Rising value of data and growing complexity driving sense or urgency.
The rapid growth of the Industrial Internet of Things is raising questions about just how secure these systems are today, how to improve security, and who exactly should be responsible for that.
These issues are interlaced with a shift in where a growing volume of data gets processed, the cost and speed of moving large amounts of data, and the increasing frequency and cost of attacks.
“Digital data is doubling every 1.5 to 2 years,” said Steven Woo, vice president of systems and solutions and a distinguished inventor at Rambus. “That is causing a growing concern with security. The data is becoming more valuable.”
Along with that, the systems that process that data are becoming much more complex.
“Complexity is one dimension of the challenge,” said Marc Canel, vice president of security systems and technologies at Arm. “There is a layering of technologies, from the physical IP, in which the key that will make the root of trust is embedded, all the way up to the application and everything in between. There also is complexity in the processes to build all of these things, to provision them, to load the code and to load the keys. One of the big challenges is there is no standardization across the overall IoT world.”
But unlike the IoT at large, there is a concerted effort in the IIoT space to identify best practices and close up security holes. In fact, an IoT vendor consortium published a cybersecurity guide this week designed to improve security of industrial IoT networks. The guide shows how unprepared some end-user companies are to secure a new set of IoT systems.
Endpoint Security Best Practices, published by the Industrial Internet Consortium, is a guide designed to make it easier for industrial operations staffers to find their way through guidelines from several organizations to the security information they need. The guide’s target audience — factory owners or managers, factory equipment makers and the integrators and resellers who put together industrial production and Industrial Control Systems — know exactly what it takes to make their own factories and systems work the way they should. But they often have trouble identifying either problems or solutions when it comes to securing new installations of industrial IoT networks, according to Steve Hanna, senior principal at Infineon Technologies and one of three co-authors of the report.
The majority of the guide’s audience includes engineers specializing in operations and process management, working in companies that often run on Industrial Control Systems (ICS) or SCADA applications, according to Dean Weber, CTO of Mocana and co-author of the IIC paper.
Getting up to speed on IT systems rather than OT (operational technology), and on cybersecurity rather than physical security, requires a change in outlook. But more practically, it also requires a ton of reading — more than a thousand pages of heavy technical material on cyber hygiene and IoT design advice from the IIC’s own framework, along with others from NIST, IEC and the German government’s Industry 4.0.
“That’s a lot to ask of industrial engineers, operations people, manufacturers who are used to having an operational cadence to what they do, not cybersecurity,” Weber said. “Cybersecurity leaves them scratching their heads a little bit. This gets them thinking about regulatory compliance objectives and tries to get them thinking about low-level objects that still need security — a thermostat, for example, that could serve as an entry point for an attack.”
The guide includes simple definitions of common security terms including root of trust, secure boot, trust anchor, and trust chaining to get the audience comfortable with those concepts, Hanna said. Its definition of endpoint, which is any device with computational capabilities and network connectivity, makes the argument that any device can be attacked and become a dangerous entry point, regardless how trivial it seems.
“The industrial community is just at the edge of realizing their systems can also be the targets of malicious intent of everything from script kiddies to near-peer nation-states,” Weber said. Attacks on utilities, industrial companies, financial institutions and any other organization that would have an immediate impact on large numbers of customers isn’t just possible because there are a lot of hackers and malware out there. “It could be a policy decision like the  BlackEnergy3 [malware-based] attack on the energy grid in Ukraine [allegedly by the Russian government].”
Utilities and industrial companies have been favorite targets for attack, presumably due to the wide impact of an attack and the relative simplicity of taking down often antiquated, undersecured systems. In June 2017, several research companies concluded that the CrashOverride/Industroyer malware was designed to attack and disrupt ICS facilities, particularly electrical systems. It included an additional tool to exploit weaknesses in the Siemens SIPROTEC protection relays, according to a September 2017 report from Kaspersky Labs.
Between February 2017 and February 2018, 3.3% of nodes in industrial automation systems were attacked by cryptocurrency miners, according to Kaspersky Labs, which found most attacks originated from the Internet and most often attacked Win32 computers.
In March 2017, security firm Dragos reported approximately 3,000 industrial sites are hit by traditional, non-targeted malware every year, and that one piece of malware, disguised to look like a legitimate piece of software for Siemens Programmable Logic Controllers has been circulating for at least four years, attempting to infect industrial firms. The malware attacks regular computer systems, not IoT devices, but there are three pieces of malware specifically designed for smart industrial machinery — Stuxnet BlackEnergy and Havex, according to Robert M. Lee, founder of Dragos.
There is plenty of malware available that can infect IoT devices, however, which in turn can create disasters for industrial companies and anyone else, simply because so many devices ship with little or no security, according to Haydn Povey, founder and CTO at SecureThingz, and board member of the IoT Security Foundation.
The 2016 DDoS attack on DNS provider Dyn, for example, came from tens of thousands of printers, IP cameras residential gateways and baby monitors that had been infected with the Mirai malware, which took advantage of weak or absent passwords. Newer IoT-targeting malware including IoT Troop and Reaper use cracking techniques to penetrate a resistant device. Botnet development is going well enough that Bitdefender Labs has been keeping an eye on one that’s grown to more than 32,000 nodes, and Ars Technica spotted one offer to launch DDoS attacks of up to 300Gbit/sec for just $20.
People do need to take more care with their own devices, but IoT device makers need to meet them halfway by adding a few security features that would make a device harder to crack and easier to manage or trust, Povey said.
“The big holes [in IoT security] are caused by devices that haven’t got a root of trust,” said Richard Newell, senior principal product architect at Microsemi Corp. “They don’t have a trust execution environment, they haven’t got a definite ID. [IoT device makers are] too busy making the device work and haven’t worried about putting in security,”
Part of the problem has to do with a redefining of where computing gets done. “Traditionally people didn’t worry about edge devices because they figured they could protect the network at the gateway, but that doesn’t stop someone from launching a denial of service attack using the microcontroller in the fridge,” Povey said. “It really is the next-gen industrial revolution, but the IoT is not designed with security in mind and, for all the good data we can get from these devices, they can do a lot of damage, too.”
There is a lot of pressure to keep costs down and chipsets simple, but adding a very basic secure IC element to an existing chipset could cost as little as 30 cents and still “let you create identity at a broad level,” Povey said. “Realistically it would be better to go for a full device with a fully integrated secure microcontroller like the Renesas Synergy that integrates the core of a secure element and tamper resistance and gets you AES acceleration and true random number generation. Another option is a STM32h7 device, which has all the foundation of the PKI infrastructure. Or you can have a separate small microcontroller with an 8- or a 16-bit processor-that’s valid-or an Arm CryptoIsland or CryptoCell. All those options are either on the market or coming in the next few months.”
Microsemi’s customers have been in high-security businesses that really appreciated security and were willing to pay for it, but the others have begun to realize they can’t let IoT devices out without some protection and still expect to get full use out of them.
“It’s not everyone at once, but customers are demanding this kind of identification ability in all sorts of Internet infrastructure and IoT applications,” Newell said. “Government and DoD prime contractors understand security really well, but if you work your way toward the other end of the spectrum, the finance people have figured it out and the medical people are just barely realizing there’s a problem because wireless devices and pacemakers can be hacked.”
Unfortunately, many chipmakers don’t believe IoT security can be profitable. Some 38% of senior semiconductor company executives interviewed for a 2016 McKinsey & Co./GSA survey said their customers wanted security solutions that would eliminate 98% of risks, but only15% thought customers would pay a premium of 20% or higher and 42% thought customers would pay no premiums and expected prices to drop.
Fig. 1: Percentage of respondents who want security but are unwilling to pay premium for it. Source: McKinsey & Co./GSA
Charles Hsu, chairman and CEO of eMemory, likes the IoT security guidelines put out by the U.S. Dept. of Homeland security in 2016, which suggested that IoT chipmakers had hardware-based security, and that the device maker needs to add identity and authentication capability and a function that, if the device were hacked, would cause it to fail safely and securely.
“For IoT to be popular, security is very important, particularly for the endpoint device,” Hsu said. “Since you don’t usually have strong computing power in the end point, your security has to be simple and reliable.”
It matters less whether vendors add security individually, in response to government guidelines or in vendor-led groups such as Intel’s Enhanced Privacy ID project, but chip designers and device makers need to add something that would make it easier to plug the gaps, Newell said.
“It’s very important when you set up these Internet communication links that you know who you’re talking to,” he said. “This shouldn’t be one of those problems like stack overflow bugs that have been around for 30 years and you still have apps with stack overflow problems.”