It used to be that security for industrial sensors and actuators meant physical security, padlocks, locked doors and tall fences. The disadvantage of these unconnected sensors was that people needed to walk out into the factory or into the field to read gauges, open valves and throw switches.
Within the gates of these factories and refineries, the next step forward was to connect the individual sensors to internal proprietary networks or to networks developed by programmable logic controller (PLC) manufacturers, such as Modbus, developed by Schneider Electric, or DeviceNet, developed by Allen-Bradley. This period of PLC-based networks is often referred to as Industry 3.0.
These original PLC networks have evolved into open-source communication standards compatible with both Ethernet and the standard TCP/IP internet protocols. Dozens of manufacturers now make industrial computers, controllers and sensors compatible with one or more of these open-source industrial communication standards.
For industrial communication standards, cybersecurity threats are minimal...
These industrial networks are secure against routine intrusion because they typically have limited, controlled connections to the internet, while their unfamiliar architecture makes hacking them unprofitable for cybercriminals.
The topology of these networks means that at most they have one or two connections to the internet through their control and monitoring applications running on corporate servers. These connections to the internet are primarily used for firmware upgrades or for remote access to the network.
Even if a hacker gains access to the industrial network through one of these connections, the network and PLC architectures are different enough that malicious code developed to attack corporate servers will not necessarily cross over to the industrial networks. Since “standard” hacking tools often do not work on industrial networks, the cost of developing specific tools for hacking industrial networks is high, and there is little payoff for the cybercriminals.
National intelligence agencies do occasionally use the firmware update vector to hack an internal PLC-based network. The most famous incident is the sabotage of the Iranian uranium enrichment centrifuges in 2010.
...but cybersecurity is a major issue for IIoT
To the outside world, an industrial IoT (IIoT) sensor is no different from a corporate laptop: it is a computer connected to the internet with an IP address that can send data to and receive data from another computer anywhere in the world. However, a corporate laptop is typically secured behind a corporate firewall, and the IT group in the organization typically tests and then pushes out regular security updates from Apple or Microsoft.
Apple and Microsoft, for their part, have large teams of cybersecurity professionals who constantly look for and fix security gaps in their laptop and server operating systems. Yet corporate computer systems are still regularly hacked, either to steal data or to ransom it.
An IoT sensor, on the other hand, is often developed by a small company using either their own software stack or an unpatched open-source version of Linux. Firmware updates are infrequent or non-existent. The sensor may or may not be behind the corporate firewall depending on where it is located. Even if it is on the corporate network, IT may not consider IoT devices their responsibility. Consequently, IoT devices are an easy target for hackers.
IoT devices are usually hacked for three reasons:
1. They are used as botnets for denial of service attacks. Some security analysts believe that IoT devices comprise most botnets used in these denial of service attacks. This means that the IoT process temperature sensor may be busy attacking a corporate website rather than monitoring the process temperature.
2. They are collateral damage. A ransomware attack on the corporate servers could inadvertently lock up the IoT management server, making the data for those sensors unavailable. The ransomware might also unintentionally infect the IoT devices themselves as it rampages through the corporate servers.
Malware targeted at one company may get out into the wild and attack bystander organizations. The international shipping company Maersk was shut down for weeks in 2017 when malware targeted at Ukrainian accounting software was introduced into Maersk’s network. As every server in the company shut down, IoT card readers stopped working, locking employees out of buildings. The gates at the Maersk shipping terminals also went down, preventing thousands of container trucks from passing in and out of the company’s terminals for weeks.
3. They are an attack vector to launch ransomware attacks. IoT devices are a vulnerable entry point into corporate networks. Malware introduced into IoT devices can then spread to and infect the corporate servers if the IoT devices are not properly secured behind a firewall designed to block such traffic.
Where do attacks come from?
Attackers of IoT devices often reverse engineer the devices to find security weaknesses in the device software, because for many IoT device manufacturers, software security is far down the list of concerns.
Another common attack is to hack the device manufacturer. Because the IoT device manufacturers themselves do not have good internal security, bad actors will penetrate the manufacturer’s network and compromise firmware patches to install malware on the device. It sounds far-fetched, but a compromised software update from internet security company SolarWinds led to a massive national security breach last year.
The last vulnerability is the management software used to monitor and control the IoT devices. In the attack on the Ukrainian power grid in 2015, hackers simply took control of the management software, first locking out legitimate users, and then simply using the management software itself to shut off breakers at substations all around Kiev.
How to protect IIoT sensors
The benefits from the IoT are too great to simply walk away from. So, what can a company do to protect itself?
First, involve IT during the device selection and installation process, understand the supplier’s cybersecurity process and testing, and understand how to configure the devices and the network to maximize security. Additionally, do not use the device’s default password. Make it at least a little challenging for the criminals.
Second, test all firmware updates in a sandbox before deploying them. Do not allow the manufacturer to push updates directly to the devices. Unfortunately, many software worms are dormant until they receive a message from the attacker’s server, weeks or months after the malware has infected the target computer. Testing the firmware updates before deployment may buy enough time for any compromised updates to be discovered by the manufacturer, or another customer.
Third, several vendors now make a variety of firewalls and intrusion detection software specifically for IIoT networks. This software will monitor the IoT devices and detect and block anomalous communication or unusual behavior. These systems are not foolproof, but they do add one more level of protection against an attack.
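The monitoring the three steps above describe comes down to knowing what each sensor is supposed to talk to and flagging everything else. The following is an added example, not code from the article or from any of the IIoT firewall vendors it mentions: a small egress-policy checker that reads constructed flow-log lines from a sensor segment, flags any connection that is not to the sensor's own management server, and labels a burst of connections to one unexpected host as the "sensor busy attacking a website" pattern described earlier. The device addresses, ports, policy table, log format and flood threshold are all assumptions made for the example.

```python
"""Added example (not from the article): a minimal egress-anomaly detector for an
IIoT sensor segment, a scaled-down version of what IIoT firewall/IDS products do.

Assumptions (all constructed for this example):
  * Each sensor has exactly one legitimate peer: its management server, on one port.
  * Flow records are one per line: "<ts> <src_ip> <dst_ip> <dst_port> <bytes>".
  * Any other destination is flagged; many flows from one sensor to one
    off-policy host are additionally labelled as a likely DoS/botnet pattern.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Expected communication policy: sensor -> (management server, port).
# Hypothetical addresses; a real deployment would load this from the asset inventory.
POLICY = {
    "10.20.0.11": ("10.20.0.2", 8883),   # temperature sensor -> MQTT over TLS broker
    "10.20.0.12": ("10.20.0.2", 8883),
    "10.20.0.13": ("10.20.0.3", 502),    # flow meter -> Modbus/TCP gateway
}

# More than this many flows from one sensor to one unexpected host in the log
# window is treated as a flood rather than a single stray connection.
FLOOD_THRESHOLD = 5


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one constructed flow-log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Flow(parts[0], parts[1], parts[2], int(parts[3]), int(parts[4]))
    except ValueError:
        return None


def analyse(lines, policy=POLICY, flood_threshold=FLOOD_THRESHOLD):
    """Return a report dict:
    'unexpected'      : Flow objects that leave the policy
    'floods'          : {sensor_ip: {dst_ip: count}} for off-policy peers hit >= threshold
    'unknown_sources' : source IPs with no policy entry (unmanaged devices on the segment)
    """
    unexpected = []
    per_peer = defaultdict(Counter)
    unknown = set()
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f.src not in policy:
            unknown.add(f.src)
            continue
        allowed_dst, allowed_port = policy[f.src]
        if (f.dst, f.dport) == (allowed_dst, allowed_port):
            continue
        unexpected.append(f)
        per_peer[f.src][f.dst] += 1
    floods = {src: {dst: n for dst, n in c.items() if n >= flood_threshold}
              for src, c in per_peer.items()}
    floods = {src: d for src, d in floods.items() if d}
    return {"unexpected": unexpected, "floods": floods, "unknown_sources": sorted(unknown)}


# Constructed sample log: normal telemetry, one sensor hammering an outside web
# server on port 443, one sensor opening an off-policy SSH session to the broker
# host, one unmanaged device appearing on the segment, and one malformed line.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.20.0.11 10.20.0.2 8883 412
2024-01-01T10:00:01 10.20.0.12 10.20.0.2 8883 398
2024-01-01T10:00:02 10.20.0.13 10.20.0.3 502 64
2024-01-01T10:00:03 10.20.0.11 203.0.113.9 443 1500
2024-01-01T10:00:03 10.20.0.11 203.0.113.9 443 1500
2024-01-01T10:00:04 10.20.0.11 203.0.113.9 443 1500
2024-01-01T10:00:04 10.20.0.11 203.0.113.9 443 1500
2024-01-01T10:00:05 10.20.0.11 203.0.113.9 443 1500
2024-01-01T10:00:05 10.20.0.11 203.0.113.9 443 1500
2024-01-01T10:00:06 10.20.0.13 10.20.0.3 502 64
2024-01-01T10:00:07 10.20.0.13 10.20.0.2 22 210
2024-01-01T10:00:08 10.20.0.99 10.20.0.2 8883 300
malformed line
""".splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for f in report["unexpected"]:
        print(f"OFF-POLICY {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.nbytes} B)")
    for src, peers in report["floods"].items():
        for dst, n in peers.items():
            print(f"FLOOD      {src} -> {dst}: {n} flows (possible DoS/botnet activity)")
    for src in report["unknown_sources"]:
        print(f"UNKNOWN    {src} has no entry in the asset policy")
```

On the sample log this reports seven off-policy flows, one flood (the temperature sensor at 10.20.0.11 opening six connections to an outside host) and one unknown source. The design choice worth noting is that the policy is a positive allowlist per device: an IIoT sensor has a tiny, predictable set of peers, so "anything not on the list" is a far stronger signal here than it would be for a laptop, and the same table doubles as the firewall rule set for the segment.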
Even with the best precautions, it pays to be prepared for the worst. When developing IoT networks, assume that the network could be unavailable for days or weeks. For this reason, do not let an IoT network be the only control network for mission-critical or safety-critical systems. The legacy industrial networks are still relatively secure and may be a better choice for some applications.
Finally, remember manual backups are hard to hack. Even the most sophisticated IoT door locks still have manual key locks — because no one wants to be locked out of their own house by a cybercriminal.
About the author
Dave Warburton is an engineering professional with extensive experience in medical device product development and program management. He has written many articles and posts about engineering management and new technology.