Hanna explained that a key to understanding Industrial Internet of Things (IIoT) security is recognizing that it is not a single market. It is not just discrete manufacturing, not just oil and gas, and not just transportation, for example. There are different risk profiles for each industry or sector relative to particular threats and issues. Thus, the impact of security problems is different for a chemical plant or for operation of FitBit devices. It isn’t possible to devise a single unified security approach relative to IoT in general or even IIoT in general. Still, he notes, “We do find that while risks may differ in magnitude, they are often fundamentally similar and therefore the countermeasures employed can be similar.” Furthermore, human nature doesn’t change much, regardless of the industry or environment.
Why do people want IIoT? For similar reasons, of course. New capabilities and services, greater effectiveness and greater flexibility in customization or convenience. Hanna says one potential benefit of IIoT is that it becomes easier to have your automation experts located in one place, such as a large city, while the actual manufacturing plant is located hundreds of miles away. But the attractiveness of IIoT is also linked to its vulnerability.
Hanna noted that what needs to be secured is not just IIoT devices and infrastructure, but the human aspects as well. “Humans are usually the weak link, always disobeying instructions and clicking on links,” he said.
The real attacks that have manifested in the field so far have been quite worrisome, he said. For instance, a hacker attack on a German steel mill depended on human credulity and disrupted the control system, preventing an orderly shutdown. In the business of making steel, that can be a very expensive problem. Well-publicized stories about attacks or potential attacks on motor vehicle systems – often by achieving access through the human-facing systems such as radios – underscore the problem.
An even earlier example shows that this isn’t just a “fad” connected to cyber security. In the Olympic Pipeline explosion of 1999, a mechanical problem with a valve was exacerbated – fatally, according to Hanna – because an IT employee had initiated testing activities on a control system without authorization. This prevented automated safety responses from working in time, leading to a massive gasoline spill, fire and three deaths.
Even attacks that simply overwhelm a location with spurious messages (known as distributed denial of service, or DDoS) can cause significant functional disruptions, he warned.
Fighting Back
That’s the bad news. The good news, of a sort, is that there are countermeasures.
- Employ authentication to ensure that unauthorized or unsecure messages are not accepted.
- Institute boot process protection to ensure malware does not infiltrate.
- Employ secure software and firmware updates and ensure that proper updates are conducted.
Additionally, Hanna recommends reviewing the Industrial Internet Consortium (IIC) Reference Architecture, which has details on the concept of trusted computing and on building in security.
Hanna also warned against becoming too attracted by Linux – the open source software that has grown increasingly popular for everything from website operation to embedded systems. “There are a lot of great tools out there for reverse engineering Linux so that before you know it someone can get to your source code and start to look for vulnerabilities,” he says. In fact, he says, Linux was one of the things contributing to the vulnerability of Chrysler vehicles to hacking, referred to above, which ended up leading to a recall.
Alan R. Earls is a Boston-based writer focused on technology, business, and manufacturing — a field where he spent the earliest part of his career. He has written for publications and websites as diverse as The Boston Globe, Computerworld and Modern Infrastructure as well as Industry, The Manufacturer, and Today's Machining World and is a regular contributor to the Smart Industry Connect blog.