As industrial and manufacturing organizations increasingly shift towards digital transformation due to its inherent advantages, OT and IIoT endpoint protection will need to consider all of the potential risks and attack vectors associated with those decisions. Though the adoption of these technologies helps boost efficiency and speed, the same interconnection can be exploited by hackers, thereby making the industrial control system (ICS) environment susceptible to cyber threats.
A breach or cybersecurity incident in either the operational technology (OT) or the industrial IoT (IIoT) frameworks can lead to a host of risks, such as the leak of company information critical to the way in which business operations are carried out, theft of intellectual property designs and structures, and exposure of data on how a product is manufactured or produced.
OT systems incorporate and manage programmable systems or devices that transact with the physical environment, while the IIoT framework is made up of sensors, instruments, machines, and other devices that interweave sources of real-time data using internet connectivity.
OT endpoints are made up of database servers, SCADA (supervisory control and data acquisition) systems, application servers, Level 2 control systems, manufacturing systems, asset management systems, human-machine interface (HMI) systems, and engineering workstations. Typical IIoT endpoints include edge devices, communications infrastructure, cloud servers, or anything in between that has computation and communications capabilities and exposes functional capabilities.
Every OT and IIoT endpoint has different requirements and hardware constraints that affect the level of protection that can be achieved, so security mechanisms and techniques must be applied to each endpoint according to its specific function and security requirements.
Vendors must be aware of risks lurking in the industrial and manufacturing environments, coming primarily from rising ransomware, coin miners, and malware that lies low in the legacy ICS and OT infrastructures. Organizations must choose a deployment strategy that helps to mitigate such threats, as different security measures are built for technologically different purposes or applications.
Some tools and applications help diagnose and detect problems; others can be deployed in the network to help organizations prevent attacks from ever happening in the first place, thereby strengthening OT and IIoT endpoint protection.
Some of the risk factors involved in OT and IIoT endpoints come from the fact that some of the endpoints in these environments run out-of-date software and are not patched regularly, if at all, William Malik, Trend Micro’s Vice President of Infrastructure Strategies, told Industrial Cyber.
He said that the biggest risk facing endpoints is that they will be compromised by malware for one or more of the following purposes: harboring ransomware, data exfiltration, crypto mining, harvesting credentials, altering settings to wreck machinery or corrupt industrial processes, forging message traffic to cause false alerts or mask attacks, sending malicious traffic elsewhere in the network as lateral movement, or serving as spam relays.
“The core problem is that endpoints are cheap and ubiquitous. If the devices were more functionally robust, so they could generate digital signatures, keep forensically durable logs, or scan and intercept malicious processes, they would cost much more and require a lot of monitoring and attention,” Malik said. “When possible, upgrade the firmware or software these devices run, when more secure versions become available. Where possible, segment the IIoT network to limit malicious traffic. Where possible, monitor the network for indications of compromise (IoC) to detect and block malware or stop data theft.”
Malik is hopeful that more comprehensive cybersecurity tools will become available to cost-effectively monitor endpoints in general IIoT environments. “For now, use your risk assessment methods to identify and secure the most critical devices. Link this with your existing IT security monitoring and response tools. As your capabilities grow and your understanding of risk improves, expand that monitoring appropriately,” he added.
David Barzilai, Executive Chairman and Co-Founder at Karamba Security, said that the primary risk factor for IIoT and OT endpoints is safety impact. “An exploited endpoint in a manufacturing plant could cause a breakdown, fires, or worse yet, introduce subtle flaws into hundreds or thousands of manufactured components which would later lead to multiple accidents and have an environmental or life and death impact on employees or end-users. The secondary risk factor is severe monetary damage to the manufacturer, caused by shutting down the production line,” he told Industrial Cyber.
The major risks in IIoT/OT endpoints are supply chain compromises, data-based attacks, lack of local activity logs for forensics, and ransomware, Srinivas Kumar, Chief Product Officer and Chief Technology Officer (CTO) at Mocana, told Industrial Cyber. “Risk mitigation requires runtime operational integrity measurements and assessments to establish trusted state, device authentication, and remote remediation for timely intervention,” he added.
The biggest threats for OT/IIoT endpoints remain vulnerable code running unpatched vulnerabilities, said Trend Micro’s Malik. “Most cyber crooks don’t work late nights trying to hack apart exotic tech. They rent tools to exploit known vulnerabilities and then blindly attack everything they can find. The problem is the software supply chain: someone comes up with a clever, lightweight, efficient implementation of the TCP/IP stack and shares it with an open-source community. That code gets borrowed and built into the software that gets incorporated into endpoint tools,” he added.
“The bug was created years ago by a talented hacker (the good, original meaning of the name) who never imagined that his or her software would ever end up running in a petrochemical refinery or a cardiac pacemaker. But it is, and the bug is now being sold in the criminal underground along with an exploit kit,” according to Malik.
Kumar picked the key threats for OT and IIoT endpoints as stemming from sophisticated attacks with sophisticated tools and methods by nation-state actors to stage cyber warfare for extortion, social or political activism. “The intent of such attacks would be to cause harm, directly or indirectly, to essential services. They arise because the traditional network layer detection and prevention countermeasures are inadequate against the techniques used by sophisticated malware. The security gaps on the endpoint cannot be plugged on the network,” he added.
Barzilai identified the security threats faced by OT and IIoT endpoints coming from multiple risk profiles, including ransom attacks driven by pure profit motivation, nation-state attacks that usually leverage supply chain vulnerabilities, in order to gain access to sensitive production and IP data, internal attacks to sell the data or copy and sell sensitive data, and terrorist organizations to create financial or safety damage.
Citing instances of how these attacks take place, Barzilai said that “remote code execution attacks are the OT Armageddon, with an attacker outside the plant or power facility able to modify a controller and change control values. A slightly lesser threat is a Denial of Service ‘only’. While it is less risky than remote code execution, it can still affect safety systems, or cause physical damage by the system’s inability to act.”
The presence of brownfield OT assets and a growing number of connected devices place greater challenges on OT and IIoT endpoint protection. A brownfield environment is where new solutions and components must coexist and interoperate with existing legacy solutions, while greenfield environments are where legacy, older systems do not exist, removing such constraints.
In brownfield deployments, endpoints stay in service for long periods of time, sometimes for decades, yet they should be upgraded to safe levels without disrupting existing business processes. Security controls should be loosely coupled to the industrial and manufacturing processes to minimize the interdependencies between them.
OT assets have a longer life cycle of 20 years or more compared to IT assets which are often obsolete in three to five years. “Therefore, it becomes even more important to protect assets that were commissioned at the time cyber was just another Greek word. Reducing the risk for such assets is imperative,” according to Karamba’s Barzilai.
“Regulatory requirements (such as the newly issued Executive Order), following industry regulations such as IEC 62443, require device manufacturers to provide detailed data about cybersecurity methodologies, which are used during the production and software updates of OT and IIoT endpoints,” Barzilai added. “The way to increase the much-required security posture of brownfield devices is by leveraging the firmware update mechanism that is offered by the device manufacturer.”
“Most of the successful attacks take advantage of flaws that have been known for two or more years,” according to Trend Micro’s Malik. “The vulnerabilities in the open-source TCP/IP stacks – Urgent/11, Ripple20, Amnesia:33 – date back over ten years. This code ended up in many OT device software configurations.”
The open-source community can fix those problems they feel are urgent, but the bad code is already in production in millions of devices and there is no mechanism to update that code remotely, according to Malik. “Most users of these devices do not know what software they run, and few vendors keep records going back a decade or more showing what the software configuration was at build time. So the problems are very hard to track down. Upgrading technology can reduce the instance of latent old bugs if the code base is properly validated,” he added.
“While interoperability between brownfield and greenfield devices is essential to implement a non-disruptive, phased, and cost-effective modernization program, the security vulnerabilities in brownfield devices must be addressed to the extent possible,” said Mocana’s Kumar. “This may be accomplished with a hybrid approach of edge protection and software updates to brownfield devices,” he added.
Large organizations must assemble certain key components to ensure that OT and IIoT endpoint protection can secure industrial processes and assets. “The key components are application security by design, platform level protection controls, and a horizontal platform for unified NOC/SOC operations,” Kumar said. “Encrypted and authenticated data exchange is critical to protect against orchestrated attacks with sophisticated techniques that exploit cryptography for nefarious purposes,” he added.
Barzilai advocated hardening the devices, as any deviation from the manufacturer’s specifications would then suggest a hacking attempt. “Such security control can be applied to the endpoint firmware by the device manufacturer, or by the end customer. This is the most efficient way to protect devices against cyberattacks, as the devices are self-protected, and noise levels (i.e. false alerts, and quantity of security events) is negligible,” he added.
“When applying such controls is not feasible, enterprises apply network-based solutions, which sniff the network, create behavioral profiles for different types of endpoints, and when anomalies to that profile are detected, events are created and data analysts should investigate the behavior anomaly and whether it implied a hacking attempt,” according to Barzilai. “Either way, indications of the attack go to some central logging location to be able to create threat intelligence and disseminate it among other less protected peers.”
Malik suggested that large organizations leverage their Software Asset Management database to track the components in their production environment, and subscribe to notifications and update services for the technology they are running. When a live bug shows up, these databases can point to components requiring the patch.
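As an added illustration of the component-tracking approach described above (example code, not from the article or from any of the vendors quoted): a small Python script that checks a constructed software asset inventory of OT/IIoT endpoints against constructed advisory records, and separately flags brownfield endpoints whose software version was never recorded. The stack names, versions and advisory IDs are placeholders.

```python
"""Added example: match an OT/IIoT software asset inventory against advisories.
All endpoints, component names, versions and advisory IDs are constructed
sample data, not real devices or real advisory records."""
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str):
    """Turn '6.9.1' into (6, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Endpoint:
    name: str
    zone: str
    component: str            # e.g. the embedded TCP/IP stack the firmware was built on
    version: Optional[str]    # None = build-time software configuration is unknown

@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str             # first version that carries the fix

# Constructed sample inventory and advisories (placeholders only).
INVENTORY = [
    Endpoint("hmi-01", "cell-3", "stack-a", "2.4.0"),
    Endpoint("plc-07", "cell-3", "stack-a", "3.1.2"),
    Endpoint("sensor-gw", "edge", "stack-b", "1.0.5"),
    Endpoint("legacy-ctrl", "cell-1", "stack-b", None),
]
ADVISORIES = [
    Advisory("ADV-SAMPLE-1", "stack-a", "3.0.0"),
    Advisory("ADV-SAMPLE-2", "stack-b", "1.1.0"),
]

def match_advisories(inventory, advisories):
    """Return ({endpoint name: [advisory ids needing a patch]}, [endpoints with
    unknown version]). Unknown versions are reported rather than guessed, since
    the inventory must be completed before a patch decision can be made."""
    needs_patch, unknown = {}, []
    for ep in inventory:
        hits = [a for a in advisories if a.component == ep.component]
        if not hits:
            continue
        if ep.version is None:
            unknown.append(ep.name)
            continue
        affected = [a.advisory_id for a in hits
                    if parse_version(ep.version) < parse_version(a.fixed_in)]
        if affected:
            needs_patch[ep.name] = affected
    return needs_patch, unknown
```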
“The cybersecurity team should deploy monitoring and mitigation tools to observe and block network traffic carrying indications of compromise. Networks should be segmented to filter unwanted traffic out of sensitive zones,” according to Trend Micro’s Malik. “The cybersecurity team should run an overarching alert monitoring and analysis infrastructure to stop problems early and preserve the integrity of the production environment,” he added.
The issue before the industry is clearly how to secure the link between OT and IIoT endpoints, in order to deliver complete risk management. It is not enough to secure the endpoints; their communications with one another and the operational framework in which they operate must be secured as well. With many devices not conforming to consistent standards, such as communication protocols, enabled or disabled services, or methods for configuration, the engineering, security, and management of OT and IIoT endpoints make their protection more difficult and challenging.
“Cybersecurity tools are an important part of the solution. The cybersecurity team, working with the OT process hazard analysis function, should build a comprehensive playbook for responding to attacks in both the IT and OT world,” said Trend Micro’s Malik. “These procedures should be automated to allow a timely and effective response. A zero trust architecture – strong authentication required before granting access to any would-be user, segmented networks to block malicious code – will be the most effective approach to stop malware most of the time, and limit the impact of a breach if it happens,” he added.
A zero-trust architecture requires protection controls on the endpoint for device identification, device authentication, and secure data exchange with protected cryptographic artifacts, according to Mocana’s Kumar. “The biggest risk to manage is the compromise of cryptographic artifacts (keys) and the ability to rotate artifacts (keys and certificates). Cryptographic protection and supply chain provenance are both essential to establish the notion of trust between connected devices/systems,” Kumar added.
“Endpoint protection for IIoT and OT is the most basic step, together with network segmentation and monitoring,” said Karamba’s Barzilai. “Endpoint Protection ensures endpoints cannot be subverted, Segmentation limits the impact of such an attack to a single isolated subnetwork, and monitoring spreads the information and allows SOCs to learn of the attack, respond, and warn others.”