The Industrial IoT Attack Surface
The average lifespan of industrial manufacturing machinery is around 20 years. To put that in context; 20 years ago, Windows 98 & Visual Basic 6.0 had just been released by Microsoft, Google had just hired their first employee and US Robotics started selling the first 56k modem. The Intel Pentium II 400MHz CPU was newly available at only $1124, XML became a W3C standard and the movie, Titanic became the highest-grossing film of all time. 20 years ago, the third industrial revolution was at full steam and when Windows XP was released in 2001, many plant and equipment manufacturers jumped to embed XP and a tremendous amount of PC technology in their products or run automation, inspection and SCADA systems. Now, in 2018, the implications of those decisions are becoming clear.
Problem 1: Embedded Windows OS.
Hindsight is a wonderful thing and it’s hard to claim that these manufacturers should have predicted the future–but intrinsically combing computer technology with a lifecycle of two years and industrial technology with a lifecycle of 20 years was a poor architectural decision. The constant stream of security patching and OS updates combined with the need for virus and malware detection software installed throughout the environment mean that, best case the manufacturing environment is hard to manage and worst case, it’s an unmaintained attack surface. Segregated networks, VPNs and industrial firewalls help until the inevitable USB stick or infected third party laptop connects to the environment - at which point you are in recovery mode.
The constant stream of security patching and OS updates combined with the need for virus and malware detection software installed throughout the environment mean that, best case the manufacturing environment is hard to manage and worst case, it’s an unmaintained attack surface.
Problem 2: Enterprise Strength Software
The introduction of user friendly operating systems, simple to learn programming languages and easily deployable databases opened new doors for equipment manufacturers. The SCADA, DCS and MES markets exploded with offerings from 100s of industrial device companies and while many were successful and served a purpose—other slacked consideration for cybersecurity basics such as protocol/packet level authentication, data encryption, buffer overflow checking and other secure coding methods. Even PLC’s, historically “secure through obscurity”, were suddenly under attack after the StuxNet virus targeting the Siemens S7 PLC protocol was developed in 2010 in a cyber-warfare attack against an Iranian nuclear plant. Industrial control systems were rapidly becoming a cyber-battle ground.
Problem 3: Ecosystem Security
In most cases, industrial manufacturing environments were not designed with the prospect that they would one day need to run mini IT datacenters. The IT closets are frequently not equipped with the infrastructure necessary for secure and reliable operations, the physical and cyber security policies are immature compared to core datacenter locations and cyber penetration testing typically reveal at least one or two nasty surprises. In addition, the technologies used on the manufacturing shop floor are not those typically supported by an IT organization which leads to heavy dependencies on vendor support, that in turn requires remote access directly to the manufacturing core–and that carries plenty of risk. Like the Target credit card breach in 2013, equipment support portals can quickly become back doors into the environment from which bad actors can easily navigate throughout the network. And although every organization in the world is at risk from phishing related attacks, the risk in a manufacturing environment still running on large numbers of unsupported and unprotected operating systems is particularly high-and the damage can be physical and catastrophic.
Problem 4: The Shifting Technology Landscape
Industry 4.0 and the Internet of Things are dramatically changing the technology footprint of the manufacturing shop floor. Legacy SCADA protocols like Profibus and Modbus are making way for TCP/IP based communications; Centralized on-premise, two tier architectures are evolving to decentralized edge/cloud multi-tier solutions; And SCADA systems are increasingly interconnected with MES, ERP and analytics platforms. The larger solution providers are investing heavily and evolving their products rapidly. The smaller niche players have a multi-decade legacy of outdated technologies that will take many years to modernize and solutions will be vulnerable until that is done. To complicate matters further, finding IT talent with knowledge of industrial controls technology is increasingly rare, and the population that built the previous generations of industrial control platforms are now approaching retirement age.
The Industrial controls domain is a time bomb. Aging technology responsible for critical equipment, vulnerable to cyberattacks in an increasingly connected world, with a multi-year remediation timeline, a talent shortage and closely tied to physical equipment that gets replaced every 20 years or so… It sounds like the trailer from a blockbuster disaster movie. In the meantime, IT teams can take the following steps:
1. A complete audit of the Operational Technology environment including SCADA systems, embedded controllers, kiosks to assess the technology landscape.
2. Engage with plant & equipment vendors directly to understand technology upgrade roadmaps, patch availability, disaster recovery planning and assess their own access and cyber security policies
3. Implement segregated VLAN and manufacturing firewalls to serve as bi-directional protection of malware that could get into the environment. Update policies & controls where possible.
4. Develop quarantine procedures for any devices entering the manufacturing VLAN and ensure those processes are understand throughout the Operations teams
Manufacturing Enterprise Security will be heavily dependent on edge defenses for at least the next 5-10 years as plant equipment manufacturers re-architect and redevelop their control systems in line with today’s technologies and cyber security standards. IT, who have been historically quite disconnected from Operational Technology, will need to ensure they are including manufacturing environments.