The merging of industrial IoT and industrial control systems has made organizations vulnerable to security threats that teams must address by building security into every process and product.
Attackers increasingly target industrial control systems (ICS) using a variety of tactics. In recent years, attacks have targeted ICS using malware, including the cyberattack on the Kudankulam Nuclear Power Plant in India, the Crash Override attack on the Ukrainian electrical grid and the Triton attack announced by FireEye. The attackers in each of these events attempted to cause major disruptions and physical damage to the industrial systems, which can face increased risks when combined with industrial IoT (IIoT).
Historically, organizations have relied upon a separation of their operational technology networks from the internet to keep systems secure, Walter Haydock, product manager of IoT security at PTC, said during a breakout session of PTC's annual LiveWorx conference on June 9. Some organizations use the Purdue model for industrial control systems to understand the interaction of ICS with IoT devices and intermediate levels of infrastructure. IIoT has prompted an IT/OT convergence, which means the networks no longer remain separated, and organizations become more vulnerable to attacks. With the introduction of IIoT, ICS has merged with IoT gateways, edge devices and cloud platforms.
"[With IIoT], it's possible to jump the Purdue model that has previously been thought of as protecting industrial control systems against malicious actors," Haydock said. "Just because some of the historical measures that you may have used [worked before] -- whether they be firewalls or air gaps to protect your ICS against hackers -- doesn't necessarily mean in the new context with the IT/OT convergence that is happening that you are going to be safe."
It's not only the security experts' or administrators' responsibility to protect systems; end users, vendors and manufacturers all share the responsibility to keep systems secure, starting with the design of products and platforms and concluding with the end of product lifecycles.
"The idea is that you incorporate security -- you build in security as part of your process. And you introduce this early on because it's going to be a lot less costly if we identify issues with either the design that might lead to a security flaw or with potentially how you're going about the design, your coding scheme," said Oscar Ornelas, director of enterprise application security at PTC, during the breakout session. "It's about trapping or blocking or identifying and addressing any issues early on."
Organizations can apply six cybersecurity processes to building, using or configuring software to ensure ICS IoT security. These processes can be used by vendors selling software as a product, equipment manufacturers and organizations using the software for their ICS and IIoT devices.
Understand the cyber kill chain
Even though the kill chain process was originally created for the U.S. military, organizations can use it as a security framework to understand how an attacker might exploit a vulnerability and to make decisions to prevent attacks. In 2011, Lockheed Martin took the concept and adapted the framework to cybersecurity, with networking attacks in mind specifically.
The Cyber Kill Chain includes seven stages to enhance visibility into an attack and understand an adversary's tactics, techniques and procedures, Ornelas said.
Organizations can apply the kill chain whether they are purchasing a software platform and customizing it or they are an OEM adding value to their product.
Plan defense in depth
Organizations must always ensure that the software or product they deploy has a defense-in-depth model. This strategy uses defense mechanisms to protect the confidentiality, integrity and availability of data.
"What you want to do is have a layer of defenses," Haydock said. "Different people in the IoT ecosystem are responsible for different parts. Making sure that everybody is playing their role is really critical to helping defend against these more advanced attackers."
Each layer of defense requires different security measures. For example, phishing awareness training will teach users not to click on malicious links in emails. The layers should include:
- Physical access. Biometrics, security guards and locked doors.
- Perimeter. Demilitarized zone, firewall and VPNs.
- Internal network. Protected with a network-based intrusion detection system and intrusion prevention system, network segmentation, network access control, and network-based antivirus protection.
- Host. Harden the host with the latest patches, block services that shouldn't be exposed through port control, and run host-based antivirus protection.
- Application. Conduct input validation and follow best practices to protect applications, harden the application, and have access control and authentication for applications.
- Data. Encrypt data, prevent data loss or leakage, and have backups for data. Always test the data backups.
Implement device lifecycle management
Organizations need device lifecycle management for IIoT devices to account for the security of industrial infrastructure at every stage.
"Understanding how to securely deploy these devices as an end user is extremely important," Ornelas said. "There are things that the vendor can do to help the customer [by making it] easier to manage the lifecycle of these devices."
IT administrators should start by creating an inventory of all the devices that plug into the network and keep it up to date when they add new devices. Next, admins must register and configure the devices and ensure they have the latest firmware and software versions or patches. Admins should implement basic security practices, including checking that default passwords are not used and disabling any unnecessary communications to or from the device.
Once devices are integrated into the day-to-day operations and connected to back-end systems, they should be able to transmit and read data from the field. Even though the devices are now plugged into the system, security teams must monitor the device continuously to make sure the device doesn't conduct any malicious activities. The device lifecycle is not complete until each device is unplugged from the network and wiped clean of sensitive data.
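The lifecycle checks described above (registration, current firmware, rotated default credentials, only necessary services enabled, and a wipe at end of life) can be turned into an inventory audit. The following is an added example, not PTC's or any vendor's tooling: the device models, firmware baselines, service allow-lists and device records are all constructed for the demonstration.

```python
"""Audit a constructed IIoT device inventory against the lifecycle steps:
every device registered, firmware at or above the approved baseline,
factory-default credentials rotated, only necessary services enabled, and
decommissioned devices wiped. Added example; all data is constructed."""
from dataclasses import dataclass, field

# Constructed baseline: minimum approved firmware version per device model.
FIRMWARE_BASELINE = {"plc-x100": (2, 4, 1), "gateway-g7": (1, 9, 0)}
# Constructed allow-list: services each model legitimately needs to expose.
ALLOWED_SERVICES = {"plc-x100": {"modbus-tcp"}, "gateway-g7": {"mqtt-tls", "ssh"}}


@dataclass
class Device:
    device_id: str
    model: str
    registered: bool             # present in the asset inventory
    firmware: tuple              # (major, minor, patch) as reported by the device
    credentials_rotated: bool    # factory-default credentials have been changed
    open_services: set = field(default_factory=set)
    status: str = "active"       # "active" or "decommissioned"
    data_wiped: bool = False     # only meaningful once decommissioned


def version_str(v):
    return ".".join(str(p) for p in v)


def audit_device(dev):
    """Return the list of findings for one device; an empty list means it passes."""
    findings = []
    if dev.status == "decommissioned":
        # End of life: the only remaining requirement is that sensitive data is gone.
        if not dev.data_wiped:
            findings.append("decommissioned device not wiped of sensitive data")
        return findings
    if not dev.registered:
        findings.append("device on network but not registered in inventory")
    baseline = FIRMWARE_BASELINE.get(dev.model)
    if baseline is None:
        findings.append(f"unknown model {dev.model}: no firmware baseline defined")
    elif dev.firmware < baseline:   # tuple comparison orders versions correctly
        findings.append(
            f"firmware {version_str(dev.firmware)} below baseline {version_str(baseline)}")
    if not dev.credentials_rotated:
        findings.append("factory-default credentials still in use")
    # Anything listening beyond the allow-list is unnecessary communication.
    extra = dev.open_services - ALLOWED_SERVICES.get(dev.model, set())
    if extra:
        findings.append("unnecessary services enabled: " + ", ".join(sorted(extra)))
    return findings


def audit_inventory(devices):
    """Map device_id -> findings for every device in the inventory."""
    return {d.device_id: audit_device(d) for d in devices}


# Constructed sample inventory: one compliant device and three with problems.
SAMPLE_INVENTORY = [
    Device("plc-01", "plc-x100", True, (2, 4, 1), True, {"modbus-tcp"}),
    Device("plc-02", "plc-x100", True, (2, 3, 0), False, {"modbus-tcp", "telnet", "http"}),
    Device("gw-01", "gateway-g7", False, (1, 9, 2), True, {"mqtt-tls", "ssh"}),
    Device("plc-old", "plc-x100", True, (1, 0, 0), False, set(), "decommissioned", False),
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(device_id, "OK" if not findings else "; ".join(findings))
```

Run on a schedule against the real inventory, the findings list is the work queue for the admin team; the decommissioned branch is what keeps end-of-life devices from dropping out of view before their data has been wiped.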
Have a secure software supply chain
The software supply chain is a sequence of processes that organizations can use to protect software from the time designers create it to when it is available to the end user, Ornelas said. A basic software supply chain has four parts, each presenting an opportunity for attack. During this supply chain process, a software supply chain attack could insert malicious code into the software products and so deliver malware that compromises the software's customers. At each step in the supply chain, organizations can implement different security practices.
In the development phase, organizations should create a list of approved development tools and SDKs, which should be the only ones used. Developers should not download tools from third-party websites.
In the continuous integration/continuous delivery (CI/CD) development pipeline, organizations can mitigate attacks by limiting access to the pipeline and distribution systems. Admins must block IPs and URLs that attackers use to communicate between CI/CD servers and external systems.
Next, organizations must protect their build servers by limiting access both to the servers and to the supply chain management tooling. IT admins can use an access management program and network segmentation to build in security functionality and should continue monitoring for unusual activity.
At the end of the pipeline, admins must secure the application download site. They can do this by limiting access to software-hosting servers, conducting malware scans, using endpoint protection software and implementing a patch management program.
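One concrete form of the development-phase and build-server controls above is a gate that lets a build use only tools and SDKs from the approved list, fetched from the internal mirror, whose contents match the hash pinned when they were approved. The following is an added example, not PTC's or any vendor's tooling: the approved list, the mirror hostname, the artifact bytes and their hashes are constructed for the demonstration.

```python
"""Gate build inputs on an approved-tool list with pinned SHA-256 hashes and
an approved download source. Added example; all values are constructed."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Artifact:
    name: str
    source: str    # URL the build agent fetched it from
    data: bytes    # file contents as found on the build agent


# Constructed: the only host build agents may download tools from.
APPROVED_SOURCES = {"mirror.build.internal"}

# Constructed approved-tool list: name -> SHA-256 pinned at approval time.
# In practice this list is written when a tool is reviewed and approved and
# stored where build agents cannot modify it.
APPROVED_TOOLS = {
    "sdk-1.2.0.tar.gz": sha256_hex(b"constructed sdk 1.2.0 contents"),
    "compiler-9.1.zip": sha256_hex(b"constructed compiler 9.1 contents"),
}


def verify_artifact(art, approved=APPROVED_TOOLS, sources=APPROVED_SOURCES):
    """Return findings for one artifact; empty means it may be used in the build."""
    findings = []
    host = urlparse(art.source).hostname
    if host not in sources:
        findings.append(f"fetched from unapproved source {host}")
    expected = approved.get(art.name)
    if expected is None:
        findings.append("not on the approved tool list")
    elif sha256_hex(art.data) != expected:
        # Contents differ from what was approved: tampered, corrupted or swapped.
        findings.append("SHA-256 does not match the pinned approval hash")
    return findings


def verify_build_inputs(artifacts):
    """Return (ok, report); the build should proceed only when ok is True."""
    report = {a.name: verify_artifact(a) for a in artifacts}
    return all(not f for f in report.values()), report


# Constructed artifacts as they might appear on a build agent.
SAMPLE_ARTIFACTS = [
    Artifact("sdk-1.2.0.tar.gz", "https://mirror.build.internal/sdk-1.2.0.tar.gz",
             b"constructed sdk 1.2.0 contents"),
    Artifact("compiler-9.1.zip", "https://mirror.build.internal/compiler-9.1.zip",
             b"constructed compiler 9.1 contents with an extra byte"),   # altered
    Artifact("helper-tool.exe", "https://downloads.third-party.example/helper-tool.exe",
             b"constructed unreviewed binary"),
]

if __name__ == "__main__":
    ok, report = verify_build_inputs(SAMPLE_ARTIFACTS)
    for name, findings in report.items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("build allowed" if ok else "build blocked")
```

The same check belongs on the download site at the end of the pipeline, pointed the other way: the hash of each release artifact is recorded when it leaves the build server and compared again before it is published.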
Secure the software development life cycle
OEMs and organizations using an IoT platform that allows customization should follow the secure software development lifecycle (SDLC) framework, a set of guidelines that defines the development process and attaches security practices to each SDLC phase, from training through response. Organizations must have core security training and establish security requirements.
For example, in the design phase, developers should establish design requirements, perform threat modeling and analyze attack surfaces. In the implementation phase, organizations should run static analysis and deprecate unsafe functions. In the verification phase, organizations should implement dynamic analysis, testing and attack surface review. In the release phase, organizations should have an incident response plan and conduct a final security review. In the response phase, they should execute the incident response plan.
Conduct threat modeling
Threat modeling -- a key part of secure SDLC frameworks -- is an analysis used to understand which characteristics of a system should be modified to minimize security risk. It also helps organizations understand the various types of threats attackers could use to target them.
"[Threat modeling] will allow you to identify potential security flaws early on," Ornelas said. "Discovering potential security vulnerabilities on paper or on a whiteboard is much less costly than identifying the same vulnerability as you move down into the build pipeline or, even worse, post-deployment."
Organizations must complete three overarching activities in threat modeling. First, they need to create a data-flow diagram to identify endpoints and processes in the system. Next, they need to analyze the potential threats found based on the data flow. Finally, organizations must mitigate each of the threats they identified.
"Threat modeling is one of the most important and underused security activities in any secure SDLC and that really needs to change," Ornelas said.
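The three activities above (diagram the data flows, enumerate threats from the diagram, mitigate each one) can be carried out in code on a small IIoT system. The following is an added example, not PTC's process. It uses Microsoft's STRIDE threat classes with the usual STRIDE-per-element mapping for the second activity; the page names no taxonomy, so that choice, the sample diagram, the control names and the control-to-threat table are all assumptions made here.

```python
"""Walk the three threat-modeling activities: (1) describe the data-flow
diagram, (2) enumerate threats per element, (3) check each threat against
the mitigations declared for its element. Added example; STRIDE is assumed
as the taxonomy and the diagram, controls and coverage table are constructed."""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which threat classes apply to each kind of DFD element.
THREATS_BY_KIND = {
    "external": "SR",    # external entity (device, user, partner system)
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}

# Constructed table of which declared control addresses which threat class.
CONTROL_COVERS = {
    "device-auth": "S",
    "mutual-tls": "STI",     # authenticated, integrity-protected, encrypted channel
    "signed-firmware": "T",
    "audit-log": "R",
    "encrypted-at-rest": "I",
    "rbac": "E",
    "rate-limit": "D",
}


@dataclass
class Element:
    name: str
    kind: str                      # "external", "process" or "store"
    controls: set = field(default_factory=set)


@dataclass
class Flow:
    src: str
    dst: str
    crosses_boundary: bool         # flows inside one trust boundary are not modelled
    controls: set = field(default_factory=set)


def enumerate_threats(elements, flows):
    """Activity 2: list (target, threat code, declared controls) from the diagram."""
    threats = []
    for e in elements:
        for code in THREATS_BY_KIND[e.kind]:
            threats.append((e.name, code, e.controls))
    for f in flows:
        if f.crosses_boundary:
            for code in THREATS_BY_KIND["flow"]:
                threats.append((f"{f.src}->{f.dst}", code, f.controls))
    return threats


def unmitigated_threats(elements, flows):
    """Activity 3: return (target, threat name) for threats no declared control covers."""
    gaps = []
    for target, code, controls in enumerate_threats(elements, flows):
        if not any(code in CONTROL_COVERS.get(c, "") for c in controls):
            gaps.append((target, STRIDE[code]))
    return gaps


# Activity 1, constructed: the sensor -> gateway flow crosses the plant/IT
# trust boundary; gateway -> historian stays inside the plant network.
ELEMENTS = [
    Element("field-sensor", "external", {"device-auth"}),
    Element("iot-gateway", "process", {"mutual-tls", "audit-log", "rbac", "rate-limit"}),
    Element("historian-db", "store", {"encrypted-at-rest", "audit-log"}),
]
FLOWS = [
    Flow("field-sensor", "iot-gateway", True, {"mutual-tls"}),
    Flow("iot-gateway", "historian-db", False),
]

if __name__ == "__main__":
    for target, threat in unmitigated_threats(ELEMENTS, FLOWS):
        print(f"{target}: {threat} has no mitigation")
```

The output is the list of threats still open on paper, which is exactly the point Ornelas makes: each entry is a design decision to take now rather than a vulnerability to find after deployment. Adding a control to an element and re-running shows whether the gap is closed.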