This is not an unfounded concern, as we can read in media, a growing number of cyber attack cases over industrial plants making the infrastructures useless or even alter their operationwith the risk that this entails.
It was in 2010, when we became for the first time familar with industrial cybersecurity, when Stuxnet a malware described for some as the first cyber weapon, was introduced in a Iranian nuclear power plant with the objective to delay Iran’s nuclear programme. This malware managed to control the valves and pressure sensors of the enriched uranium centrifuges.
In the past year industrial cyber attacks over critical infrastructures have grown considerably, attacking thermal power plants, electrical substations, water treatment plants, or oil pipelines such as the one orchestrated recently against Colonial Pipeline or against a water treatment plant in Florida, that supplies water to a large population.
Security risks lay in IoT devices
The Internet of Things (IoT) is a set of technologies that enables the physical world to be linked to the digital world. Through sensors, actuators and other so called IoT devices, information is collected from what happens in the physical world and processed digitally afterwards. Making an analogy with the human body, IoT is the senses of the digital world and the first step towards digital transformation for many industrial companies, that seek to transform their business model by digitising processes and exploiting data.
The first step is to collect data. Through IoT deployments, now companies can connect to their industrial equipments and gather data to make informed decisions. Many of these IoT devices have advanced computing capabilities and can operate industrial equipment remotely; that is precisely why it is so important to properly secure these devices.
IoT devices are however, the most vulnerable element in the whole cyber security chain and the reason behind it, is the lack of firmware updates.
You might want to read:
In mature sectors such as personal computers and mobile phones, it is very common for devices to receive notifications of new versions and security patches, that once downloaded and installed, protect smartphones and laptops against the latest vulnerabilities.
However, in the Industrial World this is far from the norm, and it is very common that, once IoT devices are deployed in their physical environment they are never updated, which greatly increases the risk of falling into a cyber attack. There are mainly two reasons why IoT devices are not being updated in the same way that our phones or computers are:
1. The immaturity of the Industrial IoT market means that cybersecurity is not perceived as a primary need
If we were to put all the needs that motivate a company to undertake an IoT project into a sort of Maslow’s pyramid, there are other concerns that come before cybersecurity, and that is preciselty the big mistake. Worrying about IoT security after the project has been developed, instead of doing it from the start, from the design stage.
2. The complexity of managing a distributed, remote and tremendously heterogeneous environment
The very concept of IoT is based on the existence of a multitude of distributed «things». Being able to ensure that all these devices can be updated in an efficient and scalable fashion, makes it essential to have a secure remote management system. Otherwise, the cost of having to periodically update IoT devices locally would make any project of a certain size unfeasible.
In addition, the lack of standards in the development of IoT devices complicates this management, and leaves it up to each supplier to respond (or not) to this need.
Industrial IoT security: recommendations for protecting IoT edge devices
The most common vulnerabilities in IoT revolve around the following aspects:
- The use of weak or embedded passwords
- Insecure network services
- Use of insecure interfaces
- Lack of update mechanisms
- Lack of data storage and transfer security
- Inadequate device management
In the face of this list of typical vulnerabilities, organisations such as OWASP publishes guidelines on their website indicating which aspects should be taken into account when developing IoT solutions and which protection measures should be taken.
Along these lines, Barbara IoT has compiled a cybersecurity guide outlining the regulations, standards and recommendations that should be followed to ensure the integrity of any IoT solution that a company decides to adopt. If you are interested in this article and want to know more about how to secure your IoT delployment, do contact us!