Many industrial automation systems have been in place for years, but now they're being connected to the public internet they're becoming exposed. The more devices you connect to the internet, the more vulnerable they become, which is exactly what's happening to the Industrial Internet of Things.
"The IoT cuts across different sectors and embraces multiple devices and networks," says Professor Jon Howes, Technology Director at analysts Beecham Research, who thinks the era of machine-to-machine applications that were easy to secure is over. "Wherever there is a new interface between devices, networks, platforms and users, there is the potential for a new weak link," he adds.
In this article, we're going to explore the security issues surrounding Industry 4.0, looking at what devices might be at the most risk, and how attacks will likely occur.
What needs to be secured?
Industry 4.0 needs a security makeover. "Everything connected to the company network needs to be secured, from wearables and smart motion sensors to assembly line machinery and automation systems," advises Catalin Cosoi, Chief Security Strategist at Bitdefender.
Anything with a sensor or a data connection, which can be everything from factory machinery, automated robots, railways, medical equipment and security cameras to jet engines, oil rigs, pipelines and even military hardware. All increasingly have sensors, and send back data via proprietary systems that connect to the internet for remote control, often via apps. This new approach – dubbed Industry 4.0 – is designed to encourage efficiency, or to automate decisions on whether to increase or decrease production. It's at the edge of these networks where the predictive data analytics software sits.
"Many of the endpoint devices that are implemented as part of IoT projects are actually very simple – normally they are based on sensors connected up to networks through controllers like Arduino or Raspberry Pi," says Amol Sarwate, Director of Engineering at manufacturing and system control applications company Qualys, who conducts research into industrial internet and SCADA security. "However, these controllers can have open USB ports or other connections built in that can then be accessed."
Open ports are a gift-wrapped invitation to hackers. "Open ports are the first thing that external hackers will try and take advantage of when breaking into a network," says Sergio Galindo, general manager, GFI Software.
The entire IoT is at risk, though devices that power financial transaction and critical infrastructure systems will likely be prime targets for hackers.
What kind of devices might be at most risk?
For industrial IoT devices, the most at-risk devices include sensors, programmable logic controllers (PLCs), human machine interfaces (HMIs) and distributed control systems (DCS). "These are the kind of things that make industrial systems run, and as these devices are upgraded, connected to IP networks, and become accessible to an increasingly inter-connected world, the risk of being exploited grows," says David Meltzer, Chief Research Officer at Tripwire.
However, anything connected to the internet is a source for concern. "All IP-enabled connectivity and web services, historians, advanced analytics software, intelligent field devices and digital field networks need to be secured," says Jalal Bouhdada, Founder and Principal ICS Security Consultant at Applied Risk. "This includes smart sensors/transmitters, analysers, embedded systems, smart gateways, smart machines, controllers/safety controllers, mobility devices, human machine interfaces, wearable devices, radio-frequency identification (RFID) tags, control networks and field devices."
For IT staff, the to-do list is long – and manual rather than automated patching is likely needed for IoT devices, too.
How does an external attack work?
"Software hacking and port hacking – taking advantage of open ports that cut through the firewall – will be the most likely attack vectors," says Galindo, who advises that switches, routers and Wi-Fi access points should be correctly configured, made secure, and that network ports are closed. "Companies and IT administrators need to be aware of built-in network capabilities that can make any device a potential backdoor into enterprise networks, aiding in data exfiltration or even denial of service attacks," adds Catalin Cosoi.
Not only does the IoT bring the spectre of a remote attack via the internet, but some embedded systems gather data from thousands of sensors on devices deployed in public places. Each is physically accessible to everyone in that vicinity.
"The threat actors will usually focus on compromising the security of an embedded system in order to gain elevated access to fully control the system," says Bouhdada. "Since most of these products use the same embedded technologies the effect becomes significant in the case of these technologies being hacked." From a user point of view, disruption from hackers takes four distinct forms: Denial of Control (DoC), Loss of Control (LoC), Loss of View (LoV) and Manipulation of View (MoV).
Hackers can access an IoT device, then use it to gain entry to the backend data collection platform, and from there, compromise an entire enterprise IT infrastructure.
Are there safety implications?
Some think that a cyber-attack that causes deaths is imminent. In June 2015 there was an accident in Baunatal, Germany, where a robot at a Volkswagen plant killed a worker. It was accidental, but it clearly demonstrated why the IIoT needs to be more secure.
"The biggest concern right now is safety," says Sarwate. "An attacker gaining access to a system and intentionally causing harm to an individual, or creating a larger scale incident is a real threat – we know there are terrorists out there that are increasingly making use of the internet, and that we have systems being connected to networks that are vulnerable to attack."
However, it does depend on the industry in question. "The impact of [an attack] can be sizeable, including significant financial loss, and the potential loss of life and injuries in the case of explosions in the oil and gas, and chemical sectors," says Bouhdada. "There is also the possibility of the loss of assets and environmental damage in the case of the release of toxic gas."
The hardware problem
Many IoT devices are not up to the job because there are no minimum specifications for security. Moreover, most don't have visual displays, so don't show any signs of trouble even if they are taking part in an attack. Are manufacturers of electronics, components and personal devices taking security seriously?
"There is an international ISO/IEC 29192 standard, which was devised to implement lightweight cryptography on constrained devices," says Dr Kevin Curran, Technical Expert at the IEEE, though he insists that most IoT devices have too limited a memory size and are built around processors that are simply too weak for traditional heavy cryptography.
"As the devices become more commonplace in the organisation, there's also a growing need for a more joined up approach to security between IT teams and procurement," says Nick Pollard, Senior Director, Professional Services at Guidance Software. He believes that organisations are increasingly insisting on having access to the operating code of any internet-enabled device before they purchase it, so that they can monitor it with their own technology for any potentially suspicious behaviour.
With the Industrial IoT expected to be worth $320 billion (around £205 billion, or AU$435 billion) by 2020, security will be at the core of whether Industry 4.0 succeeds.