other computing devices. This is the same rationale that burglars use when evaluating mansions with security systems and guard dogs in comparison with residential homes with unlocked front doors. Companies need to deploy these simple solutions to stop the next watershed moment in IIoT security.<\/p>\n![\"Cybersecurity](\"https:\/\/i0.wp.com\/rosetta.vn\/short\/wp-content\/uploads\/sites\/3\/2018\/10\/109780097-300x300.jpg?resize=300%2C300&ssl=1\")
<\/p>\nThird-party attackers may inject false data or tamper with existing data<\/h2>\n
More on IIoT and Cybersecurity:<\/h3>\n
\n
The proliferation of IIoT devices is no excuse to stop segmenting networks<\/h2>\n
![\"Now's](\"https:\/\/i0.wp.com\/rosetta.vn\/short\/wp-content\/uploads\/sites\/3\/2018\/10\/109748373-300x300.jpg?resize=300%2C300&ssl=1\")
<\/p>\n![\"Kayne](\"https:\/\/i0.wp.com\/rosetta.vn\/short\/wp-content\/uploads\/sites\/3\/2018\/10\/Kayne-McGladrey-300x300.jpg?resize=300%2C300&ssl=1\")
<\/p>\nAbout the Author:<\/h3>\n