Still early in the IIoT maturity curve, the security industry has a lot to learn about defending critical infrastructure.

The Internet of Things and Industrial IoT are causing a lot of security headaches, mostly because these devices and the solutions used to secure them are still in the nascent stages of being developed and coming to market. Industrial automation devices are installed across all critical infrastructure environments, from electric, oil, and gas to pharmaceuticals and chemical factories.

Phil Neray, CyberX’s vice president of industrial cybersecurity, said even though the federal government has classified all of these as critical infrastructure, “The fact is that all of these devices were designed a long time ago.”

With their age comes the issue that the protocols used to communicate were designed before anyone really understood the vulnerabilities in them. Neray said, “They lack many of the features we take for granted in cyber, and that leaves room for lots of zero days.” The industry has seen many zero day vulnerability disclosures, and at the risk of sliding into some serious FUD, Neray is calling them “Forever Day” Vulnerabilities, possibly serious enough to be considered the “Heartbleed of OT networks”.

By way of example, Neray talked about the recently issued patch for a vulnerable software—CODESYS Web Server v2.3—that is part of the WebVisu visualization software (developed by a company called 3S-Smart Software Solutions GmbH). “The problem isn’t with the patch, but with the patching process and its convoluted, disorganized supply chain, which makes patching so complex it becomes a non-starter,” said Neray. CODESYS software is middleware found in hundreds of industrial products made by dozens of vendors who first need to patch their own firmware code, and then send those fixes downstream to hundreds or thousands of their customers. Neray said those customers then need to patch, or “reflash,” all affected devices on their OT networks.
“Putting aside the myriad issues with skittish and/or de-incentivized OEMs at the top end of the supply chain who need to spend time and effort to recode their firmware, test the patch, and package it for download,” Neray said the reality is that a power company can’t cut off power to an urban neighborhood for a week to make sure these vulnerabilities are properly patched on all their devices. When many of these environments are running 24/7, how do they interrupt to patch? Recognizing that their attack surface is growing bigger, what do they do?

“Detect and respond. Firewalls can’t do everything you need them to do. They need to focus on how to detect and respond,” Neray said.

Unfortunately, phishing is the most common form of attack in corporate networking, and there have been some pretty large-scale attacks that started through phishing. The obstacle for security professionals is the fact that they can’t patch a human. “Phishing attacks rely on the 1 to 2 percent that will make the mistake. Because they can’t patch devices, a lot of corporate IT are deploying solutions that detect and respond in order to isolate the device or do other things to block the attack,” Neray said.

A second strategy is segmentation. Many industrial organizations have one big flat network in which a single device is connected to every other device. “They can segment the industrial network into small subnetworks, and the attacker will have a more difficult time pivoting to other areas of the network,” Neray said. Given that at some point all of these devices are going to be connected, Neray said, “Don’t leave your industrial devices directly exposed to the internet. Don’t leave them publicly exposed.”

If a device has been compromised, the first thing the attacker wants to do is connect to the command and control center. “Block that traffic. Create a rule on the firewall that says any traffic coming from here can’t go there,” Neray said.
In the corporate IT environment, it’s very common to routinely analyze servers for vulnerabilities, misconfigurations, or patches that need to be applied. Compliance regulations have helped, said Neray, but “In the OT environment, it is not the case. One third of manufacturing companies have never done it, and about half do them occasionally.” The industrial environment is different from corporate IT networks because “You can’t ping or interrogate the devices. That will disrupt, slow down, or possibly even crash the devices,” Neray said.

Since it’s so difficult to do automated vulnerability assessments because the traditional tools aren’t suited, Neray recommends that they manually do pen tests.

“In the same way that there is a whole community of researchers looking at vulnerabilities, there is a small but growing community of researchers on the industrial side looking for zero days in industrial systems and monitoring the ecosystem for cyber operations,” said Neray.

In addition to these security strategies Neray recommends, he said that research in the industrial domain is a necessary part of what needs to be done to secure critical infrastructure and the IIoT.
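Two of Neray's recommendations above fit together in practice: segment the OT network and block its devices from reaching the internet or a command-and-control server, and, because OT devices cannot be actively pinged or scanned, learn what is on the network by watching traffic passively. The script below is an added example written for this article, not CyberX's product or anything Neray described in detail. It works over a handful of constructed flow records in a Zeek conn.log-like layout (timestamp, source, destination, destination port, protocol); the addresses, the OT segment and the allowed peer network are all assumptions. It builds a passive inventory of OT hosts and the services they were seen answering on, and flags any flow in which an OT device initiates a connection to a destination outside the segments it is permitted to talk to, which is the kind of egress a firewall rule or an alert would cover.

```python
"""Passive OT egress check and inventory over constructed flow records.

Added example, not code from the article or from CyberX. The segment
addressing, allowed peer network and flow lines are constructed for
illustration only.
"""
import ipaddress
from collections import defaultdict

# Assumed addressing: the OT segment and the one peer segment (for example a
# historian/SCADA DMZ) that OT devices are permitted to communicate with.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PEER_NETS = [
    OT_SEGMENT,                                # intra-segment traffic is fine
    ipaddress.ip_network("10.30.5.0/24"),      # assumed DMZ segment
]

# Constructed flow records: ts src dst dport proto. TCP/502 is Modbus/TCP and
# TCP/44818 is EtherNet/IP; the two public addresses come from TEST-NET ranges.
SAMPLE_FLOWS = """\
1507000001 10.20.0.15 10.30.5.10 502 tcp
1507000002 10.20.0.15 10.20.0.99 44818 tcp
1507000003 10.20.0.22 203.0.113.45 443 tcp
1507000004 10.30.5.10 10.20.0.22 502 tcp
1507000005 10.20.0.22 198.51.100.7 53 udp
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({
            "ts": int(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        })
    return flows


def is_allowed_destination(addr):
    """True if the destination lies inside a segment OT devices may reach."""
    return any(addr in net for net in ALLOWED_PEER_NETS)


def check_egress(flows):
    """Return (src, dst, dport, proto) tuples for OT-initiated flows that leave
    the permitted segments. These are the connections a default-deny egress
    rule on the segment firewall should be blocking and alerting on."""
    violations = []
    for f in flows:
        if f["src"] in OT_SEGMENT and not is_allowed_destination(f["dst"]):
            violations.append((str(f["src"]), str(f["dst"]), f["dport"], f["proto"]))
    return violations


def passive_inventory(flows):
    """Build an inventory of OT hosts from observed traffic only, with no
    probing: each host maps to the (proto, port) services it was seen
    answering on. Hosts seen only as clients get an empty set."""
    inventory = defaultdict(set)
    for f in flows:
        if f["src"] in OT_SEGMENT:
            inventory[str(f["src"])]          # register the host as present
        if f["dst"] in OT_SEGMENT:
            inventory[str(f["dst"])].add((f["proto"], f["dport"]))
    return dict(inventory)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, services in sorted(passive_inventory(flows).items()):
        print(f"{host}: serves {sorted(services) or 'nothing observed'}")
    for v in check_egress(flows):
        print("egress violation:", v)
```

The inventory is built entirely from traffic the devices were already sending, which is the point of the passive approach: no packets are sent at the controllers. In a real deployment the flow records would come from a SPAN port or tap rather than an embedded string, and the violation list would feed the firewall rule or the alert rather than a print statement.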