Securing the IIoT and OT Environments
By Syam Madanapalli
Director of Internet of Things at NTT DATA Services
On April 6, 2022, The Washington Post [1] reported that the U.S. government and energy firms close ranks, fearing Russian cyberattacks; the Ukraine war has put them on high alert. "President Biden’s warning last month of evolving intelligence that Russia is exploring possible cyberattacks against American critical industries, companies such as Berkshire Hathaway Energy and the U.S. government are on high alert." This article raises the following points:
Security of the infrastructure running the industries is critical.
They are prone to security attacks, which means we (the technical community) did not do our job well.
Even amid a war between nations, presidents and prime ministers are worried about infrastructure security.
I want to share some of my thoughts on securing connected industrial environments in this article.
Introduction
We use Operational Technologies (OT) everywhere, typically to control a physical process. Examples include controlling and monitoring a valve in a water processing unit, a robot in a warehouse, or a machine in a manufacturing process. The application of the Internet of Things (IoT) to operational technologies, the Industrial Internet of Things (IIoT), is increasingly used for remote operations, data collection, and cloud connectivity to create more value and improve OT operations, creating cyber-physical systems. The application of IoT in the commercial and consumer markets is expanding OT environments into other sectors. The application of IIoT exposes OT environments to cyberattacks. Securing OT environments is becoming increasingly critical in the wake of national conflicts, the COVID-19 pandemic, and ever-evolving hyper-connected technologies like the Metaverse.
NIST [2] and IEC [3] provide comprehensive frameworks for securing OT environments and guidance for stakeholders, including manufacturers, system integrators, and owners/users. My thoughts in this article are not a replacement for these frameworks; instead, they are about how we can better follow these guidelines. Risks are increasing, and complexity is growing. Therefore, the industry needs to share proven best practices and develop new standards to secure OT networks and assets.
The Challenges in Securing the OT Environments
OT environments are complex for the following reasons.
Lack of asset details: The primary challenge in OT environments is the lack of asset details. Most companies do not have full asset details (not just the name; they should also have risk profiles). They need more context to respond better when required.
Lack of vulnerability information: In IT (Information Technology), vendors and 3rd parties publish vulnerabilities and how to patch them. For OT environments, the standard vulnerability information from vendors and 3rd parties is not readily available.
Lack of budget and staff: The lack of full-time security professionals on the ground makes threat detection and prevention difficult and slow.
Vulnerable environment: OT networks are not resilient, and availability is critical, whereas IT networks can recover from faults, and availability is not critical.
Legacy systems: Device lifetimes in OT environments are very long, so you will have to deal with legacy systems. Most legacy systems have default usernames and passwords, and the user manuals are available online.
Constrained environment: OT equipment typically consists of constrained devices (low processing power, low bandwidth, and possibly battery-powered). Most of them do not have input and output devices and work in harsh environments. The complexity also arises from the number of vendors (product manufacturers, software providers, and system integrators) participating, the number of devices connected, the number of protocols in use, and the number of different applications built. Figure 1 illustrates the OT environment complexities.
Figure 1: Typical IIoT environments and security implications
OT users are tech-illiterates: OT operators, business leaders, and senior executives generally lack deep cybersecurity knowledge.
Impact on the physical world: A security attack in an OT environment may impact the physical world, including the safety of people, and cause financial and reputational losses. In addition, these attacks may introduce anomalous data into a manufacturing process or a water purification process and disrupt downstream operations.
Figure 2: IT Security vs. OT Security
Figure 2 illustrates securing IT vs. OT environments; any compromise in OT security may also have safety implications. Active threat detection may itself disrupt OT environments because of the need for high availability of OT systems. Securing IIoT systems requires new thinking, and hopefully we will see much innovation in this area soon. Here are some of my thoughts on securing OT systems.
Fresh Thinking for OT Security
Fresh thinking is about going back to the fundamentals and applying common sense. And, do not underestimate common sense; it is very uncommon these days.
Un-interneting
If it ain’t required, do not connect. When it needs to be connected, connect securely. For example, you may find ways to collect the data with intermittent connectivity to a local server. If you are IPv6 [4] ready, use IPv6 Unique Local Unicast Addressing (ULA) [5].
Asset discovery and maintenance
Use tools to maintain the assets, their risk profiles, and their context so that the security professionals can act better for patching, threat detection, and responding to security breaches. Tracking all vulnerabilities and associated risk mitigation and contingency plans is essential. Note that we cannot protect what we do not know.
Employ full-time security staff and allocate budget
The median dwell-time of an APT (Advanced Persistent Threat) in the Americas is over two months; in EMEA, it is over five months, and in APAC, it is over six months [6]. Therefore, full-time security professionals monitoring the OT environments can detect and prevent most breaches. Hiring security professionals also means reducing the number of hackers and hence the number of attacks.
"Winning a war doesn’t mean killing the enemy." Pawan Kalyan’s dialogue in his movie Jalsa [7].
The best is to make them your ally.
Full-time security staff require budget allocation. The budgets are with the business leaders. Hence, they should understand the consequences and costs of sophisticated security attacks and allocate budgets for OT security monitoring. And, of course, business leaders should not treat security as a cost but rather as part of the business. If they cannot deliver value with security included, there is no business.
Migrate to IPv6 and build new sites with IPv6
Hackers are like terrorists: they target the weak and have strength only as long as they are hidden; they are weak in a face-to-face fight. Today's OT networks are complex and challenging to monitor and manage because of poor network architecture and nested IPv4 NATs [8]. These complexities protect the network from simple attacks, but a sophisticated hacker can easily penetrate IPv4 NATs [9, 10, 11]. The complexity of OT network environments gives hackers an advantage: they can stay hidden and carry out sophisticated attacks. RFC 4193 [5] defines Unique Local IPv6 Unicast Addresses (ULAs) as globally unique addresses intended for local communications within a private site. IPv6 ULAs, together with Global Unicast Addresses [12] where required, allow organizations to build clean, robust environments that are easy to manage and monitor, with better firewalls and better security [13, 14, 15]. Buyers should ask for IPv6 support in new assets (hardware and software); this is an important step even if you are not moving to IPv6 immediately, and it provides an easy path for future migration.
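As an added illustration (not code from the article), the following Python derives a site prefix the way RFC 4193 section 3.2.2 specifies and classifies addresses into the scopes contrasted above (unique-local, global unicast, link-local); the timestamp and EUI-64 are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ULA = ipaddress.IPv6Network("fc00::/7")            # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # globally routable
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def generate_ula_prefix(ntp_time: int, eui64: bytes) -> ipaddress.IPv6Network:
    """Derive a /48 ULA prefix with the RFC 4193 section 3.2.2 algorithm.

    ntp_time is a 64-bit NTP-format time of day and eui64 the 8-byte EUI-64
    of the generating system; the low 40 bits of SHA-1 over their
    concatenation form the Global ID.
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    key = struct.pack(">Q", ntp_time) + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    # fd00::/8 is fc00::/7 with the L bit set (locally assigned); the
    # 40-bit Global ID then occupies bits 119..80 of the address.
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Append a 16-bit Subnet ID to a /48 ULA prefix, giving a /64."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address (the kinds the article contrasts)."""
    a = ipaddress.IPv6Address(addr)
    for name, net in (("unique-local", ULA), ("global-unicast", GLOBAL_UNICAST),
                      ("link-local", LINK_LOCAL)):
        if a in net:
            return name
    return "other"


if __name__ == "__main__":
    # Constructed sample inputs, not a real clock reading or real hardware id.
    site = generate_ula_prefix(0xE5F0000000000000, bytes.fromhex("0211223344556677"))
    cell = subnet(site, 0x0101)
    print(site, cell, classify(str(cell.network_address + 1)))
```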
Zero trust security
To prevent attacks from APTs, one should implement Zero Trust Security [16] throughout the OT and IT environments. Zero Trust is a buzzword or marketing term for networking and security professionals. However, it is nothing new to the technical community. Zero trust goes back to basics, as Figure 3 illustrates.
Figure 3: Zero trust security illustration
The principles of zero trust, or the basics of computer security:
Every resource should be protected and have access control
Every user should have an identity, be authenticated, and be authorized to access the resource with the principle of least privilege.
The user/client and the resource should secure their communication
Log transactions and events for analysis to detect the threats
Continuously monitor for preventing and detecting the threats and breaches
Act local, think global
Figure 4 illustrates the handling of events in spacetime. Certain actions should be taken close to the data source, while future actions should be planned at places and times where you have better visibility. Each local environment should act autonomously for some period of time (semi-autonomously). As you move up the hierarchy, you make decisions for the future. Any real-time action from a non-local environment should be considered an emergency or a security threat. Dividing the data value chain into hierarchical and modular zones allows secure boundaries to be built. Hierarchical spatiotemporal event handling allows for creating resilient and secure environments.
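The zero-trust basics listed in the previous section and the spatiotemporal rule above, combined into one policy-decision function for OT commands; this is an added example, not code from the article, and the zone hierarchy, principals and ACL are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed zone hierarchy: each zone names its parent, None is the top.
ZONE_PARENT = {"cell-a": "plant-1", "plant-1": "enterprise", "enterprise": None}

# Least privilege: each identity is permitted exactly the actions listed here.
ACL = {"hmi-operator": {"actuate"}, "mes-planner": {"schedule"}}


@dataclass
class Command:
    principal: str          # identity presenting the command
    authenticated: bool     # outcome of the upstream identity check
    origin_zone: str        # zone the command came from
    target_zone: str        # zone that owns the controlled resource
    action: str             # "actuate" (real-time) or "schedule" (future plan)


def is_same_or_ancestor(zone: str, candidate: str) -> bool:
    """True if candidate is zone itself or sits above it in the hierarchy."""
    while zone is not None:
        if zone == candidate:
            return True
        zone = ZONE_PARENT.get(zone)
    return False


def evaluate(cmd: Command, log: list) -> str:
    """Return 'allow', 'deny' or 'alert'; every decision is appended to log."""
    if not cmd.authenticated or cmd.action not in ACL.get(cmd.principal, set()):
        verdict = "deny"                     # no proven identity or no privilege
    elif cmd.action == "actuate":
        # Real-time control is only legitimate from the local zone; from
        # anywhere else it is treated as an emergency or a security threat.
        verdict = "allow" if cmd.origin_zone == cmd.target_zone else "alert"
    elif is_same_or_ancestor(cmd.target_zone, cmd.origin_zone):
        verdict = "allow"                    # future plans may come from above
    else:
        verdict = "deny"                     # sibling or unrelated zone
    log.append(f"{verdict}: {cmd.principal} {cmd.action} "
               f"{cmd.origin_zone}->{cmd.target_zone}")
    return verdict
```

An "alert" verdict is meant to be handled as a denied command plus an incident for the monitoring team, which is the logging and continuous monitoring point in the zero-trust list.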
Figure 4: Spatiotemporal design for OT environments
IT and OT convergence
When IT and OT join forces, there is an opportunity to reduce the risk and cost of protecting enterprises from cyberattacks. One way to drive IT/OT convergence is to provide a common platform to actively monitor and secure IT and OT systems. In addition, IT and OT teams should collaborate and correlate data across the OT and IT systems to detect anomalies that indicate security breaches or the signs of APTs. Finally, the convergence should help each side learn from the other's priorities and best practices, including network segmentation, multi-layer monitoring and protection, and awareness among employees about phishing threats.
Security Considerations:
Figure 5: Sample warning label for toys
Look at the picture above; does it look familiar? I am sure we have several requirements to communicate hazard and safety warnings for consumer and industrial products so that they are used safely.
In the hyper-connected world, everything will be connected. Every connected asset exposes an attack surface. Hence, every new connected asset (software or hardware) should be assessed for security threats and have a security assessment report before it is deployed or used. I propose having Security Considerations for every connected asset. Manufacturers, developers, system integrators, or solution providers should provide the Security Considerations along with their product or proposal. The Security Considerations should contain details about new attack surfaces, vulnerabilities, and how to prevent and respond to these threats.
Buyers in the enterprise must ask one question: can you explain how secure this product or solution is? And they must insist on having a section with Security Considerations as part of every proposal they receive.
Evolving Standards
The Internet is an unprecedented, unparalleled, and massive platform for information sharing and collaboration. It is enabling today’s innovation, economy and society. The internet is being used for applications not previously thought about; the Internet of Things is an example. Security standards and practices must also evolve to keep the Internet and its applications safe.
Risks are evolving: The number of vulnerabilities and the number of hackers are growing with varying levels of engineering sophistication.
Complexity is increasing: We are moving towards a hyper-connected world. The IoT will bring billions of end devices into the connected ecosystem. The number of applications, the number of users, and the kinds of users are increasing; as a result, the complexity of the connected ecosystem is rising.
Best practices are being established: We are also learning from our experience, and we should publish, share and collaborate to learn from each other.
New standards: New standards should be created to cover connected applications and the resulting threats by incorporating the best practices and advancements in technology.
There are many security standards, and new ones are being developed for the Operational Technology environments and IoT covering various aspects. To name a few:
NIST has a framework for Control System Cyber Security [2]
IEC 62443 - Security for Industrial Automation and Control Systems (IACS) [3]
GSM Association is working on IoT assessment guidelines [17]
IoT Security Foundation is also developing guidelines for IoT security [18]
ETSI has published EN 303 645 for IoT security requirements for Consumer Devices [19]
However, as the risks increase and complexity grows, I think we need more innovation to protect the connected ecosystem. One such initiative is IEEE P2994, to develop a Standard for Security Assessment Framework for IoT Applications. My expectation for this IEEE Working Group is to produce a standard that will help connected ecosystem players publish the Security Considerations for their product/solution/service.
The IEEE P2994 working group would innovate in the following areas.
Security Considerations: A standard for publishing the risk profiles for the connected assets.
Empowering the business leaders: provide security information to the business leaders to make their buying decisions and plan for developing mitigation and contingency plans for security.
Data-driven tools: Ability to develop data-driven tools to automate security assessment and monitoring.
Create more security professionals and reduce the cost of security: Simplify IoT security and help train more security professionals.
The Summary
Security threats increase as connectivity penetrates our day-to-day lives to help us work and live better. Operational Technology environments with legacy systems are becoming complex and challenging to manage, and are becoming major targets for attackers. An OT security breach can significantly impact human lives, the economy, and business reputation, and cause financial losses. In addition, threat detection tools are treated as the prevention mechanism instead of prevention being incorporated during site design.
The basic rule: Prevention is better than cure. And more importantly, pain killers do not cure.
During the COVID-19 pandemic: Dolo 650, the medicine that trended on Twitter, made its manufacturer a billionaire in no time (Gursharan Bhalla, Jan 21, 2022, The Times of India).
Industry, Governments, SDOs, and technical communities should collaborate and share best practices and innovate in developing more security standards. In addition, we need to train more security professionals, and organizations should allocate budgets and hire full-time security professionals. Finally, security should become an integral part of every product, solution, and service.
Enterprises should plan to build simpler networks based on IPv6, converge IT and OT networks with appropriate hierarchical boundaries and a zero trust implementation, and follow NIST or IEC guidelines for securing OT environments.