September 3rd, 2015

Securing the Industrial Internet of Things:
The Risk List

The Industrial Internet of Things (IoT) is growing fast, but the more devices it connects to the internet, the more vulnerable they become. Seismic sensors, pumps on oil rigs, jet engines, smart meters—almost any fixed or mobile asset is at risk and needs to be secured.

More and more devices are connected to the internet. Fitted with lightweight sensors and joined to proprietary systems, their constant streams of data can be analyzed and controlled remotely. But none of this increased interoperability comes without risk.

“Traditional machine-to-machine (M2M) applications are typically very focused, using specific edge devices (that enable to enter an enterprise core network) and a single network and custom platform, making it relatively easy for security professionals to secure to the acceptable level,” says Professor Jon Howes, Technology Director at analysts Beecham Research. “But the industrial IoT cuts across different sectors and embraces multiple devices and networks. Wherever there is a new interface between devices, networks, platforms and users, there is the potential for a new weak link.”

Upgraded, connected and riskier

A security breach can mean physical assets being stolen, misappropriated or misused. “When it comes to industrial IoT devices, this includes things like sensors, programmable logic controllers [PLCs], human machine interfaces [HMIs], and distributed control systems [DCS],” says David Meltzer, Chief Research Officer at cyber threat detection company Tripwire. “These are the kind of things that make industrial systems run, and as these devices are upgraded, connected to IP networks, and become accessible to an increasingly inter­connected world, the risk of being exploited grows.”


The IoT Threat Map
Courtesy of Beecham Research

All IP-enabled networks and devices need to be secured, from smart sensors, transmitters and smart machines to safety controllers, wearable devices and radio-frequency identification (RFID) tags. “The main areas to be monitored and secured are the device's hardware in general—its power source, its sensors and actuators, its local storage, its system bus, its CPU and its transmission hardware, including transmission channels such as cable and wireless connections,” says Luigi Mantellassi from 'digital things' software platform Dizmo. He also insists that all layers of software need protection.

Protecting against hacking

The industrial IoT is only as secure as its participants make it. Prior to the IoT, the only way for someone to attack a system was through software. “This kind of attack is independent of the geographic location of the system and its attacker,” says Mantellassi, “and exposes a system to virtually any person on the planet who has access to the Internet.”

However, IoT devices are increasingly being deployed in public places, making them physically accessible. Hackers can compromise a device and feed the central system fake information or—a worst case scenario—gain entry to the back-end data collection platform, and from there, access the entire enterprise IT infrastructure. This domino effect can be devastating.

Data security and internal threats

For many telecom, utility and energy companies, the industrial IoT is all about collecting user data. This process needs securing. “Good authentication and authorization standards come into play, as well as external security software such as Kerberos and LDAP,” says Robin Schumacher, Vice President of Products at big data company DataStax. Schumacher advises encrypting all data. It's also important to have effective auditing practices that immediately recognize unauthorized access, even from staff. Security company Qualys found that 63 percent of breaches in the utilities industry occurred in the HMI, where management information was being presented to staff.

Minimum specifications needed

There are also worries that the manufacturers of electronics, components and personal devices that link to the industrial IoT are not taking security seriously enough. Regulation is needed to force manufacturers to use cryptographic algorithms and modes suitable for IoT devices. “There is an international ISO/IEC 29192 standard which was devised to implement lightweight cryptography on constrained devices,” says Dr. Kevin Curran, Technical Expert at the Institute of Electrical and Electronics Engineers (IEEE). However, most IoT devices are just not up to the task, with most suffering from limited memory size, short battery life and weak processors. “Traditional heavy cryptography is difficult to deploy on a typical sensor, hence the deployment of many insecure IoT devices,” says Curran. “Regulations for the Internet of Things need to address issues of minimum specifications for IoT devices.” Margee Abrams, Director of IT Security Services at Neustar, agrees. “IoT manufacturers should be held to a very high standard for security application testing prior to general release of connected devices.”

Devices that power financial transaction and critical infrastructure systems will likely be prime targets for hackers, though perhaps the only reason we have not seen serious breaches of the IoT is because it's not yet large enough. With the industrial IoT expected to be worth US $319.62 billion by 2020 according to Markets & Markets, industry won’t be able to avoid implementing more advanced protection tools.

advertisement
myspace directindustry

 Jamie Carter

By Jamie Carter

Jamie Carter is a journalist based in Cardiff in Wales, who writes about technology for TechRadar.com, the South China Morning Post, MSN, the BBC Sky At Night and Korean Air's Morning Calm.

You may also like