By Smit Kadakia, Chief Data Scientist, Seceon Inc.
Internet of Things (IoT) and Industrial IoT (IIoT) are not just buzzwords anymore. The broad use of these devices and their impact on our society and modern businesses is changing our everyday life in a way that was unimaginable even a decade ago. Always-on visibility of intruders to your home, precise control of your energy use, and the remote control of your garage and car doors are some examples of consumer use of the IoT’s technological advances. Such broad adoption of IoT and IIoT also increases the cybersecurity attack surface exposure for society and businesses. Most non-technical people and businesses are unaware of the risk that this poses and are likely to be caught off-guard, potentially resulting in substantial damage to them. So, what are these risks and how do you manage them?
IoT and IIoT Security Risks and Challenges
Security exposure for any IoT and IIoT device is a multi-dimensional problem referred to in the industry as the attack surface. For the most part, the attack surface is directly proportional to the age of the IoT device: the older the device, the bigger the attack surface generally is. Sometimes a recently manufactured device with a dated design can mislead the buyer about the built-in security of the device. Beyond the common-sense view of better security offered by contemporary devices, one needs to think about the inherent security risks of these devices as well.
Many of these devices operate on a customized, special-purpose hardware and software platform. The platform’s operating system is typically a stripped-down version of a popular OS such as Windows or Linux. The underlying assumption is that such devices, the corresponding platform, and the application will operate in a closed environment and do not need to be hardened for full security, as offered by a non-stripped standard OS. Lack of hardening is a risk that modern-day attackers understand well and have figured out how to leverage.
The other dimension to the security risk is the outdated OS, such as Windows 95, NT, Windows 7, XP or similarly old versions of Linux. The lack of upgrades to these operating systems from the OEM and the lack of connectivity from these devices to the OEM add to the hardening risk.
The third dimension to the security risk is the arcane but field-proven utilities. Their risk should be assessed based on their age and the design parameters for security. Some of the obviously insecure utilities transmit data unencrypted, such as FTP and sh, where sftp and ssh should be used instead.
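An added example (not part of the original article) of checking for the cleartext utilities mentioned above: it scans flow records for FTP, telnet and rsh sessions that reach the device segment and groups them per device. The log format, the addresses, `DEVICE_NET` and the telnet/rsh ports are assumptions, and the sample records are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Cleartext service -> encrypted replacement (FTP from the text; telnet, rsh assumed).
CLEARTEXT = {21: ("ftp", "sftp"), 23: ("telnet", "ssh"), 514: ("rsh", "ssh")}

# Assumption: device (IoT/IIoT) segment of a hypothetical plant network.
DEVICE_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
2021-06-01T08:00:01Z src=10.10.5.14 dst=10.20.0.7 proto=tcp dport=21 bytes=48211
2021-06-01T08:00:09Z src=10.10.5.14 dst=10.20.0.7 proto=tcp dport=22 bytes=9120
2021-06-01T08:02:40Z src=10.10.5.30 dst=10.20.0.7 proto=tcp dport=21 bytes=733
2021-06-01T08:03:12Z src=10.10.5.30 dst=10.20.0.9 proto=tcp dport=23 bytes=1502
2021-06-01T08:04:00Z src=10.10.5.14 dst=10.30.1.2 proto=tcp dport=23 bytes=410
2021-06-01T08:05:27Z src=10.10.5.14 dst=10.20.0.9 proto=udp dport=514 bytes=96
malformed line without fields
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)")

def find_cleartext_sessions(log_text):
    """Return {(device_ip, service, replacement): {"clients": set, "bytes": int}}."""
    findings = defaultdict(lambda: {"clients": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        dport = int(m["dport"])
        # Only TCP counts: UDP 514 is syslog, not rsh.
        if m["proto"] != "tcp" or dport not in CLEARTEXT:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # unparsable destination address
        if dst not in DEVICE_NET:
            continue  # only sessions that reach the device segment
        entry = findings[(str(dst),) + CLEARTEXT[dport]]
        entry["clients"].add(m["src"])
        entry["bytes"] += int(m["bytes"])
    return dict(findings)

if __name__ == "__main__":
    for (device, svc, fix), info in sorted(find_cleartext_sessions(SAMPLE_FLOWS).items()):
        print(f"{device}: {svc} from {sorted(info['clients'])}, {info['bytes']} bytes; use {fix}")
```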
Information Technology (IT) is traditionally known as the technology that deals with information to make decisions to operate and protect its own infrastructure. In the world of IoT, Operational Technology (OT) is employed and architected along with IT.
OT is used to monitor and control the IoT/IIoT devices through a good understanding of the device, which generates events, and takes appropriate actions based on the generated event. OT operations on their own, with no other outside connection, are generally quite safe. However, IT and OT are inherently interconnected, making it easier to pass the inherent risks and benefits of each architecture to the combined infrastructure. OT acts as a bridge that increases the security risk to the IoT/IIoT infrastructure through expanded connectivity to attackers. IT is traditionally more agile and less rigorous, requiring much more sophisticated security risk management. OT is inherently different on both fronts, agility and rigor, which adds significant security risk while facilitating easier operations.
To get a sense of the heightened security risks: according to a Kaspersky analysis of its telemetry from honeypots, more than 1.5 billion IoT attacks were detected in the first half of 2021, up from 639 million during the previous half. The rate of growth of attacks on IoT/IIoT devices and infrastructure has more than doubled, causing increased attention to security.
Dated data management
Information Technology is considered data-centric whereas Operations Technology is considered management-oriented. This is a good functional description, but it de-emphasizes the importance of data in Operations Technology. Most cyber security attacks are centered around data, and a lack of emphasis on data in Operations Technology is fundamentally a risk.
Common risk metrics for these can be viewed from a couple of perspectives. One is how the data is accessed and whether data in transit is encrypted. This is critical to ensure that even if someone accesses the data, they cannot use it for detrimental activities such as creating operational disruptions, imposing physical harm, or raising financial liability, to name a few. The other aspect revolves around data protection in case a breach really occurs. This is referred to as data encryption at rest. It is generally not thought through during the system design of an IoT-device-based infrastructure such as control systems.
There are many other risks, and we can probably go over them in the next installment of this article. To provide a glimpse of those risks, some of the standard proactive threat prevention methods can help us enumerate them and plan accordingly to mitigate them. These methods include authentication services, device manufacturer parameters such as default and maintenance access, communication among collaborating devices and systems, and operator errors or lack of security knowledge, to name a few.
Additionally, there is a class of industry-specific risks. For example, fraud in financial IoT is a commonplace occurrence. Similarly, utility/energy companies face the risks of service disruptions in the middle of a critical consumption period, overloading of the inputs to permanently damage the entire infrastructure, and literal theft of outputs such as electricity, gas or water to cause huge financial damage.
Now that we know about the risks and challenges, let’s review the key components of risk mitigation and management. The saying “Intellectuals solve problems, geniuses prevent them” conveys the best approach from the design perspective, while the saying “An ounce of prevention is worth a pound of cure” describes the financial savvy of an organization.
Just as healthy eating habits prevent sickness and enhance longevity, security hygiene helps significantly in thwarting attacks and hence provides one of the most effective mitigations. Security hygiene includes employing firewalls and intrusion prevention systems both for access to the Operations Technology infrastructure and for access from the Operations Technology infrastructure to the physical device infrastructure. This can also be augmented with modern authentication systems with safeguards such as multi-factor authentication to prevent unauthorized access. There are many other dimensions to security hygiene, such as allowing encrypted traffic and reducing access levels to a need-to-know basis. The important point is to pay special attention to security hygiene as a foundation for the security architecture and to sharpen the focus on proactive security controls.
One of the key aspects of security management in the IT industry is to not keep key access information static. This is accomplished by keeping the lifespan of such information as short as possible without making it operationally difficult. A common example is to enforce periodic changes of important credentials and to require multi-factor authentication. The security education of employees is a key aspect that many organizations ignore due to lack of staffing and the perception of education. The recent pandemic has accentuated this difficulty and has required organizations to hire less-skilled staff and to spend education bandwidth on imparting productivity-related skills at the expense of important security awareness. Management buy-in on security is extremely important; this foresight shows external stakeholders a forward-looking management style driven by business sustainability.
Simulating emergency scenarios, as in fire drills, is considered very important, and laws are enforced in many communities to make sure such drills take place and are regularly tested. Security breach testing should be treated like a fire drill: simulating security attacks through penetration testing plays an important role in the overall security posture of an organization. Pen testing will surely provide a good assessment of how well your current security measures are protecting you. However, it can also be designed to assess organizational readiness in case of a real attack. The assumption that we will all be attacked at some point, and that the only question is when, helps organizations prepare for the actual attack or breach and will tremendously improve their preparedness to react rapidly and effectively in such situations. Such readiness will certainly be appreciated by all internal and external stakeholders as well as clients. Conversely, lack of readiness in the event of a real attack can potentially put the entire organization out of business and leave a bitter taste in the community and among individuals associated with the business.
Layered Security System
Modern security infrastructure has evolved to counter sophisticated threats and attackers. The overall approach should certainly provide a proactive defense against all known attacks and also offer a very good defense against unknown attacks. Layered security systems built on security hygiene with machine learning (ML) and artificial intelligence (AI) are needed. The security hygiene generally consists of silo solutions like perimeter firewalls, authentication systems such as Windows Active Directory and proxy services. The threat response should be proactive and in near real-time. Note that we are referring to response and not just the detection.
Given the shortage of skilled security professionals, automation that minimizes or eliminates manual operations is imperative. The industry has started to coin the term XDR (extended detection & response) to describe this, but one will find various vendors using different combinations of products to promote their version of XDR. Let’s look at XDR from a purpose-driven approach.
The security system (XDR) should be unified and is expected to include Security Information and Event Management (SIEM), Machine Learning, Artificial Intelligence, User and Entity Behavior Anomaly (UEBA), Network Traffic Analytics (NTA), Security Orchestration and Automated Response (SOAR), Endpoint Detection and Response (EDR) and Vulnerability Assessment (VA). XDR in a single platform is essential for the practical and effective security posture for IoT and IIoT environments. Such a system has to provide flexibility and efficiency for the security operations center (SOC) to effectively mitigate any attack proactively and in minutes.
Operations Technology and Information Technology (OT and IT) used in a reasonably sized industrial environment for monitoring and control must be augmented by an XDR that builds upon basic security hygiene and includes SIEM, ML, AI, UEBA, NTA, VA and SOAR. Proactive security planning, readiness in case of attack, a business continuity plan, and security awareness are critical ingredients for modern organizations to sustain themselves in the dangerous world that we all operate in.
About the Author
Smit Kadakia is the Chief Data Scientist of Seceon Inc. He has been an executive leader overseeing business growth and technology differentiation in the cybersecurity industry at Seceon for over 7 years. He heads Seceon’s Data Science and Machine Learning team in the creation of the state-of-the-art aiXDR solution. Prior to Seceon, he was an executive member at Tradepoint Systems, which was later acquired by Kewill Systems. At Kewill, Smit helped grow the business multi-fold by addressing broader global markets while shortening the revenue cycle. Technologically, he helped transform the legacy supply chain products into a modern, competitive, and cost-effective SaaS platform. Prior to that, Smit was the Engineering Director at Upspring Software, which was later acquired by MKS. Smit holds a B.S. from Victoria Jubilee Technical Institute (VJTI), Mumbai, an MS in Computer Science from Indian Statistical Institute (ISI), and an MBA from Southern New Hampshire University (SNHU).