Tackling Security Vulnerabilities in Our Growing IIoT Networks
October 11, 2022
At its core, the industrial Internet of Things (IIoT) offers an always-on collection of process data, a cloud of analysis capability, and dashboards full of actionable insights. With access to such information, teams can increase efficiency and product quality, speed up decision-making, and reduce equipment downtime and operating costs. However, a sometimes haphazard approach to rollout has left these systems open to cyberattacks because security is often an area that companies do not want to invest in until it is too late.
Traditionally, Fieldbus-connected equipment was linked to PLCs and human-machine interfaces in closed networks, with an air gap between operational technology (OT) and information systems (IT) (Figure 1). Because IIoT relies on access to OT data, that air gap has been removed, but it hasn’t always been implemented with an appropriate assessment of the security implications.
Figure 1: The air gap between information systems (IT) and operational technology (OT) has been removed to support the goals of IIoT.
Industrial systems are often seen as an attractive and easy target for cybercriminals because of the broad attack surface coupled with a lack of joined-up security policies. Many such attacks have already occurred, targeting everything from manufacturing facilities to critical infrastructure, such as electricity distribution and water treatment plants. In an independent survey of security professionals, 60% of those questioned said they had paid a ransom after a cyber attack, with payments reaching beyond $500,000 USD in half of those cases.
Understanding the Attack Surface
The entry points used are wide and varied, and the severity of an attack depends on the intent and capability of the attackers. Most are executed by cybersecurity experts, using their knowledge to target poorly protected and outdated Windows platforms or older Linux installations for which vulnerabilities are known. This results in days of downtime as systems are reinstalled or backups are restored to ensure that the system is cleaned of malware and administrator accounts created by the criminals.
Common sense implies that anti-virus software and patch updates should protect IT systems. However, patches are often only released after weaknesses are found and, of course, are only useful if they are installed. There are many reasons why organizations are frequently behind on installing security patches, often because of time and money restraints. Furthermore, this is a reactive response to security rather than a proactive one. It is not a surprise that strategies for comprehensive cyber resilience and recovery are quickly becoming a widespread requirement.
Other cybercriminals have additional expertise in engineering and the equipment used to control the plant. With physical access to a site gained, regardless of whether it is through legal or illegal means, their understanding of Programmable Logic Controllers (PLC) and site functionality allow them to cause damage. This may involve operating actuators to mix liquids inappropriately or changing limits on process pressures or temperatures that put operators at risk and damage or destroy processed materials.
Generally speaking, attacks rarely start at OT equipment. The initial entry to systems is typically achieved through IT systems using social engineering, such as phishing emails, from where the remainder of the attack using OT is bootstrapped.
Results of Attacks Initiated from the OT Environment
The results of an attack range from annoying to destructive. Attackers have taken over access control systems to deploy denial of service (DoS) attacks, or reprogrammed PLCs to transmit erroneous data to the equipment they control. Some early equipment communicating over the transfer control protocol (TCP) failed to generate random initial sequence numbers (ISN), enabling DoS and malicious message injection. Losses resulting from such cyberattacks have been reported to accumulate at $1,000 USD per minute (Figure 2).
Figure 2: 60% of security professionals have paid ransoms, half of which were more than $500,000. Downtime resulting from attacks can cost $1,000 per minute.
Another core issue lies with software running on OT equipment. Unlike PCs and laptops, many don’t run Windows- or Linux-like operating systems that support updates. Instead, once installed, they will probably not receive any new revision to their firmware unless a maintenance team explicitly performs one. This requires physical access to the device to replace a memory card or perform an update. Although such updates require physical access to hardware, the firmware itself is unlikely to be checked for authenticity, risking the introduction of malware. Furthermore, new devices added to OT networks aren’t required to prove their identity unless security has been implemented. Thus, compromised hardware could be installed that provides a backdoor to OT system for cybercriminals.
Governments and Industry Fight Back
Like safety, security needs to be addressed as a core tenet of industrial control systems from the outset of system design. This is something that governments and standards organizations, aware of the risks associated with attacks on public infrastructure, have worked to address. In the European Union, the EU Cybersecurity Act has strengthened the role of ENISA, the EU Agency for Cybersecurity. Their role ranges from identifying perpetrators and cyber deterrence to providing a cybersecurity certification that is recognized EU-wide. The United States has initiated a similar effort with its National Industrial Security Program, or NISP. Backed up by the Strengthening American Cybersecurity Act (SACA), it requires that significant cyberattacks on critical infrastructure and any ransom payments are reported.
Of course, legislation alone doesn’t improve the situation unless equipment manufacturers and system developers are also provided with guidance on tackling the issues. The International Electrotechnical Commission (IEC) has spearheaded a response to this challenge, bringing experts in industrial automation and security together, including NXP. Approved in 2021, IEC 62443 provides a four-part standard that addresses cybersecurity for OT. It uses a risk-based approach to prevent and manage security risks for the different stakeholders, from operators and service providers to component and system manufacturers.
Security Features Baked into Semiconductor Solutions
Companies like NXP have a long history of expertise in security features for integrated circuits (IC). Features range from protecting the intellectual property (IP) of firmware in a device’s memory to capabilities that fulfil Common Criteria (ISO/IEC 15408) that describe the rigor and depth of security evaluation with Evaluation Assurance Levels (EAL). Such capabilities enable stakeholders dealing with equipment and systems based upon such ICs to address security risks more efficiently.
Microcontrollers (MCU) and system-on-chip (SoC) devices are at the core of PLCs and industrial PCs. These are available with security features that support original equipment manufacturers (OEMs) to comply with IEC 62443. A typical starting point is a secure boot mechanism with an immutable hardware root-of-trust. Trust for communication and access to parts of the device must be backed up with secure key storage. Many solutions use physical unclonable functions (PUF) that rely on naturally occurring variations in the transistors on the chip to provide a unique identity.
Programmable ICs have to provide an interface that allows developers to download and check the functionality of their code. Such debug ports provide access to all MCU and SoC features to the same level of authority as the internal processors. To ensure this access point isn’t used maliciously, secure devices use certificate-based authentication before granting debugging capability, much like establishing secure Internet communications between two trusted parties.
With connectivity at the core of IIoT, the algorithms supporting established public key infrastructure (PKI) must operate efficiently. These are typically implemented in hardware using crypto-accelerators for AES-256, SHA2-256, ECC, and RSA. True random number generation is at the core of good security, another core capability of secure silicon and something application code can use to resolve the ISN generation weakness described earlier.
Adding Security with Secure Elements
Not all applications can justify the costs associated with large MCUs and SoCs. Some require power-optimized processors for extended battery life, such as wireless remote sensors. Other products simply need to authenticate themselves, such as supplier-approved replacement parts. The compact MCUs used in these types of applications typically lack the wealth of security features of their larger cousins.
Secure Elements (SE) are stand-alone ICs that can provide the same level of security as on-chip solutions. They are placed next to and connected with the MCU requiring enhanced security. These ready-to-use solutions come complete with software support packages for integration with the MCU’s firmware and can also support Linux, Windows, and Android systems. Pre-integrated security simplifies compliance with IEC 62443, offering products a secure identity for IIoT authentication, cloud onboarding, and other similar tasks (Figure 3).
Figure 3: Secure silicon design coupled with silicon vendor support during manufacture and after product deployment simplifies fulfilment of IEC 62443 for IIoT solutions.
A core challenge for OEMs is managing the keys and certificates needed by the SE, making sure that attackers cannot harvest them for future attacks before the product has made it to market. Semiconductor vendors like NXP provide services to support IIoT pre- and custom provisioning of SEs, and cloud platforms for over-the-air device identity management and removal and revocation of keys and certificates of the product’s entire life cycle.
The outcome of cyberattacks in the form of ransomware costs businesses a lot of money. However, the damage cybercriminals can cause to manufacturing complexes and critical infrastructure could result in severe safety or environmental consequences, revenue loss, and damaged reputation that can quickly ripple through the supply chain. IIoT delivers incredible benefits to OEMs and society, making innovations more broadly available thanks to new manufacturing techniques and at more affordable prices. However, this cannot be at the expense of poor security. The security required is readily available, with semiconductor vendors providing hardware and services and the required expertise to implement it correctly. With appropriate analysis of the risks, the right technical solutions, and support, the security challenges of IIoT are surmountable.
For more information, download NXP’s Securing Industrial IoT white paper here.