The truth is that every versatile new tool also has a downside risk – such as the new wire cutters that make installing security fences faster and easier can also be used to compromise that same fence. The Internet and networked connected devices are no exception. Networking sensors, controls and other electronic devices that now comprise the Industrial Internet of Things (IIoT) are opening amazing new capabilities for purposes of data exchange, remote monitoring or control, while also creating new business and societal risks. Security cameras are the second most successful method of hackers breaching organizations, for example. Going forward, it will be vital to better understand these risks when adding any IIoT device to the network and take proactive steps to mitigate the potential downsides new devices represent.
IIoT devices are attractive targets
The nature of IIoT devices and infrastructure makes them high-value cyber targets. This is because they are relatively easy to compromise and are often connected to internal networks with high-value content with links to other networks. Moreover, IIoT devices rarely have direct user interaction, and this unattended nature means that many types of device compromise are likely to go unnoticed and undetected – particularly when the malware does not disrupt the device’s primary functionality.
Here are a dozen reasons why intelligent IIoT devices are attractive targets for hackers:
They perform critical functions which can wreak havoc or cripple operations when they are compromised.
They have appropriable processing power that can be redirected to act at the bidding of the hacker to steal resources or even attack other systems.
They exist at a scale which means that thousands, hundreds of thousands, and possibly millions of devices can be compromised and connected to a hacker’s command and control server to disrupt operations or fuel DDoS attacks.
Even small installations of IIoT devices are usually connected to larger networks, and so compromising a single device can act as a doorway to other targets.
They are always on, so their attack surfaces are always available and visible to attackers, although the attacks are usually out of sight and not visible to system users.
They often run on an embedded or stripped-down operating system that is relatively easy to infect with malware, compared with web servers and other devices designed to face the public.
They often include widely used low- or no-cost common code libraries that are often outdated and contain unpatched vulnerabilities.
They generally lack basic security because they do not have enough processing power to run security applications like servers and workstations do, making them less able to detect, block, or even report malware infections.
They often have password weaknesses, either because they ship with well-known default passwords (like admin, system and password) or because in-house or contracted technicians don’t have a mechanism to manage strong passwords at the scale of such installations.
They are often part of systems that are installed or maintained by third-party services, whose personnel typically have poor password management practices which are stored in obviously-named spreadsheets or text files, and whose networks are often less secure than those of the companies they service.
They often have outdated firmware because of the difficulty of maintaining such a large number of different devices allowing them to remain unprotected even when the manufacturer has released fixes for known vulnerabilities.
They employ weak authentication methods, such as a simple username and password, which in the context of hundreds or thousands of devices often leads to technicians sharing and reusing passwords – which are rarely changed over time.
As this list shows, implementing robust cyber hygiene in an IIoT system is not a one-time event, but will require ongoing attention and actions.
The changing nature of attacks
The nature of these vulnerabilities involves class breaks, where the compromise of a single device enables access to an entire group of devices. This is a familiar concept in traditional risk management, which can be thought of as the difference between a home fire and an earthquake. The home fire is how we traditionally think of cyber attacks, happening to select companies over a given time period. In contrast, an earthquake happens to everyone in the community at once, or not at all. The increasing computerization and networking of all our systems, along with attackers that are looking for class breaks to exploit, are moving us from a house fire model of risk ever closer to an earthquake model, where a successful attack can have extensive impact across many companies and individuals.
In Part 2 of this series, we will look at methods for protecting IIoT devices.